4 General
3GPP TS 24.482: Mission Critical Services (MCS) identity management; Protocol specification (Release 17)
4.1 Identity management
The identity management (IdM) functional model for MC services is shown in figure 4.1-1 below. It consists of the identity management server, located in the common services core, and the identity management client, located in the MC UE. The IdM server and the IdM client in the MC UE establish the foundation for MC services user authentication and user authorisation.
Figure 4.1-1: Functional model for MC services identity management
The CSC-1 reference point, between the IdM client in the UE and the Identity Management server, provides the interface for user authentication. CSC-1 supports OpenID Connect Core 1.0 [6] and IETF RFC 6749 [5].
The OpenID Connect profile for MC services is implemented as described in 3GPP TS 33.180 [17]. The MC services user authentication, the MC services user authorisation, the OpenID Connect Core 1.0 [6] and the OpenID Connect profile for MC services described in 3GPP TS 33.180 [17] form the basis of the MC services identity management architecture.
Subclause 6.2.1 and subclause 6.3.1 describe the procedures for the MC services user authentication. OIDC is flexible with respect to the user authentication mechanism used. As 3GPP TS 33.180 [17] has indicated that username and password authentication is mandatory to support, that mechanism is included in subclause 6.2.1 and subclause 6.3.1, although other mechanisms are possible.
When the MC services user is authenticated, the procedure will provide an id token, an access token and a refresh token, which are all described in 3GPP TS 33.180 [17]. The access token is scoped to the services the MC services user is authorised for, e.g., group management services, key management services and MC services. The access token will be utilized for MCPTT service authorisation, MCData service authorisation and MCVideo service authorisation as documented in 3GPP TS 24.379 [12], 3GPP TS 24.282 [22] and 3GPP TS 24.281 [21] respectively.
After an MC service user has obtained an access token from their home IdM server, they can acquire a security token from their home IdM server by means of the procedures of subclause 6.2.2 and subclause 6.3.2. The security token can be used to acquire an access token from the IdM server of a partner system to allow access to resources in the partner system’s domain by means of the procedures of subclause 6.2.3 and subclause 6.3.3.
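The service-side use of the scoped access token described above, as an added example that is not part of this specification: an MC service checks a received access token's signature, expiry and scope before granting MCPTT, MCVideo or MCData service authorisation. The HS256 shared key, the scope strings and the claim layout are assumptions made for illustration; the normative token format is defined in 3GPP TS 33.180 [17].

```python
import base64, hashlib, hmac, json, time

# Constructed example key. A real IdM server signs with its own key and the
# MC service verifies with the matching verification key; HS256 with a shared
# secret is used here only so the example runs stand-alone.
SECRET = b"example-idm-signing-key"

# Assumed scope strings for the three services named on this page; the
# normative values live in 3GPP TS 33.180, not on this page.
SERVICE_SCOPE = {
    "mcptt": "3gpp:mc:ptt_service",
    "mcvideo": "3gpp:mc:video_service",
    "mcdata": "3gpp:mc:data_service",
}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_access_token(claims: dict, key: bytes = SECRET) -> str:
    """Stand-in for the IdM server issuing a signed (JWS) access token."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def authorise(token: str, service: str, key: bytes = SECRET, now=None):
    """Service-side check: token intact, not expired, and scoped for `service`.
    Returns (allowed, reason) so the caller can log the reason on refusal."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        return False, "malformed token"
    # Pin the algorithm: the verifier, not the token, decides how it is checked.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return False, "bad signature"
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        return False, "token expired"   # client should use its refresh token
    if SERVICE_SCOPE[service] not in claims.get("scope", "").split():
        return False, f"token not scoped for {service}"
    return True, f"authorised for {service}"
```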