D.1 Explicit authentication and authorization

3GPP TS 28.533: Management and orchestration; Architecture framework (Release 17)

NOTE 1: The authentication (administrative) service consumer could be a portal or other operator tool acting on behalf of an administrator of the operator.

Precondition:

Mutual authentication between the authentication (administrative) service consumer and the authentication/management service producer, as well as between the MnS producer and the authentication service producer, has been performed according to the operator's implementation.

The authentication service producer holds the information required to perform authentication, such as identities (including the credential of each identity), and/or groups, and/or authentication policies. The specific information required depends on the implementation.

The MnS consumer has successfully authenticated (or validated the authenticity of) the authentication/management service producer.

Procedure:

101. When an authentication request is received, the authentication service producer obtains the identifier and credential of the MnS consumer, along with other context information (e.g. address of the client), from the request.

NOTE 2: Challenges may be exchanged between the MnS consumer and the authentication service producer for some authentication protocols.

102. Based on the identifier in the request, the authentication service producer retrieves the identity information (e.g. status of the identity, associated group(s) of the identity, credential of the identity) from the data store. The producer then authenticates the MnS consumer by validating the identity information and other context (e.g. time, location of the consumer) against the authentication policies (e.g. authentication factor, protocol, supported time, location, status of the consumer) associated with the group(s) the MnS consumer belongs to.

103. The authentication service producer updates the authentication state of the MnS consumer in the data store after authenticating the MnS consumer.

NOTE 3: If authentication succeeds and authentication assertions are supported by the protocol, the authentication service producer constructs an authentication assertion and may update the assertion of the MnS consumer in the data store.

104. If authentication succeeds and authentication assertions are supported by the protocol, the authentication service producer sends a successful response with an authentication assertion to the MnS consumer.

105. If authentication succeeds and authentication assertions are not supported by the protocol, the authentication service producer sends a successful response without an authentication assertion to the MnS consumer.

106. If authentication fails, the authentication service producer sends a failure response to the MnS consumer.

After the MnS consumer is authenticated:

If access tokens are supported by the MnS producer and consumer:

201. The MnS consumer obtains an access token from the authorization service producer.

202. The authorization service producer validates the assertion and constructs an access token.

203. The authorization service producer returns the access token to the MnS consumer.

204. The MnS consumer accesses the MnS with the access token.

205. The MnS producer validates the token.

206. If the token is valid, the MnS producer performs the operation and returns the result to the MnS consumer.

If access tokens are not supported by the MnS producer and consumer:

207. The MnS consumer accesses the MnS from the MnS producer.

208. The MnS producer validates the authentication assertion and checks the permissions of the MnS consumer with the authorization service producer.

NOTE 4: The MnS producer may authorize the MnS request of the MnS consumer according to local policies.

209. If the MnS request is allowed according to the permissions, the MnS producer performs the operation and returns the result to the consumer.
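The following is an added example, not 3GPP text and not any vendor's implementation, that models both procedures above in one runnable script: the authentication service producer (steps 101-106, with group policies on time and client address, the data-store state update of step 103 and the assertion of NOTE 3), the authorization service producer (steps 202 and 208), and the MnS producer on both the token path (204-206) and the assertion path (207-209). The function names, the data-store layout, the HMAC-signed assertion/token format and all identities, credentials, networks and keys are constructed assumptions; the specification leaves the concrete protocol and data model to the operator's implementation.

```python
"""Toy model of the explicit authentication/authorization flow (added example).
The data store, policies, HMAC assertion/token format and secrets below are
constructed for illustration and are not defined by the specification."""
import base64
import hashlib
import hmac
import json
import time

# Constructed signing secrets (assumed to be held by the respective producers).
ASSERTION_KEY = b"example-authn-key"   # authentication service producer
TOKEN_KEY = b"example-authz-key"       # authorization service producer

# Data store of the authentication service producer (constructed sample).
IDENTITIES = {
    "mns-portal": {"credential": "s3cret", "status": "active",
                   "groups": ["admins"], "state": "unauthenticated"},
    "mns-robot": {"credential": "robot-pw", "status": "disabled",
                  "groups": ["automation"], "state": "unauthenticated"},
}
# Authentication policies associated with each group (step 102).
POLICIES = {
    "admins": {"allowed_hours": range(0, 24), "allowed_networks": ["10.0.0."], "assertion": True},
    "automation": {"allowed_hours": range(6, 22), "allowed_networks": ["10.0.1."], "assertion": False},
}
# Permissions known to the authorization service producer (steps 202 and 208).
PERMISSIONS = {"admins": {"getMOIAttributes", "modifyMOIAttributes"},
               "automation": {"getMOIAttributes"}}


def _sign(key, payload):
    """Encode a claims dict and append an HMAC-SHA256 tag (constructed format)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode()).decode()
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{mac}"


def _verify(key, blob, now):
    """Return the claims if the tag is valid and the blob is not expired, else None."""
    body, _, mac = blob.rpartition(".")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    return claims if claims["exp"] > now else None


def authenticate(identifier, credential, client_addr, now):
    """Steps 101-106 on the authentication service producer.
    Returns (success, assertion) where assertion is None when not supported."""
    ident = IDENTITIES.get(identifier)
    # Step 102: identity status, credential, then group policies on context.
    if ident is None or ident["status"] != "active":
        return False, None
    if not hmac.compare_digest(ident["credential"], credential):
        return False, None
    hour = time.gmtime(now).tm_hour
    for group in ident["groups"]:
        policy = POLICIES[group]
        in_network = any(client_addr.startswith(n) for n in policy["allowed_networks"])
        if hour not in policy["allowed_hours"] or not in_network:
            return False, None
    ident["state"] = "authenticated"  # step 103: update state in data store
    if not any(POLICIES[g]["assertion"] for g in ident["groups"]):
        return True, None  # step 105: protocol without assertions
    assertion = _sign(ASSERTION_KEY, {"sub": identifier, "groups": ident["groups"], "exp": now + 300})
    ident["assertion"] = assertion  # NOTE 3: store the assertion
    return True, assertion  # step 104


def issue_token(assertion, now):
    """Steps 201-203: validate the assertion and build a short-lived access token."""
    claims = _verify(ASSERTION_KEY, assertion, now)
    if claims is None:
        return None
    scope = sorted(set().union(*(PERMISSIONS[g] for g in claims["groups"])))
    return _sign(TOKEN_KEY, {"sub": claims["sub"], "scope": scope, "exp": now + 60})


def check_permission(assertion, operation, now):
    """Step 208: the authorization service producer answers a permission check."""
    claims = _verify(ASSERTION_KEY, assertion, now)
    return claims is not None and any(operation in PERMISSIONS[g] for g in claims["groups"])


def mns_request(operation, now, token=None, assertion=None):
    """MnS producer side: steps 204-206 with a token, or 207-209 with an assertion."""
    if token is not None:
        claims = _verify(TOKEN_KEY, token, now)  # step 205
        allowed = claims is not None and operation in claims["scope"]
    else:
        allowed = assertion is not None and check_permission(assertion, operation, now)
    return {"status": "OK", "operation": operation} if allowed else {"status": "FORBIDDEN"}


if __name__ == "__main__":
    now = int(time.time())
    ok, assertion = authenticate("mns-portal", "s3cret", "10.0.0.5", now)
    token = issue_token(assertion, now)
    print(mns_request("modifyMOIAttributes", now, token=token))      # token path
    print(mns_request("getMOIAttributes", now, assertion=assertion))  # assertion path
```

Two details matter for the defender: the token and assertion carry their own expiry and are checked with a constant-time comparison, so a tampered or stale token is rejected at step 205 before any operation runs, and the disabled identity is rejected at step 102 before its credential is even compared.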