Mobile Provided Identity Authentication on the Web
Jonas Högberg, Ericsson, for W3C's Workshop on Identity in the Browser, 24-25th May 2011, Mountain View, CA, USA
SSO with OpenID
– OpenID is becoming the framework of choice for Identity Management in web-based services. Many well-known service providers support OpenID.
– OpenID is therefore of interest to telecoms operators, enabling them to offer Single Sign-On (SSO) to their users for a wide range of applications.
– Operators are particularly interested in leveraging their subscriber databases and SIM credentials (i.e. GBA) for providing OpenID-based SSO to their users.
Ericsson Internal | 2011-05-23 | Page 2
OpenID – Quick Recap
Parties: End-User with a User-Agent (browser); Relying Party (RP), e.g. an appstore, an OAuth authorization server, or some other service provider; OpenID Provider (OP).
1) Login (End-User at the RP)
2) RP discovers the OpenID Provider
3) HTTP Redirect (User-Agent to the OP)
4) User authenticates to the OP (out of scope: OpenID intentionally leaves the authentication protocol between client and OP unspecified)
5) HTTP Redirect back to the RP (user identity, signature)
6) RP verifies the signature
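Steps 5 and 6 are the part of the recap the RP itself has to get right: the OP signs the positive assertion with the MAC key of the association it shares with the RP, and the RP recomputes the signature over exactly the fields listed in openid.signed. The following is an added example, not code from the slides or from Ericsson; the field names and signing-string format follow OpenID Authentication 2.0, while the endpoint URLs, association handle and key bytes are constructed for the demonstration.

```python
"""Added example, not from the slides: an OpenID 2.0 Relying Party verifying the
signature on a positive assertion (steps 5-6 of the recap). Signing-string format
per OpenID Authentication 2.0; URLs, handle and key bytes are constructed."""
import base64
import binascii
import hashlib
import hmac
import secrets

OP_ENDPOINT = "https://op.operator.com/openid"   # constructed
RETURN_TO = "https://rp.com/openid/return"       # constructed


def signing_string(params, signed_fields):
    """Key-value form of the signed fields: 'key:value\\n' in openid.signed order."""
    return "".join(f"{f}:{params['openid.' + f]}\n" for f in signed_fields)


def op_sign(mac_key, params):
    """OP side: HMAC-SHA256 over the signed fields with the association's MAC key."""
    signed = params["openid.signed"].split(",")
    mac = hmac.new(mac_key, signing_string(params, signed).encode("utf-8"), hashlib.sha256).digest()
    return {**params, "openid.sig": base64.b64encode(mac).decode("ascii")}


def rp_verify(mac_key, assoc_handle, params, seen_nonces):
    """RP side: True only for a fresh, untampered assertion made under our association."""
    if params.get("openid.ns") != "http://specs.openid.net/auth/2.0":
        return False
    if params.get("openid.mode") != "id_res":
        return False
    if params.get("openid.assoc_handle") != assoc_handle:
        return False          # unknown handle: would need check_authentication at the OP instead
    if params.get("openid.return_to") != RETURN_TO:
        return False
    signed = params.get("openid.signed", "").split(",")
    # The spec requires at least these fields to be covered by the signature.
    required = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
    if not required.issubset(signed) or any("openid." + f not in params for f in signed):
        return False
    try:
        got = base64.b64decode(params.get("openid.sig", ""), validate=True)
    except (binascii.Error, ValueError):
        return False
    want = hmac.new(mac_key, signing_string(params, signed).encode("utf-8"), hashlib.sha256).digest()
    if not hmac.compare_digest(want, got):
        return False
    nonce = params["openid.response_nonce"]
    if nonce in seen_nonces:  # replay of an assertion that was already consumed
        return False
    seen_nonces.add(nonce)
    return True


def demo():
    """Runs a valid assertion, a tampered identity and a replay; returns the three verdicts."""
    mac_key = secrets.token_bytes(32)   # shared through the OP/RP association
    handle = "assoc-" + secrets.token_hex(8)
    assertion = op_sign(mac_key, {
        "openid.ns": "http://specs.openid.net/auth/2.0",
        "openid.mode": "id_res",
        "openid.op_endpoint": OP_ENDPOINT,
        "openid.claimed_id": "https://op.operator.com/id/alice",
        "openid.identity": "https://op.operator.com/id/alice",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": "2011-05-24T10:00:00Z" + secrets.token_hex(4),
        "openid.assoc_handle": handle,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    })
    seen = set()
    ok = rp_verify(mac_key, handle, assertion, seen)
    tampered = rp_verify(mac_key, handle, {**assertion, "openid.identity": "https://op.operator.com/id/bob"}, set())
    replay = rp_verify(mac_key, handle, assertion, seen)
    return ok, tampered, replay
```

The return_to and nonce checks matter as much as the HMAC: without them a signed assertion captured on one RP or one session can be replayed into another.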
OpenID and GBA Inter-working
– OpenID intentionally leaves the authentication protocol between client and the OpenID Provider (OP) unspecified.
– It is possible to use GBA (Generic Bootstrapping Architecture) for client authentication.
– The inter-working of OpenID and GBA is specified in 3GPP TS 33.924.
– Basically, the OP assumes the role of a NAF and the client authenticates using HTTP Digest with the B-TID as username and Ks_NAF as password.
Combined Architecture of OpenID and GBA
[Figure: in the Operator domain, the HSS (IMSI, K) is connected to the BSF over Zh; the UE's SIM (IMSI, K) bootstraps with the BSF over Ub; the OpenID Provider OP, acting as NAF, fetches keys from the BSF over Zn and speaks HTTP with the UE over Ua; the OP (NAF) is hosted by the Operator or WAC; the OpenID Relying Party, reached over HTTP, is the Operator, WAC, or an outside party.]
Benefits
– OpenID serves as a bridge between the Telco world (AKA, GBA, Diameter, etc.) and the web world.
– Easy for the service provider (relying party) to integrate with the OpenID provider.
– The combination with GBA gives high security and a seamless user experience.
– Based on industry standards:
  › GBA specified in 3GPP TS 33.220
  › GBA and OpenID inter-working specified in 3GPP TS 33.924
  › OpenID specified by the OpenID Foundation (OIDF)
– The service provider could be the Operator, WAC, or, perhaps most interesting, an outside party.
OpenID and GBA inter-working use case: logon to a service that is not provided by the operator/carrier.
[Figure: a handset with a SIM reaching a Mobile TV service over the Internet.]
Open Issues
– The browser must be GBA enabled: how can we add this functionality? Plug-in? Passing of cookies?
– How does the Relying Party (i.e. the service provider) discover the OpenID Provider?
  › If the OpenID provider is hosted by the Operator:
    - Use an extra HTTP header with an operator ID (MNC + MCC)
    - User selects his operator from a list
    - User enters the URL of the OpenID provider
– Terminal support for GBA
Simple Network Architecture for GBA
[Figure only]
Simple OpenID Network Architecture
[Figure only]
Combined OpenID and GBA Network Architecture
[Figure only]
Signaling
Parties: RP, UE, OP (NAF), BSF.
1) Login
2) Discover OP
3) (optional) A security association is established between OP and RP
4) HTTP 302 Redirect https://op.operator.com
5) HTTP 401 Unauthorized realm="3GPP-bootstrapping@op.operator.com"
6) If no valid Ks is available within the UE, bootstrapping is performed [details are omitted]
7) HTTP GET (username = B-TID, digest)
8) Look up Ks_NAF using B-TID and verify digest
9) Possibly further interaction
10) HTTP 302 Redirect https://rp.com (identifier, signature)
11) Verify signature
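Steps 5 to 8 are the Ua leg that makes the OP a NAF: the realm prefix "3GPP-bootstrapping@" tells the UE to answer with GBA credentials, the B-TID in the Digest username lets the OP fetch Ks_NAF from the BSF over Zn, and both sides must derive the same Ks_NAF for the digest to verify. The following is an added example, not code from the slides or from Ericsson, simulating the UE, the OP (NAF) and a mock BSF in one process. Ks, RAND, IMPI, the B-TID and the nonce are constructed; the KDF input layout is modelled on TS 33.220 Annex B and the Ua protocol identifier value is an assumption, so treat the derivation as illustrative rather than as a conformance implementation. The password is base64(Ks_NAF), which is how the slides' "Ks_NAF as password" is carried in HTTP Digest.

```python
"""Added example, not from the slides: Ua leg of the OpenID/GBA signaling (steps 5-8).
A mock BSF and the UE each derive Ks_NAF from the bootstrapped Ks; the OP as NAF verifies
an RFC 2617 Digest (qop=auth) whose username is the B-TID and whose password is
base64(Ks_NAF). Keys, B-TID, IMPI, nonce are constructed; KDF layout modelled on
TS 33.220 Annex B and the Ua protocol id value is assumed."""
import base64
import hashlib
import hmac
import re
import secrets

REALM = "3GPP-bootstrapping@op.operator.com"
NAF_FQDN = "op.operator.com"
UA_PROTOCOL_ID = bytes.fromhex("0100000002")  # assumed 5-byte Ua security protocol identifier


def kdf(key, fc, *params):
    """Annex B style KDF: HMAC-SHA-256(key, FC || P0 || L0 || P1 || L1 ...), Li 2 bytes big-endian."""
    s = bytes([fc])
    for p in params:
        s += p + len(p).to_bytes(2, "big")
    return hmac.new(key, s, hashlib.sha256).digest()


def derive_ks_naf(ks, rand, impi, naf_fqdn):
    """Ks_NAF = KDF(Ks, "gba-me", RAND, IMPI, NAF_Id) with NAF_Id = FQDN || Ua protocol id."""
    return kdf(ks, 0x01, b"gba-me", rand, impi.encode("ascii"), naf_fqdn.encode("ascii") + UA_PROTOCOL_ID)


def md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(username, password, method, uri, nonce, nc, cnonce):
    """RFC 2617 response value for qop=auth."""
    ha1 = md5hex(f"{username}:{REALM}:{password}")
    ha2 = md5hex(f"{method}:{uri}")
    return md5hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def parse_auth(header):
    """Minimal parser for 'Digest k="v", k2=v2, ...' challenge and credential headers."""
    return {k: q or v for k, q, v in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', header)}


class Bsf:
    """Zn reference point: hands out Ks_NAF for a B-TID the UE bootstrapped over Ub (step 6, omitted)."""
    def __init__(self, sessions):
        self.sessions = sessions  # B-TID -> (Ks, RAND, IMPI)

    def ks_naf(self, btid, naf_fqdn):
        rec = self.sessions.get(btid)
        return None if rec is None else derive_ks_naf(rec[0], rec[1], rec[2], naf_fqdn)


class OpNaf:
    """OpenID Provider in the NAF role on Ua: challenge (step 5), then verify (step 8)."""
    def __init__(self, bsf):
        self.bsf, self.nonces = bsf, set()

    def handle(self, method, uri, authorization):
        if authorization is None:
            nonce = secrets.token_hex(16)
            self.nonces.add(nonce)
            return 401, f'Digest realm="{REALM}", qop="auth", nonce="{nonce}"'
        a = parse_auth(authorization)
        ks_naf = self.bsf.ks_naf(a.get("username", ""), NAF_FQDN)  # username is the B-TID
        if ks_naf is None or a.get("realm") != REALM or a.get("nonce") not in self.nonces:
            return 401, None
        self.nonces.discard(a["nonce"])  # each server nonce is accepted once
        want = digest_response(a["username"], base64.b64encode(ks_naf).decode("ascii"), method,
                               a.get("uri", ""), a["nonce"], a.get("nc", ""), a.get("cnonce", ""))
        if not hmac.compare_digest(want, a.get("response", "")):
            return 401, None
        return 200, f"authenticated B-TID {a['username']}"


class Ue:
    """GBA-enabled client: derives Ks_NAF for the realm's NAF and answers the challenge (step 7)."""
    def __init__(self, ks, rand, impi, btid):
        self.ks, self.rand, self.impi, self.btid = ks, rand, impi, btid

    def answer(self, method, uri, challenge):
        c = parse_auth(challenge)
        if not c.get("realm", "").startswith("3GPP-bootstrapping@"):
            raise ValueError("not a GBA challenge")
        naf_fqdn = c["realm"].split("@", 1)[1]
        password = base64.b64encode(derive_ks_naf(self.ks, self.rand, self.impi, naf_fqdn)).decode("ascii")
        cnonce = secrets.token_hex(8)
        resp = digest_response(self.btid, password, method, uri, c["nonce"], "00000001", cnonce)
        return (f'Digest username="{self.btid}", realm="{c["realm"]}", nonce="{c["nonce"]}", uri="{uri}", '
                f'qop=auth, nc=00000001, cnonce="{cnonce}", response="{resp}"')


def run_flow(ue_has_right_ks=True):
    """Returns the status of the first GET (challenge) and of the GET carrying the digest."""
    ks, rand, impi = secrets.token_bytes(32), secrets.token_bytes(16), "alice@ims.operator.com"
    btid = base64.b64encode(rand).decode("ascii") + "@bsf.operator.com"  # constructed B-TID shape
    op = OpNaf(Bsf({btid: (ks, rand, impi)}))
    ue = Ue(ks if ue_has_right_ks else secrets.token_bytes(32), rand, impi, btid)
    first, challenge = op.handle("GET", "/openid/auth", None)
    second, _ = op.handle("GET", "/openid/auth", ue.answer("GET", "/openid/auth", challenge))
    return first, second
```

The realm check on the UE side is the GBA-enabling hook the "Open Issues" slide asks about: a browser that does not recognise "3GPP-bootstrapping@" will simply prompt for a password, so whatever plug-in or platform component adds GBA must intercept this 401 before the generic Digest handler does.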