ID-FF

Identity Federation Framework

Security
Introduced in Rel-8
A framework, specified by the Liberty Alliance Project (LAP) and profiled by 3GPP, that enables secure identity federation across different administrative domains and service providers. It allows users to access multiple services with a single set of credentials.

Description

The Identity Federation Framework (ID-FF) is a set of specifications, originally developed by the Liberty Alliance Project (LAP), that 3GPP has adopted and profiled for use in mobile networks, particularly within the IP Multimedia Subsystem (IMS). Its primary function is to establish a trusted framework for identity federation, single sign-on (SSO), and identity-based web services. Federation is the process of linking a user's digital identity across multiple distinct identity management systems, allowing authentication performed in one domain (the Identity Provider, IdP) to be trusted and accepted in another domain (the Service Provider, SP).

Architecturally, ID-FF defines roles such as the Principal (the user), the Identity Provider (IdP), and the Service Provider (SP). It specifies protocols and schemas for establishing federated identities, managing name identifiers, and propagating authentication assertions. A key component is the use of Security Assertion Markup Language (SAML) assertions, which are XML-based tokens that carry authentication and authorization statements about a principal. The framework defines how these assertions are created, signed, and exchanged between the IdP and SP to establish a security context without the user needing to re-authenticate.

The flow begins with a user attempting to access a service at an SP. If the user has no local account, the SP can redirect the request to a trusted IdP with which the user's identity is federated. The IdP authenticates the user (in the 3GPP context, typically with SIM-based authentication) and generates a signed SAML assertion containing the user's authenticated identity and attributes. The assertion is delivered back to the SP either through the user's browser (artifact or POST binding) or over a back-channel. The SP verifies the assertion's signature, checks that it was issued by an IdP it trusts, and then grants access based on the asserted identity. This is what makes cross-domain access seamless for the user.
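As an added illustration (not code from the 3GPP or Liberty Alliance specifications), the following Python models the exchange described above, the IdP issuing a short-lived assertion and the SP performing the checks that matter before granting access, and also shows the pairwise pseudonymous NameID the framework uses for privacy. It assumes constructed entity IDs and keys, and uses an HMAC over a canonical JSON body as a stand-in for the XML-DSig signature on a real SAML assertion.

```python
"""Model of an ID-FF / SAML single sign-on exchange: an IdP issues a signed
assertion and an SP validates it. Added illustration, not 3GPP or Liberty code.
Constructed entity IDs and keys; an HMAC over canonical JSON stands in for XML-DSig."""
import hashlib
import hmac
import json
import secrets

IDP_ID = "https://idp.operator.example"            # constructed IdP entity ID
SIGNING_KEY = b"constructed-idp-sp-signing-key"    # stand-in for the IdP signing key pair
PSEUDONYM_SECRET = b"constructed-idp-only-secret"  # never leaves the IdP

def pairwise_name_id(subscriber: str, sp_id: str) -> str:
    """Opaque NameID that differs per SP, so two SPs cannot correlate one user."""
    msg = f"{subscriber}|{sp_id}".encode()
    return hmac.new(PSEUDONYM_SECRET, msg, hashlib.sha256).hexdigest()[:32]

def sign(body: dict) -> str:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, canon, hashlib.sha256).hexdigest()

def idp_issue(subscriber: str, sp_id: str, now: float, lifetime: int = 300) -> dict:
    """IdP side: after (e.g. SIM-based) authentication, issue a short-lived assertion."""
    body = {"ID": secrets.token_hex(8), "Issuer": IDP_ID, "Audience": sp_id,
            "NameID": pairwise_name_id(subscriber, sp_id),
            "NotBefore": now, "NotOnOrAfter": now + lifetime, "AuthnContext": "3GPP-SIM"}
    return {**body, "Signature": sign(body)}

class ServiceProvider:
    def __init__(self, sp_id: str, trusted_idps):
        self.sp_id = sp_id
        self.trusted = set(trusted_idps)
        self.seen_ids = set()  # assertion IDs already consumed (replay defence)

    def validate(self, assertion: dict, now: float):
        """Return (name_id, "ok") or (None, reason). Verify the signature before
        trusting any field, then issuer, audience, validity window and replay."""
        body = {k: v for k, v in assertion.items() if k != "Signature"}
        if not hmac.compare_digest(sign(body), assertion.get("Signature", "")):
            return None, "bad signature"
        if body["Issuer"] not in self.trusted:
            return None, "untrusted issuer"
        if body["Audience"] != self.sp_id:
            return None, "wrong audience"
        if not (body["NotBefore"] <= now < body["NotOnOrAfter"]):
            return None, "outside validity window"
        if body["ID"] in self.seen_ids:
            return None, "replay"
        self.seen_ids.add(body["ID"])
        return body["NameID"], "ok"
```

The audience check is what stops an assertion issued for one SP from being presented to another, even though both trust the same IdP; the per-SP NameID is what keeps those two SPs from linking the same subscriber.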

In the 3GPP ecosystem, particularly for IMS-based services, ID-FF enables service providers outside the mobile operator's direct control (e.g., third-party application providers) to leverage the strong authentication provided by the operator's network. The 3GPP network acts as a strong IdP, using the credentials stored on the UICC (SIM card). This allows users to access a wide range of web and IMS services with a consistent, secure identity derived from their mobile subscription, enhancing both user experience and security.

Purpose & Motivation

The purpose of ID-FF in 3GPP is to solve the problem of identity silos and fragmented user logins in the burgeoning world of mobile internet and IMS services. Before federation, users had to maintain separate usernames and passwords for every service provider, leading to poor user experience, password fatigue, and weaker security practices (e.g., password reuse). For service providers, implementing and managing their own authentication systems was costly and complex.

3GPP's adoption of ID-FF was motivated by the need to leverage the mobile network's inherent strong authentication capabilities (SIM-based) for services beyond basic network access. It allows mobile operators to become trusted identity brokers. This creates new business models, such as identity-as-a-service, and enables secure, convenient access to a plethora of third-party services—from streaming and gaming to enterprise applications—using the mobile identity as a key.

It addresses the limitations of previous ad-hoc or proprietary single sign-on solutions by providing a standardized, interoperable framework based on open specifications (Liberty Alliance/SAML). This standardization is critical for creating a scalable ecosystem where any service provider can integrate with any operator's identity platform. Furthermore, it enhances privacy through mechanisms like pseudonymous identifiers and user consent for attribute sharing, giving users control over how their identity information is disseminated across different services.

Key Features

  • Enables identity federation between distinct administrative domains (IdP and SP)
  • Supports Single Sign-On (SSO), reducing repeated authentication prompts
  • Utilizes SAML-based assertions for secure transmission of authentication and attribute statements
  • Defines protocols for federation establishment, single logout, and name identifier management
  • Allows the mobile network operator to act as a strong Identity Provider (IdP)
  • Supports privacy through the use of opaque, pairwise pseudonymous identifiers for users

Evolution Across Releases

Rel-8 Initial

Initially profiled and adopted the Liberty Alliance ID-FF 1.2 specifications for use within the 3GPP IMS architecture. Defined the framework for using the 3GPP network (specifically the Home Subscriber Server/HSS and IMS) as an Identity Provider, enabling federated access to IMS-based and external web services. Established the basic procedures for federation, single sign-on, and identity mapping.

Enhanced integration with the Generic Authentication Architecture (GAA) and bootstrapping. Improved specifications for the Zh and Zn interfaces between the HSS/HLR and the Liberty-enabled functions.

Maintenance and interoperability refinements. Alignment with updates in the underlying Liberty Alliance and SAML standards.

Continued maintenance and clarifications. Focus on ensuring stable operation within the broader IMS service deployment landscape.

Work shifted towards the broader 3GPP Generic Authentication Architecture (GAA) and the more modern OpenID Connect framework. ID-FF specifications were maintained but not significantly enhanced.

Maintenance phase. The framework remained part of the toolkit for legacy and specific IMS service deployments.

Maintenance and stability fixes. No major new features added to the ID-FF profile.

With the advent of 5G, identity management evolved towards new paradigms like 5G Authentication and Key Agreement (5G AKA) and the Security Edge Protection Proxy (SEPP). ID-FF remained as a legacy capability for IMS, with focus moving to new frameworks.

Continued maintenance. The role of federated identity in 5G is increasingly addressed by standards like OpenID Connect, which is profiled for certain 5G network function interactions.

Maintenance. The specifications ensure backward compatibility for services still relying on the Liberty ID-FF framework.

Maintenance. The framework is considered a stable, mature component of the 3GPP security and identity architecture.

Expected to remain in maintenance mode, supporting existing deployments while newer identity federation technologies are adopted for advanced 5G services.

Defining Specifications

Specification    Title
TS 33.980        3GPP TR 33.980