ID-WSF

Identity Web Services Framework

Services
Introduced in Rel-8
A web services framework, profiled from the Liberty Alliance Project, that defines standardized protocols for discovering, invoking, and managing identity-related web services in a secure and privacy-respecting manner. It enables services to interact with user identity data.

Description

The Identity Web Services Framework (ID-WSF) is a comprehensive set of specifications, also originating from the Liberty Alliance Project (LAP) and adopted by 3GPP, that builds upon the Identity Federation Framework (ID-FF). While ID-FF handles federation and authentication, ID-WSF provides the infrastructure for secure, authorized, and privacy-aware access to web services that expose or consume identity-related information. It essentially defines a service-oriented architecture (SOA) for identity data, enabling applications to interact with a user's profile, preferences, or other attributes stored across different providers.

Architecturally, ID-WSF introduces key roles: the Principal (user), the Identity Provider (IdP), Service Providers (SPs), and Discovery Services. A central concept is the Identity Service, which is a web service that offers access to some aspect of a principal's identity data (e.g., a contact book service, a presence service, a location service). The framework specifies core components: the Discovery Service (DS), which acts as a registry for finding what identity services are available for a given user and how to access them; SOAP-based binding with WS-Security for secure message exchange; and detailed protocols for service invocation, authorization, and consent management.

The framework operates in several steps. First, a client application (a WSF Relying Party) needs to access a user's identity service. It contacts the user's Discovery Service (often hosted by the IdP), presenting a security token (such as a SAML assertion obtained through ID-FF). The DS, after validating the token and checking authorization policies, returns a service endpoint reference (a URL) together with the security requirements for accessing the desired identity service. The client then directly invokes that service using SOAP messages secured with WS-Security, adhering to the user's privacy preferences and the service's access control rules. This decouples service discovery from service invocation and enforces user-centric control.

In the 3GPP context, ID-WSF is profiled to work seamlessly with 3GPP authentication and the ID-FF framework. It allows mobile network operators to expose subscriber data (with explicit user consent) to trusted third-party application providers in a controlled, standardized way. For example, a user could grant a navigation app permission to access their coarse network-derived location via a standardized ID-WSF location service, without the app needing direct, proprietary access to network nodes. This creates a rich ecosystem of identity-aware services while maintaining security and user privacy.
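As an added illustration (not code from the specifications or from any ID-WSF implementation), the following Python models the discovery-then-invoke flow described above: a Discovery Service validates the relying party's token, applies the principal's consent policy, and only then returns an endpoint reference that the client uses for the invocation. The service-type URNs, host names and token fields are hypothetical stand-ins for the SAML, SOAP and WS-Security artifacts of the real framework.

```python
from dataclasses import dataclass

# Constructed, simplified model of the ID-WSF discovery-then-invoke flow; it is not
# the real SOAP/WS-Security wire format. Tokens, EPRs and policies are plain objects.

@dataclass
class Token:            # stands in for a SAML assertion issued by the IdP
    subject: str        # principal the assertion is about
    issuer: str         # IdP that issued it
    audience: str       # Discovery Service it was issued to
    expires: float      # POSIX time after which it must be refused

@dataclass
class EndpointReference:
    service_type: str   # hypothetical URN, e.g. "urn:example:location"
    address: str        # where the identity service is invoked
    security_mech: str  # security profile the service requires of callers

class DiscoveryService:
    def __init__(self, name, trusted_idps):
        self.name, self.trusted_idps = name, set(trusted_idps)
        self.registry = {}   # principal -> {service_type: EndpointReference}
        self.consent = {}    # principal -> {service_type: {relying parties}}

    def register(self, principal, epr):
        self.registry.setdefault(principal, {})[epr.service_type] = epr

    def grant(self, principal, service_type, relying_party):
        self.consent.setdefault(principal, {}).setdefault(service_type, set()).add(relying_party)

    def lookup(self, token, relying_party, service_type, now):
        """Validate the token, apply the principal's consent, return (EPR or None, reason)."""
        if token.issuer not in self.trusted_idps or token.audience != self.name:
            return None, "token rejected"
        if token.expires <= now:
            return None, "token expired"
        epr = self.registry.get(token.subject, {}).get(service_type)
        if epr is None:
            return None, "no such service for principal"
        if relying_party not in self.consent.get(token.subject, {}).get(service_type, ()):
            return None, "consent not granted"
        return epr, "ok"

def invoke(ds, token, relying_party, service_type, services, now):
    """Client side: discover first, then call the returned endpoint (services maps address -> callable)."""
    epr, reason = ds.lookup(token, relying_party, service_type, now)
    if epr is None:
        return None, reason
    return services[epr.address](token.subject), "ok"
```

The relying party never learns the endpoint unless the DS has both validated its token and found the principal's consent for that service type, which is the decoupling the text describes.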

Purpose & Motivation

The purpose of ID-WSF is to address the challenge of securely and programmatically accessing distributed identity information in a service-oriented world. Before such frameworks, applications that needed user data (like contacts or location) either had to store it themselves (creating data silos and redundancy) or develop custom, brittle integrations with each data source (like a mobile operator's network). This was inefficient, insecure, and offered users little control over how their data was shared.

3GPP's profiling of ID-WSF was driven by the vision of the mobile operator as a trusted hub for identity and personal data. It enables new revenue streams for operators by allowing them to offer identity data as a service to third parties. For application developers, it provides a standardized, single API-like framework to access a wealth of user-context information (with permission), simplifying development and enabling richer, more personalized services.

It solves critical problems of interoperability and privacy. By standardizing the service discovery, invocation, and security protocols, it allows any compliant service (from any provider) to be discovered and used by any compliant client. Its built-in consent and authorization mechanisms put the user in the driver's seat, requiring explicit permission for data sharing and allowing them to set granular rules. This user-centric model was a key advancement over previous, more provider-centric data access models.

Key Features

  • Defines a standardized framework for discovering and invoking identity-related web services
  • Central role of a Discovery Service (DS) for dynamic service endpoint lookup
  • Uses SOAP/WS-* standards with WS-Security for secure, reliable messaging
  • Incorporates strong authorization and user consent mechanisms for privacy control
  • Enables the mobile operator to host and offer identity services (e.g., profile, location)
  • Promotes interoperability by decoupling service consumers from service providers via the DS

Evolution Across Releases

Rel-8 Initial

Initially profiled and adopted the Liberty Alliance ID-WSF 2.0 specifications. Integrated it with the 3GPP security infrastructure, particularly the Generic Authentication Architecture (GAA) and ID-FF. Defined how 3GPP network entities could act as Discovery Services and host Identity Services (e.g., for presence or group management). Established the foundational protocols for service discovery and secure invocation.

Enhanced integration with IMS services, such as Presence and Group Management. Defined specific 3GPP identity service types and refined the profiling for mobile environments. Improved specifications for the interfaces between the DS and HSS.

Maintenance and interoperability testing refinements. Alignment with evolving web services standards in the broader industry.

Continued maintenance and clarification of implementation guidelines. Focus on ensuring the framework worked effectively for deployed IMS-based service enablers.

Similar to ID-FF, development focus shifted. ID-WSF was maintained as a stable framework, but industry trends moved towards RESTful APIs and lighter-weight protocols like OpenID Connect and OAuth 2.0 for similar purposes.

Maintenance phase. The specifications supported existing deployments of advanced IMS communication services.

Maintenance and stability. No significant new technical features added to the ID-WSF profile.

In the 5G era, the Network Exposure Function (NEF) and Service-Based Interfaces (SBI) using HTTP/2 and JSON provide a more modern paradigm for exposing network capabilities and data. ID-WSF remains for legacy service support.

Continued maintenance. The framework represents an important historical step in standardizing identity web services, but its SOAP/WS-* foundation is largely supplanted by RESTful architectures in new 5G work.

Maintenance. Ensures continued operation for services built on this architecture.

Maintenance. The specifications are part of 3GPP's portfolio of stable, mature service enabler standards.

Expected to remain in maintenance, supporting the longevity of services that implemented the ID-WSF model.

Defining Specifications

Specification    Title
TS 33.980        3GPP TR 33.980