LAP

Liberty Alliance Project

Security
Introduced in Rel-8
A now-sunset industry consortium that developed open standards for federated digital identity, single sign-on (SSO), and identity-based web services. Its specifications, notably the Identity Federation Framework (ID-FF), influenced early 3GPP work on authentication and service access, particularly for IP Multimedia Subsystem (IMS) and non-3GPP access.

Description

The Liberty Alliance Project (LAP) was not a 3GPP-created technology but an external standards body whose work was referenced and adopted within certain 3GPP specifications, primarily those dealing with security and service access. Its core contribution was the Liberty Identity Federation Framework (ID-FF), which provided a protocol suite for federated identity management. Federation allows a user's identity and authentication credentials from one domain (the Identity Provider, or IdP) to be trusted and used in another domain (the Service Provider, or SP), enabling seamless cross-domain single sign-on (SSO). Within 3GPP, this concept was integrated to facilitate secure access to IMS and other IP-based services, especially from non-3GPP access networks like Wi-Fi.

Architecturally, LAP's framework introduced key roles: the Principal (user), the Identity Provider (which holds the user's master credentials), and the Service Provider. The protocols allowed for the creation of a federated context or "circle of trust" between these entities. Technically, this involved browser-based redirects using artifacts or SAML assertions to convey authentication statements. In a 3GPP context, the Home Subscriber Server (HSS) or a dedicated Authentication, Authorization, and Accounting (AAA) server could act as the Identity Provider. A web portal or IMS Application Server could act as the Service Provider. When a user attempted to access a service, the SP would redirect the user's browser to the IdP (the 3GPP network) for authentication. After successful 3GPP authentication (e.g., using SIM credentials), the IdP would send a cryptographically signed assertion back to the SP, confirming the user's identity and authentication status, granting access without requiring a separate password.

This mechanism was particularly detailed in 3GPP specification TS 33.980, which profiled the use of Liberty ID-FF for 3GPP systems. It defined how 3GPP network entities should generate and process Liberty artifacts and assertions, mapping 3GPP subscriber identifiers (like IMSI or IMPI) into the federated identity model. The framework also supported identity federation establishment, single logout, and simple consent-based attribute sharing. While LAP itself has been superseded by later standards like SAML 2.0 and OpenID Connect, its foundational concepts of identity federation became a critical component in enabling secure, user-friendly access to multimedia services across heterogeneous access networks in the 3GPP ecosystem.
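The redirect-and-assertion flow above, with the operator network acting as IdP and the IMPI mapped to a per-SP pseudonym, as an added Python simulation (not code from TS 33.980 or the Liberty specifications): an HMAC-SHA256 tag stands in for the XML signature on the SAML assertion, and the key, host names and subscriber entry are constructed stand-ins for a real HSS/AAA and circle of trust.

```python
# Added example (not TS 33.980's own code): compact simulation of the Liberty ID-FF
# artifact profile with the home operator as IdP. HMAC-SHA256 stands in for the
# XML signature on the real SAML assertion; all keys, names and subscribers are constructed.
import hashlib, hmac, json, secrets, time

IDP_KEY = b"constructed-idp-signing-key"   # trust established out of band (circle of trust)
SUBSCRIBERS = {"user1@ims.operator.example": "sim-ok"}   # IMPI -> constructed auth result


def sign(body):
    return hmac.new(IDP_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class IdentityProvider:
    """Home operator: authenticates the Principal and issues assertions via artifacts."""
    def __init__(self):
        self.pseudonyms = {}   # (impi, sp_id) -> opaque per-SP federated identifier
        self.artifacts = {}    # artifact -> signed assertion, redeemable once

    def authenticate(self, impi, sp_id, ttl=60):
        if SUBSCRIBERS.get(impi) != "sim-ok":          # stands in for SIM/AKA authentication
            return None
        # The IMPI never leaves the operator: the SP only sees a per-SP pseudonym.
        subject = self.pseudonyms.setdefault((impi, sp_id), secrets.token_hex(8))
        body = {"subject": subject, "audience": sp_id, "issuer": "idp.operator.example",
                "not_after": time.time() + ttl}
        artifact = secrets.token_urlsafe(16)            # short opaque handle carried by the browser
        self.artifacts[artifact] = {"body": body, "sig": sign(body)}
        return artifact

    def resolve(self, artifact):
        # Back-channel dereference; one-time use blocks replay of a captured artifact.
        return self.artifacts.pop(artifact, None)


class ServiceProvider:
    def __init__(self, sp_id, idp):
        self.sp_id, self.idp = sp_id, idp

    def login(self, artifact, now=None):
        """Return the federated subject on success, None if any check fails."""
        a = self.idp.resolve(artifact)
        if a is None or not hmac.compare_digest(sign(a["body"]), a["sig"]):
            return None                                 # unknown/replayed artifact or bad signature
        if a["body"]["audience"] != self.sp_id:
            return None                                 # assertion was issued for another SP
        if (now if now is not None else time.time()) >= a["body"]["not_after"]:
            return None                                 # expired assertion
        return a["body"]["subject"]
```

The checks in login() are the ones a relying SP must enforce on any federated assertion: signature, audience, validity window, and single-use redemption of the artifact.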

Purpose & Motivation

The Liberty Alliance Project was formed in 2001 by a consortium of companies to create an open alternative to proprietary single sign-on systems, most notably Microsoft's Passport (now Windows Live ID). Its primary purpose was to address the growing need for secure, privacy-respecting, and interoperable digital identity management across the internet. Before federation standards, users had to maintain separate usernames and passwords for every service, leading to poor user experience and security risks like password reuse. For network operators and service providers, managing these isolated identities was cumbersome and limited service reach.

3GPP's adoption of LAP specifications, beginning in Release 8, was motivated by the need to securely extend 3GPP-based authentication (like SIM-based authentication) to non-3GPP IP access networks and web services. As IMS and mobile data services evolved, users expected to access the same multimedia services from their home Wi-Fi or a public hotspot as they did from their cellular connection. The problem was how to leverage the strong, SIM-based security of the 3GPP domain in these untrusted, IP-based domains without compromising security or user experience. LAP's federated identity framework provided a standardized solution.

It solved the problem by allowing the 3GPP network (the home operator) to act as a trusted Identity Provider. A user could authenticate once with their home network, and that authentication could be federated to any Service Provider (e.g., an IMS application, a partner video service) that trusted the operator's IdP. This eliminated the need for service-specific passwords, strengthened security by using robust 3GPP authentication methods, and enabled seamless service access across different technological domains. It was a key enabler for early fixed-mobile convergence and the vision of ubiquitous multimedia service access.

Key Features

  • Federated identity management enabling Single Sign-On (SSO) across different administrative domains
  • Use of SAML-based assertions and artifacts for secure transmission of authentication statements
  • Support for identity provider (IdP) initiated and service provider (SP) initiated SSO flows
  • Mechanisms for federated logout to terminate sessions across all linked service providers
  • Framework for establishing circles of trust between identity and service providers
  • Mapping of 3GPP subscriber identities (IMPI/IMPU) into federated identity protocols

Evolution Across Releases

Rel-8 Initial

Initial adoption and profiling of the Liberty Alliance Identity Federation Framework (ID-FF) for 3GPP systems. Specified in TS 33.980, it defined how 3GPP networks act as Identity Providers, using Liberty protocols to enable SSO for IMS and other IP-based services accessed via non-3GPP networks like Wi-Fi.

Maintenance and potential clarifications to the Liberty ID-FF profiling. Integration with enhanced IMS service access scenarios and alignment with ongoing 3GPP security architecture work for EPS.

Continued support and maintenance. The specifications began to note the industry migration towards SAML 2.0, which subsumed many Liberty ID-FF concepts. 3GPP work started to evolve towards Generic Bootstrapping Architecture (GBA) and other native 3GPP authentication mechanisms for web services.

The Liberty Alliance specifications in 3GPP entered a maintenance phase with minimal changes. The industry-standard identity federation moved decisively to SAML 2.0 and later OAuth 2.0 / OpenID Connect. 3GPP's own mechanisms, like GBA and 5G authentication, became the primary focus for service access security.

TS 33.980 remains as a historical reference. Active development and new features for federated identity in 3GPP are addressed through other specifications, leveraging modern protocols. The LAP work is considered a foundational but legacy component of 3GPP's identity management history.

Defining Specifications

Specification   Title
TS 33.980       3GPP TR 33.980