LECP

Liberty-Enabled Client or Proxy

Security
Introduced in Rel-8
A LECP is a functional entity defined within the Liberty Alliance Project (LAP) framework for federated identity management. In 3GPP, it is referenced in the context of interworking between 3GPP networks and external IP-based service networks that use LAP protocols for authentication and single sign-on.

Description

The Liberty-Enabled Client or Proxy (LECP) is a concept adopted from the Liberty Alliance Project (LAP) specifications into certain 3GPP standards, primarily those dealing with network interworking and access to IP-based services (e.g., WLAN interworking). A LECP is not a 3GPP-native network function but a role that a user equipment (UE) or an intermediate network node can assume when interacting with a service provider that uses Liberty Alliance protocols. Its primary function is to participate in federated identity transactions, enabling Single Sign-On (SSO) and identity federation across different administrative domains.

Architecturally, a LECP operates as an agent for the end-user. It could be a software component on the UE (a 'client') or a network-based entity (a 'proxy') that handles the Liberty protocols on behalf of a simpler client. In a typical Liberty transaction, the LECP interacts with an Identity Provider (IdP) and a Service Provider (SP). It facilitates the exchange of authentication assertions (using Security Assertion Markup Language - SAML) and manages artifacts and cookies required for the SSO session. For example, in a 3GPP-WLAN interworking scenario defined in TS 33.980, the UE (acting as a LECP) might use Liberty protocols to access a corporate IP network after having been authenticated by the 3GPP network, which acts as the IdP.

The process has several steps. First, the user authenticates to their home 3GPP network. When the user attempts to access a Liberty-enabled service, the LECP on the UE redirects the user agent to the Liberty IdP (which could be the 3GPP network). After re-authentication (often transparent via SSO), the IdP issues a SAML assertion. The LECP then presents this assertion to the target Service Provider to gain access. The key components involved are the LECP itself, the Liberty IdP, the Liberty SP, and the underlying protocols, Liberty ID-FF (Identity Federation Framework) and SAML. In 3GPP, its role is to provide a standardized method for integrating 3GPP authentication credentials (such as SIM-based authentication) into a broader ecosystem of web and IP services that use federated identity standards, thereby extending the reach and convenience of 3GPP authentication.
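The flow above, as an added illustration that is not code from TS 33.980 or the Liberty Alliance specifications: the IdP (the 3GPP network) issues an assertion for an already-authenticated subscriber, the LECP carries it to the SP, and the SP checks signature, issuer, audience, validity window and replay before granting access. An HMAC over the assertion fields stands in for the XML signature a real Liberty IdP would apply; the entity identifiers, key and subject values are constructed.

```python
import hmac, hashlib, json, secrets

# Constructed values: a shared key stands in for the IdP signing key that the
# SP trusts; entity IDs name the two Liberty parties in this simulation.
IDP_SP_KEY = b"constructed-shared-key"
IDP_ENTITY_ID = "https://idp.operator.example.test"   # 3GPP network acting as IdP
SP_ENTITY_ID = "https://sp.example.test"              # Liberty-enabled service

def _sign(body):
    payload = json.dumps(body, sort_keys=True).encode()
    return hmac.new(IDP_SP_KEY, payload, hashlib.sha256).hexdigest()

def idp_issue_assertion(subject, audience, now, ttl=300):
    """IdP step: the user is already authenticated by the 3GPP network, so the
    IdP issues a short-lived, audience-restricted assertion for the target SP."""
    body = {"id": secrets.token_hex(8), "issuer": IDP_ENTITY_ID, "subject": subject,
            "audience": audience, "not_on_or_after": now + ttl}
    return {"assertion": body, "signature": _sign(body)}

class ServiceProvider:
    def __init__(self):
        self.seen_ids = set()   # assertion IDs already consumed (replay protection)

    def consume(self, msg, now):
        """SP step: validate the assertion the LECP presents; returns (ok, reason/subject)."""
        body, sig = msg["assertion"], msg["signature"]
        if not hmac.compare_digest(sig, _sign(body)):
            return (False, "bad signature")
        if body["issuer"] != IDP_ENTITY_ID:
            return (False, "unknown issuer")
        if body["audience"] != SP_ENTITY_ID:
            return (False, "wrong audience")
        if now >= body["not_on_or_after"]:
            return (False, "expired")
        if body["id"] in self.seen_ids:
            return (False, "replay")
        self.seen_ids.add(body["id"])
        return (True, body["subject"])

def lecp_sso(sp, subject, now):
    """LECP step: obtain an assertion from the IdP for this SP and present it."""
    msg = idp_issue_assertion(subject, SP_ENTITY_ID, now)
    return sp.consume(msg, now)
```

Each rejection branch corresponds to a check a real SP must apply to a SAML assertion; dropping any of them (audience restriction in particular) lets an assertion issued for one service be presented to another.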

Purpose & Motivation

The purpose of referencing the LECP in 3GPP specifications was to enable seamless and secure access for 3GPP subscribers to third-party IP-based services and corporate networks, particularly during the era of WLAN interworking and early convergence between cellular and internet services. Before such standardization, accessing a web service often required a separate username and password, unrelated to the user's mobile identity. The LECP concept, via the Liberty Alliance framework, aimed to solve this by allowing the 3GPP network to act as a trusted Identity Provider, leveraging its robust authentication mechanism (e.g., using the SIM card) to vouch for the user to external Service Providers.

This addressed significant limitations: it improved user experience through Single Sign-On, reduced password fatigue, and enhanced security by utilizing strong network authentication. For network operators, it created a value-added service, allowing them to broker trust relationships with content and enterprise service providers. The motivation for its inclusion in 3GPP (around Rel-8) coincided with efforts to make 3GPP systems more open and interoperable with the broader internet identity ecosystem, which at the time was exploring federation standards like those from Liberty Alliance and later OASIS SAML.

Furthermore, defining the LECP role provided a clear architectural placeholder and set of procedures for how a UE or network proxy should behave in a Liberty transaction. This ensured interoperability between 3GPP-enabled devices and Liberty-enabled service networks. While the specific Liberty Alliance protocols have been largely superseded by later standards like OpenID Connect, the LECP represents an important historical step in 3GPP's journey towards federated identity and access management for non-3GPP access.

Key Features

  • Functional role defined by the Liberty Alliance Project (LAP) for federated identity
  • Can be implemented as a client on the User Equipment or as a network-based proxy
  • Facilitates Single Sign-On (SSO) using Liberty ID-FF and SAML protocols
  • Interacts with a Liberty Identity Provider (IdP) and Service Provider (SP)
  • Enables use of 3GPP authentication credentials to access external IP services
  • Referenced in 3GPP for WLAN interworking and access to IP-based service networks

Evolution Across Releases

Rel-8 Initial

Introduced and defined within TS 33.980, which specifies the Liberty Alliance-based interworking for network-driven authentication. Established the LECP as a key entity in the architecture for enabling 3GPP subscribers to access Liberty-enabled service networks using federated identity protocols, detailing its interactions with the 3GPP AAA server acting as an Identity Provider.

Defining Specifications

Specification    Title
TS 33.980        3GPP TR 33.980