Description
SAML is a protocol that uses XML documents called assertions to convey security information. In the 3GPP context, it is profiled to enable federated identity and single sign-on across administrative domains, such as between a mobile network operator (acting as the Identity Provider, IdP) and a third-party application or service provider (SP). The core components are the Principal (the user), the IdP (which authenticates the user and generates assertions), and the SP (which relies on the IdP's assertion to grant access). The protocol flow typically involves a redirect through the user's browser. When a user attempts to access a service at the SP, the SP generates a SAML authentication request and redirects the user to the IdP. The IdP authenticates the user (often using the network's authentication mechanisms, such as SIM-based authentication) and then creates a SAML response containing an assertion. This assertion, which is digitally signed by the IdP, contains statements about the user's authentication status, attributes (such as the subscriber ID), and authorization decisions.
The SAML response is sent back to the user's browser, which posts it to the SP's assertion consumer service endpoint. The SP validates the IdP's signature and the assertion's conditions (e.g., timestamps, intended audience). Upon successful validation, the SP establishes a local session for the user and grants access to the requested service without requiring a separate login. This decouples the service logic from the authentication mechanism. 3GPP's specification TS 33.980 defines a specific profile of SAML 2.0 for use in the IP Multimedia Subsystem (IMS) and other network services. It details how SAML bindings (like HTTP Redirect and POST) are used, how to map 3GPP subscriber identifiers into SAML attributes, and how to integrate with the 3GPP Authentication and Key Agreement (AKA) framework.
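One concrete form of the SP-side validation described above, as an added example that is not part of TS 33.980 or any 3GPP or vendor code: the checks an assertion consumer service applies to the IdP's response after the XML signature has been verified (that signature step is assumed to be done first by an XML-DSig library and is not shown). All issuer and audience URLs, identifiers and timestamps are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample IdP response; every identifier and URL is an illustrative placeholder.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" InResponseTo="_req42">
  <saml:Assertion ID="_a1" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://idp.operator.example</saml:Issuer>
    <saml:Subject><saml:NameID>subscriber-0001</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.video.example</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

def parse_saml_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)  # UTC xs:dateTime

def validate_assertion(xml_text, expected_issuer, expected_audience,
                       expected_request_id, now, seen_ids):
    """Return the failed checks (empty list: the SP may open a session). Precondition, assumed and
    not shown: the IdP's XML signature over the assertion was already verified with an XML-DSig library."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    problems = []
    if assertion.findtext("saml:Issuer", default="", namespaces=NS) != expected_issuer:
        problems.append("issuer mismatch")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return problems + ["missing Conditions"]
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < parse_saml_time(not_before):
        problems.append("not yet valid")
    if not_on_or_after and now >= parse_saml_time(not_on_or_after):
        problems.append("expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append("audience mismatch")
    if root.get("InResponseTo") != expected_request_id:  # bind to the SP's own AuthnRequest
        problems.append("InResponseTo mismatch")
    if assertion.get("ID") in seen_ids:  # assertion IDs are single-use; a repeat is a replay
        problems.append("replayed assertion")
    elif not problems:
        seen_ids.add(assertion.get("ID"))
    return problems
```

Production validators additionally tolerate a few seconds of clock skew between IdP and SP and parse the response with a hardened XML parser rather than the stdlib one used here for brevity.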
This integration allows for powerful use cases, such as a subscriber using their mobile network identity to seamlessly log into a partner video streaming service or an enterprise application, leveraging the strong, SIM-based authentication of the mobile network. The SP trusts the operator's IdP, creating a federated trust domain that simplifies the user experience and enhances security by centralizing authentication at a strong, trusted entity.
Purpose & Motivation
SAML was adopted by 3GPP to solve the problem of identity federation and streamlined access to services across different trust domains. As mobile networks evolved into service platforms, there was a growing need for subscribers to access a wide array of third-party applications (e.g., cloud services, content portals) without managing numerous separate usernames and passwords. Traditional methods required the service provider to handle authentication directly, which could be less secure and create a poor user experience.
The primary purpose of profiling SAML within 3GPP was to leverage the operator's strong authentication assets (the SIM card and the home network) as a universal identity credential. This enables Single Sign-On (SSO), where a user authenticated once by their home network can access multiple external services. It addresses limitations like password fatigue, weak authentication at service providers, and the complexity of provisioning user accounts across multiple services. For operators, it creates a new value proposition by allowing them to act as an Identity Broker. For service providers, it offloads the complex task of secure authentication to a specialized, trusted party. This federated model, standardized via SAML, is foundational for enabling secure, user-friendly access to IMS-based services and partnerships in a multi-vendor, multi-operator ecosystem.
Key Features
- XML-Based Assertions: Uses structured XML documents to communicate authentication, attribute, and authorization decisions.
- Single Sign-On (SSO): Enables users to authenticate once with their home network and access multiple federated services without re-login.
- Federated Identity Management: Establishes trust between an Identity Provider (IdP, the operator) and Service Providers (SPs).
- Strong Authentication Leverage: Allows third-party SPs to rely on the operator's strong authentication mechanisms (e.g., 3GPP AKA, SIM-based).
- Standardized Bindings and Profiles: 3GPP TS 33.980 defines specific SAML 2.0 bindings (HTTP Redirect/POST) and profiles for telecom use.
- Digital Signatures: SAML assertions are digitally signed by the IdP, ensuring integrity and authenticity of the security information.
Evolution Across Releases
SAML 2.0 was initially profiled in Release 8 within TS 33.980 to provide a standardized framework for federated identity and single sign-on. This established the architecture for using the mobile network operator as an Identity Provider (IdP), enabling subscribers to access third-party Service Providers (SPs) using their network authentication.
Defining Specifications
| Specification | Title |
|---|---|
| TS 33.980 | 3GPP TR 33.980 |