Description
The SEAL Identity Management Server (SIM-S) is a server-side functional entity specified within the 3GPP SEAL architecture for the Identity Management Enabler. It is typically deployed within a network operator's domain or a trusted third-party domain at the edge or in the cloud. The SIM-S provides identity management services to SEAL Identity Management Clients (SIM-Cs) and other SEAL enablers. Its core function is to support operations related to Decentralized Identifiers (DIDs) and Verifiable Credentials (VCs) as defined by W3C and adapted within the 3GPP framework.
Architecturally, the SIM-S may implement several roles from the VC model, such as a Verifiable Data Registry (a trusted system for recording DIDs and their associated public keys), a DID Resolver (a service that fetches DID documents from a registry), or a trusted intermediary between issuers and holders. It exposes northbound and southbound APIs. Southbound, it communicates with SIM-Cs using RESTful APIs over secure channels (e.g., TLS with mutual authentication). Northbound, it may interface with credential issuers (e.g., an operator's backend that issues subscription credentials), other SIM-S instances, or verifiers (edge application servers). The SIM-S maintains necessary trust anchors, such as public keys of trusted issuers or root certificates for DID methods.
In operation, the SIM-S mediates key identity lifecycle events. For issuance, an issuer (such as a mobile operator) can instruct the SIM-S to create a DID and issue a corresponding verifiable credential for a subscriber or device. The SIM-S may manage the DID on a registry and then deliver the credential to the subscriber's SIM-C. For verification, when an edge service (a verifier) needs to check a credential presented by a SIM-C, it may query the SIM-S to resolve the relevant DID, fetch the issuer's public keys, or validate the credential's status (e.g., check for revocation). The SIM-S performs these checks based on its configured trust relationships and returns the verification result. It thus offloads trust management and cryptographic verification logic from lightweight edge verifiers and provides a centralized point of policy enforcement for identity within the SEAL ecosystem, enabling scalable and interoperable trust across different administrative domains in edge computing.
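As an added illustration (not code from the 3GPP specifications or any SEAL implementation), the Go program below models the verifier-side checks described above with an in-memory SIM-S: the `Credential` layout, the `SIMS` type and the `Issue` helper are assumptions for this example, and the DIDs and claims are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"errors"
)

// Credential is a simplified Verifiable Credential (constructed; not the 3GPP/W3C wire format).
type Credential struct {
	ID      string            `json:"id"`
	Issuer  string            `json:"issuer"`  // issuer DID
	Subject string            `json:"subject"` // holder DID
	Claims  map[string]string `json:"claims"`  // e.g. "over18": "true"
	Sig     []byte            `json:"-"`       // Ed25519 signature over payload()
}

// payload is the signed byte string; json.Marshal sorts map keys, so it is deterministic.
func (c Credential) payload() []byte { b, _ := json.Marshal(c); return b }

// Issue is the issuer-side step: sign the credential with the key bound to the issuer's DID.
func Issue(priv ed25519.PrivateKey, c Credential) Credential {
	c.Sig = ed25519.Sign(priv, c.payload())
	return c
}

// SIMS is a hypothetical in-memory model of the server state used in the verifier role.
type SIMS struct {
	Registry map[string]ed25519.PublicKey // Verifiable Data Registry: DID -> public key
	Trusted  map[string]bool              // trust anchors: issuer DIDs the operator accepts
	Revoked  map[string]bool              // credential IDs revoked by their issuer
}

// Verify runs the checks an edge verifier offloads to the SIM-S: trust anchor, DID resolution, signature, revocation.
func (s *SIMS) Verify(c Credential) error {
	if !s.Trusted[c.Issuer] {
		return errors.New("issuer DID is not a configured trust anchor")
	}
	pk, ok := s.Registry[c.Issuer] // DID resolution against the registry
	if !ok {
		return errors.New("cannot resolve issuer DID")
	}
	if !ed25519.Verify(pk, c.payload(), c.Sig) {
		return errors.New("signature does not verify under the issuer's DID key")
	}
	if s.Revoked[c.ID] {
		return errors.New("credential has been revoked")
	}
	return nil
}
```

A verifier that receives an error keeps the credential's contents untouched but refuses the access decision, so the holder never learns which trust anchor or registry state caused the refusal.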
Purpose & Motivation
The SIM-S was created to provide a standardized, network-hosted authority for managing modern decentralized identities within the 5G service enabler architecture. As edge computing proliferates, services require a way to verify user/device attributes quickly and locally without constant referral to the central core network. Traditional HSS/UDM-centric authentication is not designed for fine-grained, attribute-based authentication to third-party edge applications.
It solves the problem of trust brokerage in a fragmented edge environment. Without a SIM-S, each edge application provider would need to establish direct trust relationships with every potential identity issuer (e.g., every mobile operator), which is impractical. The SIM-S acts as a trusted intermediary that applications can query. For operators, it provides a controlled way to extend the trust of the mobile subscription into the edge domain by issuing and managing verifiable credentials derived from that subscription.
The motivation stems from enabling secure and privacy-respecting service access for new 5G verticals. By adopting W3C-standard models for verifiable credentials, SIM-S facilitates interoperability with broader digital identity ecosystems outside telecom. It allows users to prove specific claims (e.g., "over 18," "has premium subscription") to edge services without revealing their full identity (IMSI/SUPI), supporting privacy-by-design principles. Its creation formalizes the operator's role as an identity provider in the edge computing value chain, opening new revenue streams and enhancing service security.
Detected Changes Across Releases
From 3GPP Change Requests: specific changes extracted from the "Change history" tables of 3GPP specifications (14 CRs across 3 releases). This complements the general overview above with the evidence-based evolution of this function.
In Release 16, the specification introduced new procedures for the SEAL Identity Management Server (SIM-S) to support user authentication and token exchange. Specifically, the SIM-S was updated to handle the User Authentication Server procedure and the Token Exchange Server procedure. These updates define the server's role in validating OIDC Authentication Requests and generating OIDC Token Responses over secure TLS connections.
In Release 17, key enhancements for the SIM-S included the introduction of a CoAP-based authentication procedure alongside the existing HTTP method, and the profiling of the ACE framework for these CoAP interfaces. The release also focused on updating security provisions specifically for the SEAL-S and SEAL-UU interfaces within the identity management system. These updates provided a more constrained-protocol alternative for device authentication and refined the overall security architecture.
- SEAL IM FE requirements (TS 24.547 CR0008)
- Security for CoAP interfaces in SEAL (TS 33.434 CR0004)
- Updating SEAL-S security (TS 33.434 CR0005)
- Updating SEAL-UU security (TS 33.434 CR0006)
- Profiling ACE in SEAL (TS 33.434 CR0007)
- Correcting the implementation of approved S3-214431 to SEAL TS 33.434 (TS 33.434 CR0008)
In Release 18, the new specifications for the SIM-S introduced security aspects for the SEAL Data Delivery enabler and defined SEAL security for network domain interfaces. These additions provided a formal security framework for the procedures between the SEAL identity management client and server, which are based on TLS tunnels and OIDC token exchanges as outlined in the foundational architecture.
Defining Specifications
3GPP specifications that define or reference SIM-S, with the latest known release. Sourced from the 3GPP document catalog.
| Specification | Title | Release |
|---|---|---|
| TS 24.547 vj00 | SEAL Identity Management Protocol | Rel-19 |
| TS 33.434 vj00 | Security aspects of SEAL for verticals | Rel-19 |