SSOS

SSO Service

Services
Introduced in Rel-8
SSO Service (SSOS) refers to the specific service offering or capability that implements Single Sign-On functionality within a 3GPP network. It represents the concrete realization of the SSO framework, providing the infrastructure and interfaces for authentication and authorization. It enables operators to deploy and manage SSO as a distinct service for users and applications.

Description

The SSO Service (SSOS) is the operational instantiation of the Single Sign-On (SSO) concept within a 3GPP system. It encompasses the complete set of network functions, protocols, and interfaces required to deliver SSO as a usable service to subscribers and third-party service providers. While SSO defines the architectural principles, SSOS refers to the deployable service that executes those principles. It acts as the intermediary that brokers trust between the user's identity provider (typically the home network) and the various service providers (SPs) the user wishes to access.

Technically, the SSOS is implemented through dedicated functional elements, often collocated with or integrated into existing network nodes. A core component is the SSO Service Function, which includes the logic for session management, token generation (using standards like SAML or OpenID Connect), and policy enforcement. It interfaces with the authentication infrastructure, such as the Home Subscriber Server (HSS) or Unified Data Management (UDM), to verify user credentials. It also exposes standardized interfaces (e.g., based on Diameter or HTTP/2) for service providers to request authentication and validate tokens.

The service works by intercepting access requests to protected services. When an unauthenticated request arrives, the SSOS redirects the user agent to an authentication portal. After successful authentication (e.g., via SIM, password, or biometrics), the SSOS creates a secure session and issues a cryptographic token. This token is then used to seamlessly access other services without re-authentication, as the SSOS validates the token for each subsequent request. The service manages the entire lifecycle, including token expiration, renewal, and revocation.

Key to the SSOS is its role in service federation. It maintains a trust relationship with external SPs, often established through pre-shared certificates or dynamic discovery protocols. The SSOS also handles user consent, logging, and auditing to meet regulatory requirements. In a 5G context, the SSOS may be implemented as a network function within the Service-Based Architecture (SBA), interacting with the Network Repository Function (NRF) for discovery and the Security Edge Protection Proxy (SEPP) for inter-network security.
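The request-interception flow and token lifecycle described two paragraphs above (redirect when unauthenticated, session creation after authentication, token issuance, per-request validation, renewal and revocation) and the federation trust relationship with selective attribute disclosure described just above, worked as an added example. This is illustrative code written for this page, not an implementation from any 3GPP specification: the SSOS is modelled as a single Python class, tokens are HMAC-SHA256 signed JSON (standing in for SAML or OIDC tokens), the trust registry and subscriber record are constructed stand-ins for SP onboarding data and HSS/UDM lookups, and every name in it is hypothetical.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed trust registry: SPs federated with this SSOS and the attributes
# each one is allowed to receive (selective attribute disclosure).
TRUST_REGISTRY = {
    "video.sp.example": {"attributes": {"subscriber_id", "age_verified"}},
    "shop.sp.example": {"attributes": {"subscriber_id", "msisdn"}},
}

# Constructed subscriber record standing in for an HSS/UDM lookup.
SUBSCRIBERS = {
    "user-001": {"subscriber_id": "user-001", "msisdn": "+15550100",
                 "age_verified": True, "home_region": "EU"},
}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SsoService:
    """Hypothetical SSOS: sessions plus token issue / validate / renew / revoke."""

    def __init__(self, signing_key: bytes, session_ttl: int = 3600, token_ttl: int = 300):
        self._key = signing_key
        self._session_ttl = session_ttl
        self._token_ttl = token_ttl
        self._sessions = {}        # session_id -> user, auth method, consent, expiry
        self._revoked_jti = set()  # token ids that must never validate again

    def handle_request(self, sp_id: str, token: Optional[str], now: float) -> dict:
        """Access request forwarded by a protected service: redirect, allow or deny."""
        if sp_id not in TRUST_REGISTRY:
            return {"action": "deny", "reason": "unknown_sp"}
        portal = "/sso/portal?sp=" + sp_id
        if token is None:
            return {"action": "redirect", "location": portal}
        ok, result = self.validate_token(token, sp_id, now)
        if not ok:
            return {"action": "redirect", "location": portal, "reason": result}
        return {"action": "allow", "claims": result}

    def authenticate(self, user_id: str, auth_method: str, consented: set, now: float) -> str:
        """Called once the portal has verified the user (SIM, password, ...); opens the session."""
        if user_id not in SUBSCRIBERS:
            raise ValueError("unknown subscriber")
        session_id = secrets.token_urlsafe(16)
        self._sessions[session_id] = {"user": user_id, "auth_method": auth_method,
                                      "consent": set(consented),
                                      "expires": now + self._session_ttl}
        return session_id

    def issue_token(self, session_id: str, sp_id: str, now: float) -> str:
        """Mint a short-lived token bound to one SP, carrying only permitted, consented attributes."""
        if sp_id not in TRUST_REGISTRY:
            raise ValueError("SP is not federated")
        session = self._sessions.get(session_id)
        if session is None or session["expires"] <= now:
            raise PermissionError("no live session")
        allowed = TRUST_REGISTRY[sp_id]["attributes"] & session["consent"]
        record = SUBSCRIBERS[session["user"]]
        payload = {"sub": session["user"], "aud": sp_id, "sid": session_id,
                   "amr": session["auth_method"], "iat": int(now),
                   "exp": int(now + self._token_ttl), "jti": secrets.token_urlsafe(8),
                   "attrs": {k: record[k] for k in sorted(allowed)}}
        body = _b64(json.dumps(payload, separators=(",", ":")).encode())
        sig = _b64(hmac.new(self._key, body.encode(), hashlib.sha256).digest())
        return body + "." + sig

    def validate_token(self, token: str, sp_id: str, now: float):
        """Per-request check: signature, audience, expiry, revocation, live session."""
        try:
            body, sig = token.split(".")
            given = _unb64(sig)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, given):   # constant-time comparison
            return False, "bad_signature"
        payload = json.loads(_unb64(body))
        if payload["aud"] != sp_id:
            return False, "audience_mismatch"
        if payload["exp"] <= now:
            return False, "expired"
        if payload["jti"] in self._revoked_jti:
            return False, "revoked"
        session = self._sessions.get(payload["sid"])
        if session is None or session["expires"] <= now:
            return False, "session_ended"
        return True, payload

    def renew_token(self, token: str, sp_id: str, now: float) -> str:
        """Renewal retires the old token so a leaked copy cannot be replayed."""
        ok, payload = self.validate_token(token, sp_id, now)
        if not ok:
            raise PermissionError(payload)
        self._revoked_jti.add(payload["jti"])
        return self.issue_token(payload["sid"], sp_id, now)

    def revoke_token(self, token: str) -> None:
        self._revoked_jti.add(json.loads(_unb64(token.split(".")[0]))["jti"])

    def logout(self, session_id: str) -> None:
        """Single logout: ending the session invalidates every token bound to it."""
        self._sessions.pop(session_id, None)
```

Two design points worth noting: the token is bound to a single SP through `aud`, so a token issued for one federated service is rejected by another even though both trust the same SSOS; and validation checks the session as well as the token, so a logout or session expiry takes effect immediately rather than when the last token runs out.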

Purpose & Motivation

The SSO Service was created to provide a standardized, operable service layer for Single Sign-On, moving beyond theoretical frameworks to practical deployment. While the SSO specifications defined the 'what', SSOS addresses the 'how' by detailing the service characteristics, operational procedures, and management aspects. It solves the problem of inconsistent and proprietary SSO implementations that hindered interoperability between different network operators and service providers.

Prior to its specification, operators developing SSO capabilities faced ambiguity in implementation details, leading to fragmented user experiences and increased integration costs for application developers. The SSOS provides a clear blueprint for building a compliant SSO service, ensuring that all necessary components—like token formats, error handling, and charging interfaces—are consistently implemented. This enables a marketplace of interoperable services where users can leverage their mobile identity across a wide ecosystem.

Motivated by the commercial need to monetize network authentication assets, SSOS allows operators to offer SSO as a value-added service to enterprises and content providers. It facilitates new business models, such as identity-as-a-service. By standardizing the service, 3GPP ensured that security and privacy controls are uniformly applied, protecting user data across federated environments. It essentially turns the SSO security framework into a billable, manageable network service.

Key Features

  • Operational service implementation of the SSO framework
  • Standardized interfaces for service provider integration and token validation
  • Comprehensive session and token lifecycle management (issuance, refresh, revocation)
  • Integration with network authentication systems (HSS/UDM, AUSF)
  • Support for federated identity and trust management with external domains
  • Charging and policy enforcement capabilities for commercial service offerings

Evolution Across Releases

Rel-8 Initial

Introduced the SSO Service (SSOS) as a distinct service concept, building upon the Rel-7 SSO framework. Defined the initial service architecture, specifying the functional entities required to offer SSO as a managed service. Established basic service primitives and operational requirements.

Enhanced the SSOS with support for a wider range of authentication methods and improved service discovery mechanisms. Added capabilities for service-level agreements (SLAs) between identity and service providers.

Aligned the SSOS more closely with web service standards, improving interoperability for RESTful APIs. Introduced enhanced logging and auditing functions for compliance.

Extended SSOS to support machine-to-machine (M2M) service access, defining lightweight protocols for device authentication. Added features for bulk token management.

Focused on scalability enhancements for the SSOS, supporting massive numbers of concurrent sessions. Improved fault tolerance and redundancy mechanisms for high availability.

Integrated SSOS with network virtualization, defining how the service can be deployed as virtualized network functions (VNFs). Added support for dynamic service scaling.

Enhanced the SSOS with advanced privacy features, such as selective attribute disclosure to service providers. Improved user consent management interfaces.

Adapted the SSOS for the 5G Service-Based Architecture (SBA), defining it as a consumable service within the 5G core. Specified interactions with the NRF and SEPP.

Extended SSOS capabilities to support network slicing, allowing different slices to have dedicated or shared SSO service instances. Enhanced support for vertical industry requirements.

Further refined SSOS for edge computing deployments, enabling low-latency authentication at the network edge. Improved integration with application functions (AFs).

Continued evolution for 5G-Advanced, exploring integration of the SSOS with AI-driven security analytics for anomaly detection in authentication patterns.

Finalized enhancements for the mature 5G ecosystem, focusing on operational efficiency and interoperability testing profiles for the SSOS. Worked on sunsetting legacy interfaces.

Defining Specifications

Specification   Title
TS 33.980       3GPP TR 33.980