Identity and access management for Networks and Services; Distributed User Profile Management; Using Network Operator as Identity Broker

DGS/INS-003

General Information

Status
Published
Publication Date
01-Nov-2010
Current Stage
12 - Completion
Due Date
04-Nov-2010
Completion Date
02-Nov-2010
Ref Project
Standard
gs_INS003v010101p - Identity and access management for Networks and Services; Distributed User Profile Management; Using Network Operator as Identity Broker
English language
37 pages

Standards Content (Sample)


Group Specification
Identity and access management for Networks and Services;
Distributed User Profile Management;
Using Network Operator as Identity Broker

2 ETSI GS INS 003 V1.1.1 (2010-11)

Reference
DGS/INS-003
Keywords
access, ID, management, network, profile,
service
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - NAF 742 C
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° 7803/88

Important notice
Individual copies of the present document can be downloaded from:
http://www.etsi.org
The present document may be made available in more than one electronic version or in print. In any case of existing or
perceived difference in contents between such versions, the reference version is the Portable Document Format (PDF).
In case of dispute, the reference shall be the printing on ETSI printers of the PDF version kept on a specific network drive
within ETSI Secretariat.
Users of the present document should be aware that the document may be subject to revision or change of status.
Information on the current status of this and other ETSI documents is available at
http://portal.etsi.org/tb/status/status.asp
If you find errors in the present document, please send your comment to one of the following services:
http://portal.etsi.org/chaircor/ETSI_support.asp
Copyright Notification
No part may be reproduced except as authorized by written permission.
The copyright and the foregoing restriction extend to reproduction in all media.

© European Telecommunications Standards Institute 2010.
All rights reserved.
DECT™, PLUGTESTS™, UMTS™, TIPHON™, the TIPHON logo and the ETSI logo are Trade Marks of ETSI registered
for the benefit of its Members.
3GPP™ is a Trade Mark of ETSI registered for the benefit of its Members and of the 3GPP Organizational Partners.
LTE™ is a Trade Mark of ETSI currently being registered
for the benefit of its Members and of the 3GPP Organizational Partners.
GSM® and the GSM logo are Trade Marks registered and owned by the GSM Association.
Contents
Intellectual Property Rights . 5
Foreword . 5
1 Scope . 6
2 References . 6
2.1 Normative references . 6
2.2 Informative references . 6
3 Definitions and abbreviations . 7
3.1 Definitions . 7
3.2 Abbreviations . 8
4 User Profile Management in Cross-Domain Cases . 8
4.1 Current Landscape . 9
4.1.1 OASIS SAML . 9
4.1.2 Liberty Alliance ID-WSF and DST . 10
4.1.3 OpenID Attribute Exchange . 11
4.1.4 3GPP GUP and UDC . 11
4.1.4.1 Generic User Profile . 11
4.1.4.1.1 General Architecture . 11
4.1.4.1.2 GUP Server . 11
4.1.4.1.3 Repository Access Function (RAF) . 12
4.1.4.1.4 Applications . 12
4.1.4.2 3GPP User Data Convergence . 13
4.1.4.2.1 Entities . 13
4.1.4.2.2 Message Types . 14
4.1.5 OMA GSSM, SUPM, NGSI . 14
4.1.6 ETSI STF 342 . 14
4.2 Problem Statement . 15
4.3 Potential Network Operator Role . 15
5 Use Cases . 15
5.1 My personal profile service . 15
5.1.1 Short Description . 15
5.1.2 Actors . 16
5.1.2.1 Actor Specific Issues . 16
5.1.2.2 Actor Specific Benefits . 16
5.1.3 Pre-conditions . 16
5.1.4 Post-conditions . 17
5.1.5 Normal Flow . 17
5.1.6 Alternative Flow 1: Updates the data with selected services . 18
5.1.7 Alternative Flow 2: MyPersonal Portal Service with Identity Provider storing data . 19
5.2 Use Case 2: Web Shop usage without subscription . 19
5.2.1 Short Description . 19
5.2.2 Actors . 19
5.2.2.1 Actor Specific Issues . 20
5.2.2.2 Actor Specific Benefits . 20
5.2.3 Pre-conditions . 20
5.2.4 Post-conditions . 21
5.2.5 Normal Flow . 21
5.2.6 Alternative Flow 1: Video Purchase with Federation . 22
5.3 Use Case 2-b: Web Shop usage with subscription . 22
5.3.1 Short Description . 22
5.3.2 Actors . 23
5.3.2.1 Actor Specific Issues . 23
5.3.2.2 Actor Specific Benefits . 23
5.3.3 Pre-conditions . 23
5.3.4 Post-conditions . 24
5.3.5 Normal Flow . 24
5.3.6 Alternative Flow 1: Video Purchase with User's interruption. 25
5.4 Profile updates from individual services . 25
5.4.1 Short Description . 25
5.4.2 Actors . 26
5.4.2.1 Actor Specific Issues . 26
5.4.2.2 Actor Specific Benefits . 26
5.4.3 Pre-conditions . 26
5.4.4 Post-conditions . 27
5.4.5 Normal Flow . 27
5.4.6 Alternative Flow 1: Updates the data according to the pre-define rules . 28
5.4.7 Alternative Flow 2: Updates the data with User's interruption . 29
5.5 User identity attribute sharing between operator/ISP and web enterprise . 29
5.5.1 Description . 29
5.5.2 Actors . 29
5.5.2.1 Actors specific Issues. 30
5.5.2.2 Actors specific benefits . 30
5.5.3 Pre-Condition . 30
5.5.4 Post-Condition . 30
5.5.5 Normative Flow . 30
6 Requirements . 31
6.1 User . 31
6.2 Service Provider . 31
6.2.1 As provider of user profile . 31
6.2.2 As consumer of user profile . 31
6.3 Identity Broker . 31
7 Technical Details . 32
7.1 Architecture . 32
7.2 Components . 33
7.3 Interfaces: Interface between User Profile Consumer (and User) and Identity Broker . 33
7.4 Interface between Identity Broker and User Profile Provider . 33
7.5 Accessing Protocol . 34
7.5.1 DST usage . 34
7.5.2 SAML-DST . 35
7.6 User Profile Schema . 35
8 Conclusion . 35
Annex A (informative): Authors and contributors . 36
History . 37

Intellectual Property Rights
IPRs essential or potentially essential to the present document may have been declared to ETSI. The information
pertaining to these essential IPRs, if any, is publicly available for ETSI members and non-members, and can be found
in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to ETSI in
respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the ETSI Web
server (http://webapp.etsi.org/IPR/home.asp).
Pursuant to the ETSI IPR Policy, no investigation, including IPR searches, has been carried out by ETSI. No guarantee
can be given as to the existence of other IPRs not referenced in ETSI SR 000 314 (or the updates on the ETSI Web
server) which are, or may be, or may become, essential to the present document.
Foreword
This Group Specification (GS) has been produced by the ETSI Industry Specification Group (ISG) Identity and access
management for Networks and Services (INS).
1 Scope
The present document analyses the telecommunication operator's role acting as Identity Broker to facilitate the anchor
functionalities for the management of distributed user profile information, which is currently handled in an ad-hoc or
proprietary way without a standardized approach. The present document also defines the protocol specifying the procedure to
access the user profile information via the Identity Broker, the extensible user profile data model as core, and the user
profile data model for the telecommunication area, to be standardized.
2 References
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
reference document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found at
http://docbox.etsi.org/Reference.
NOTE: While any hyperlinks included in this clause were valid at the time of publication ETSI cannot guarantee
their long term validity.
2.1 Normative references
The following referenced documents are necessary for the application of the present document.
[1] Liberty Alliance Data Services Template v2.1.
NOTE: Available at http://www.projectliberty.org/liberty/content/download/879/6213/file/liberty-idwsf-dst-v2.1.pdf.
[2] OASIS Security Services (SAML) TC.
NOTE: Available at http://www.oasis-open.org/committees/security/.
2.2 Informative references
The following referenced documents are not necessary for the application of the present document but they assist the
user with regard to a particular subject area.
[i.1] ETSI TR 122 985: "Universal Mobile Telecommunications System (UMTS); Service requirements
for the User Data Convergence (UDC) (3GPP TR 22.985)".
[i.2] ETSI TS 123 335: "Universal Mobile Telecommunications System (UMTS); LTE; User Data
Convergence (UDC); Technical realization and information flows; Stage 2 (3GPP TS 23.335)".
[i.3] ETSI TS 129 240 (V8.0.0): "Universal Mobile Telecommunications System (UMTS); LTE;
3GPP Generic User Profile (GUP); Stage 3; Network (3GPP TS 29.240 version 8.0.0 Release 8)".
[i.4] ETSI TS 129 335: "Digital cellular telecommunications system (Phase 2+); Universal Mobile
Telecommunications System (UMTS); LTE; User Data Convergence (UDC); User data repository
access protocol over the Ud interface; Stage 3 (3GPP TS 29.335)".
[i.5] Liberty ID-WSF Web Services Framework Overview.
NOTE: Available at http://www.projectliberty.org/liberty/content/download/889/6243/file/liberty-idwsf-overview-v2.0.pdf.
[i.6] OpenID.
NOTE: Available at http://openid.net/.
[i.7] Open Mobile Alliance.
NOTE: Available at http://www.openmobilealliance.org/.
[i.8] Open Mobile Alliance™, OMA-ERP-GSSM-V1-0: "OMA General Service Subscription
Management".
NOTE: Available at http://www.openmobilealliance.org/.
[i.9] Open Mobile Alliance™, OMA-RD-SUPM-V1-0: "Service User Profile Management
Architecture".
NOTE: Available at http://www.openmobilealliance.org/.
[i.10] Open Mobile Alliance™, OMA-ERP-NGSI-V1_0: "OMA Next Generation Service Interfaces".
NOTE: Available at http://www.openmobilealliance.org/.
[i.11] ETSI EG 202 325 (V1.1.1): "Human Factors (HF); User Profile Management".
[i.12] ETSI ES 202 746 (V1.1.1): "Human Factors (HF); Personalization and User Profile Management;
User Profile Preferences and Information".
[i.13] ETSI TS 102 747 (V1.1.1): "Human Factors (HF); Personalization and User Profile Management;
Architectural Framework".
[i.14] Schema for Open ID Exchange (AX Schema).
NOTE: Available at http://www.axschema.org/.
[i.15] Organization for the Advancement of Structured Information Standards.
NOTE: Available at http://www.oasis-open.org/.
[i.16] ETSI GS INS 002: "Identity and Access Management for Networks and Services; Distributed
Access Control for Telecommunications; Use Cases and Requirements".
[i.17] ETSI GS INS 001: "Identity and access management for Networks and Services; IdM
Interoperability between Operators or ISPs with Enterprise".
3 Definitions and abbreviations
3.1 Definitions
For the purposes of the present document, the following terms and definitions apply:
circle of trust: federation of service providers and identity providers that have business relationships based on Liberty
(or similar) architecture, and operational agreements, with whom users can transact business in a secure and seamless
environment
identity broker: Service Provider that receives requests for Identity information from another Service Provider and
subsequently requests that information from other Provider(s)
NOTE: The Identity Broker aggregates the data and responds to the originating Service Provider.
3.2 Abbreviations
For the purposes of the present document, the following abbreviations apply:
AX Attribute Exchange
CRUD Create Read Update and Delete
DST Data Services Template
FE Front Ends
GSSM General Service Subscription Management
GUP Generic User Profile
HLR Home Location Register
HSS Home Subscriber Server
IdP Identity Provider
ID-WSF Identity Web Services Framework
NGSI Next Generation Service Interface
OASIS Organisation for the Advancement of Structured Information Standards
OMA Open Mobile Alliance
OSS Operation Support System
RAF Repository Access Function
SAML Security Assertion Markup Language
SOAP Simple Object Access Protocol
SUPM Service User Profile Management
UDC User Data Convergence
UDR User Data Repository
UML Unified Modeling Language
VOD Video-On-Demand
XML Extensible Markup Language
4 User Profile Management in Cross-Domain Cases
Today, user profile information is stored, managed and used at different service providers in a fully distributed way.
An application service provider needs to retrieve the profiles of a user from different attribute providers in order to offer
personalized services to that user. At the same time, users want to manage their distributed profiles in an easy yet privacy
protected way. To fulfil these requirements, an anchor point is needed through which users and service providers can access
all the user profile information, and this anchor point must be sufficiently trusted both by users and by
application service providers.
Involving a trusted Identity Provider as this anchor point is a straightforward approach to distributed user profile
management. User profile information is already maintained at the Identity Provider as attributes, and standards
for the attribute exchange mechanism already exist; these should be extendable to the fully distributed user profile
cases.
These trusted Identity Providers are considered to be telecommunication operators. Many telecommunication
operators already serve as Identity Providers, have a trust relationship with their users, and have a secure network
infrastructure, which provides a secure and privacy protected way of accessing data, both technically and socially; they are thus
considered suitable as the anchor point of distributed user profile management.
Thus, this work item proposes the study and standardization of distributed user profile management by extending
the Identity Provider, where the Identity Provider is considered to be a telecommunication operator, taking both the business
and technical aspects into consideration.
This clause provides the overview of the existing standard works relevant to the distributed user profile management,
identifies the problems/missing points to realize the distributed user profile management in cross-domain cases and
proposes the approach to address those points.
4.1 Current Landscape
4.1.1 OASIS SAML
SAML [2] is an XML-based framework for communicating user authentication, authorisation, and attribute information
developed by the Organization for the Advancement of Structured Information Standards (OASIS) [i.15]. SAML allows
business entities to make assertions regarding the identity, attributes, and entitlements of a subject (an entity that is
often a human user) to other entities, such as a partner company or another enterprise application. Thus, SAML can be
considered as the transport protocol standard for federated identity management. SAML supports federation in multiple
ways and focuses on the mapping of attributes into a uniform namespace and the secure, reliable transport of assertions.
SAML is defined in terms of assertions, protocols, bindings, and profiles.
An assertion is a package of information that supplies one or more statements made by a SAML authority. The
protocols define the procedures to request assertions, authentication, identifier registration/de-registration and
mappings, and logout. The bindings describe the integration of SAML into HTTP or SOAP. The profiles define
constraints and extensions in support of the usage of SAML for a particular application.
The SAML protocol allows different identity management solutions to communicate with each other, providing
platform neutrality, loose coupling of directories and linking of identities with respect to the user's privacy. It provides
communication mechanisms required for single sign-on with distributed identity data, including user profile. The user
can be authenticated by its identity provider, while the authorisation of his login takes place at the service provider.
SAML assertions are usually transferred from identity providers to service providers. Assertions contain statements that
service providers use to make access control decisions. Three types of statements are provided by SAML:
• authentication statements;
• attribute statements; and
• authorisation decision statements.
Authentication statements assert to the service provider that the principal did indeed authenticate with the identity
provider at a particular time using a particular method of authentication. The authentication context may be disclosed in
an authentication statement. An attribute statement asserts that a subject is associated with certain attributes to be used
for access control decisions by the service provider. An authorisation decision statement asserts that a subject is
permitted to perform an action on a certain resource.
Figure 1: Overview of SAML framework
(Figure text: a Requestor sends a SAML request to a SAML Authority (Issuer), which returns a SAML Response
carrying a SAML Assertion. The assertion holds an Authentication Statement from an Authentication Authority,
an Attribute Statement from an Attribute Authority, and an Authorization Decision Statement from a Policy Decision
Point, which is consumed by a Policy Enforcement Point.)
By definition, SAML can be used for exchanging attribute information and can be used as a base protocol for
exchanging distributed user profile data among entities.
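As an added example (not code from ETSI GS INS 003 or from OASIS), the following Python parses a constructed SAML 2.0 assertion carrying the three statement types described above and applies the Conditions checks a service provider must perform before using them; the assertion carries no XML signature, and verifying the XML-DSig is a prerequisite this example does not cover. The issuer, audience and attribute names are made up for the example.

```python
"""Classify the statements in a SAML 2.0 assertion and check its Conditions.

Added example; not code from ETSI GS INS 003 or OASIS. The assertion is a
constructed sample and is unsigned: a real service provider verifies the
XML-DSig over the assertion before trusting any statement in it.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed_1" Version="2.0" IssueInstant="2010-11-01T10:00:00Z">
  <saml:Issuer>https://idp.operator.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-42</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2010-11-01T09:55:00Z" NotOnOrAfter="2010-11-01T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://shop.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2010-11-01T09:59:30Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:example:profile:city">
      <saml:AttributeValue>Sophia Antipolis</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
  <saml:AuthzDecisionStatement Resource="https://shop.example/vod/123" Decision="Permit">
    <saml:Action>read</saml:Action>
  </saml:AuthzDecisionStatement>
</saml:Assertion>
"""


def _ts(value):
    """Parse the UTC timestamp form used in SAML (YYYY-MM-DDThh:mm:ssZ)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_statements(assertion_xml):
    """Return issuer, subject and the three statement kinds the text describes."""
    root = ET.fromstring(assertion_xml)
    result = {"issuer": root.findtext("saml:Issuer", namespaces=NS),
              "subject": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
              "authn": [], "attributes": {}, "authz": []}
    for st in root.findall("saml:AuthnStatement", NS):          # who authenticated, when, how
        result["authn"].append({
            "instant": st.get("AuthnInstant"),
            "context": st.findtext("saml:AuthnContext/saml:AuthnContextClassRef", namespaces=NS)})
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):   # profile data
        result["attributes"][attr.get("Name")] = [
            v.text for v in attr.findall("saml:AttributeValue", NS)]
    for st in root.findall("saml:AuthzDecisionStatement", NS):  # (resource, decision, actions)
        result["authz"].append((st.get("Resource"), st.get("Decision"),
                                [a.text for a in st.findall("saml:Action", NS)]))
    return result


def check_conditions(assertion_xml, my_entity_id, now):
    """Return the reasons to reject the assertion at time `now` (a datetime or a
    SAML timestamp string); an empty list means the Conditions are satisfied."""
    if isinstance(now, str):
        now = _ts(now)
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return ["no Conditions element"]
    problems = []
    if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
        problems.append("assertion not yet valid")
    if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
        problems.append("assertion expired")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if audiences and my_entity_id not in audiences:       # assertion meant for someone else
        problems.append("audience mismatch")
    return problems
```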
4.1.2 Liberty Alliance ID-WSF and DST
Liberty ID-WSF Web Services Framework [i.5] defines a framework for identity-based web services in a federated
network identity environment, including attribute exchange mechanism. The ID-WSF Data Services Template [1]
provides the building blocks when implementing a data service on top of the ID-WSF.
The Data Services Template (DST) [1] is an XML-based protocol for the exchange and management of user
information that is distributed over several authorities. Additionally it provides mechanisms that allow a consumer of
user data to subscribe to changes of that data. The providing authority can then notify the consumer of such changes.
DST provides protocols for the creation, query, modification, and deletion (a.k.a. "CRUD") of data attributes, exposed
by a data service, related to a Principal. Some guidelines, common XML attributes and data types are defined for data
services.
A data service is a web service that supports the storage and update of specific data attributes regarding a Principal. A
data service might also expose dynamic data attributes regarding a Principal. Those dynamic attributes may not be
stored by an external entity, but the service knows or can dynamically generate their values. An example of a data
service would be a service that hosts and exposes a Principal's profile information (such as name, address and phone
number). An example of a data service exposing dynamic attributes is a geolocation service.
DST is intended to be used as a template, supporting different services through the extensions each individual service needs.
Data services based on the template can also support other protocols in order to provide other features, such
as supporting actions (e.g. making reservations).
Figure 1a: DST structure in UML class diagram
(Figure text: class diagram of liberty-idwsf-dst-ref-v2.1. The request elements Create, Query, Modify and Delete
extend RequestType and carry CreateItem, QueryItem, ModifyItem and DeleteItem elements together with Select,
Sort, NewData, ItemData/Data, TestItem and ResultQuery; the response elements CreateResponse, QueryResponse,
ModifyResponse and DeleteResponse extend ResponseType and may carry TestResult. Attribute groups shown:
dst:CreateItemAttributeGroup, dst:ModifyItemAttributeGroup, dst:ItemDataAttributeGroup,
dst:PaginationAttributeGroup and dst:PaginationResponseAttributeGroup.)
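As an added example (not code from ETSI GS INS 003 or the Liberty Alliance), the following Python sketches a DST-style data service answering Query and Modify requests for one Principal's profile. The message shapes follow the DST template shown above; the namespace URI, the profile content, the per-consumer consent table and the OK/Partial/Failed status values are constructed for this example rather than taken from any real data service schema.

```python
"""Minimal DST-style data service: Query and Modify on one Principal's profile.

Added example, not code from ETSI GS INS 003 or the Liberty Alliance: the message
shapes follow the DST template, while the namespace URI, the profile, the consent
table and the OK/Partial/Failed status values are constructed for this example.
"""
import copy
import xml.etree.ElementTree as ET

DS = "urn:example:dst-demo"                      # constructed service namespace
NS = {"ds": DS}
ET.register_namespace("ds", DS)


def q(tag):
    """Clark-notation name for a tag in the service namespace."""
    return f"{{{DS}}}{tag}"

# Constructed profile held by the data service for one Principal.
PROFILE = ET.fromstring(
    f'<ds:Profile xmlns:ds="{DS}"><ds:CommonName>Alice Example</ds:CommonName>'
    "<ds:Address><ds:City>Sophia Antipolis</ds:City></ds:Address>"
    "<ds:Msisdn>+33000000000</ds:Msisdn></ds:Profile>"
)

# Constructed consent table: the exact Select strings each consumer may read or
# write. Exact matching means no path trick reaches data the user did not release.
CONSENT = {
    "shop.example": {"read": {"ds:CommonName", "ds:Address/ds:City"}, "write": set()},
    "portal.example": {"read": {"ds:CommonName", "ds:Address/ds:City", "ds:Msisdn"},
                       "write": {"ds:Address/ds:City"}},
}

# Constructed request messages.
QUERY = f'''<ds:Query xmlns:ds="{DS}">
  <ds:QueryItem itemID="name"><ds:Select>ds:CommonName</ds:Select></ds:QueryItem>
  <ds:QueryItem itemID="city"><ds:Select>ds:Address/ds:City</ds:Select></ds:QueryItem>
  <ds:QueryItem itemID="msisdn"><ds:Select>ds:Msisdn</ds:Select></ds:QueryItem>
</ds:Query>'''
MODIFY = f'''<ds:Modify xmlns:ds="{DS}">
  <ds:ModifyItem><ds:Select>ds:Address/ds:City</ds:Select>
    <ds:NewData><ds:City>Nice</ds:City></ds:NewData></ds:ModifyItem>
</ds:Modify>'''


def _allowed(consumer, op, select):
    return select in CONSENT.get(consumer, {}).get(op, set())


def _status(codes):
    """OK if every item succeeded, Partial if some did, otherwise Failed."""
    if all(c == "OK" for c in codes):
        return "OK"
    return "Partial" if any(c == "OK" for c in codes) else "Failed"


def handle_query(consumer, query_xml):
    """Answer a Query. Returns (response XML, {itemIDRef: [text values]})."""
    req = ET.fromstring(query_xml)
    resp = ET.Element(q("QueryResponse"))
    status = ET.SubElement(resp, q("Status"))        # Status is the first child
    codes, items = [], {}
    for item in req.findall("ds:QueryItem", NS):
        select = item.findtext("ds:Select", default="", namespaces=NS)
        if not _allowed(consumer, "read", select):
            codes.append("Failed")                    # refused items get no Data element
            continue
        hits = PROFILE.findall(select, NS)
        data = ET.SubElement(resp, q("Data"), itemIDRef=item.get("itemID"))
        data.extend(copy.deepcopy(n) for n in hits)
        items[item.get("itemID")] = ["".join(n.itertext()).strip() for n in hits]
        codes.append("OK")
    status.set("code", _status(codes))
    return ET.tostring(resp, encoding="unicode"), items


def handle_modify(consumer, modify_xml):
    """Apply a Modify: each ModifyItem replaces the selected node with the NewData
    child of the same name. Returns (response XML, per-item status codes)."""
    req = ET.fromstring(modify_xml)
    resp = ET.Element(q("ModifyResponse"))
    status = ET.SubElement(resp, q("Status"))
    codes = []
    for item in req.findall("ds:ModifyItem", NS):
        select = item.findtext("ds:Select", default="", namespaces=NS)
        new = item.find("ds:NewData", NS)
        if not _allowed(consumer, "write", select) or new is None or len(new) != 1:
            codes.append("Failed")                    # no consent or malformed NewData
            continue
        parent_path, _, leaf = select.rpartition("/")
        parent = PROFILE.find(parent_path, NS) if parent_path else PROFILE
        old = parent.find(leaf, NS) if parent is not None else None
        if old is None or new[0].tag != q(leaf.split(":")[-1]):
            codes.append("Failed")                    # nothing to replace, or wrong element
            continue
        parent.remove(old)
        parent.append(copy.deepcopy(new[0]))
        codes.append("OK")
    status.set("code", _status(codes))
    return ET.tostring(resp, encoding="unicode"), codes
```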
4.1.3 OpenID Attribute Exchange
OpenID [i.6] is a user centric identity management solution. It allows a user to authenticate to a website using a URL.
The relying party, i.e. the site the user authenticates to, queries the asserting party for an authentication. The asserting
party is the Identity Provider that can provide a proof of authentication for the user.
The main advantage of OpenID is to allow a user to use a single password for multiple sites. It is light-weight and easy
to implement. It neither provides single-sign-on nor does it allow the usage of privacy-enhancing techniques such as
pseudonyms.
While OpenID deals primarily with the authentication of the user, an extension to support Attribute Exchange (AX) was
made part of the core specification in OpenID 2.0. This extension defines the information model, discovery and message
exchange for AX on top of OpenID. The protocol follows the same steps as the OpenID base exchange and is
usually combined in a single run of the protocol, where both the attribute exchange and the authentication step are completed
simultaneously.
Since the base protocol does not specify a data schema to be used with OpenID AX, a community initiative called AX
Schema [i.14] has made a base schema which is widely used with OpenID AX.
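As an added example (not code from ETSI GS INS 003 or the OpenID community), the following Python builds an OpenID AX 1.0 fetch_request using AX Schema type URIs and consumes a constructed fetch_response; parameter names follow OpenID AX 1.0, the OP response is made up, and verification of openid.sig is assumed to have been done by the OpenID 2.0 layer before this code runs.

```python
"""Build an OpenID AX 1.0 fetch_request and consume a fetch_response.

Added example, not code from ETSI GS INS 003 or the OpenID community. Parameter
names follow OpenID AX 1.0 and the type URIs are AX Schema ones; the OP response
below is constructed. Verifying openid.sig is part of OpenID 2.0 itself and is
assumed done beforehand; what this adds is the relying-party check that every
attribute it accepts was requested, is keyed by type URI rather than alias, and
is covered by the signed field list in openid.signed.
"""
AX_NS = "http://openid.net/srv/ax/1.0"


def build_fetch_request(required, if_available):
    """Both arguments map alias -> AX type URI."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for alias, uri in {**required, **if_available}.items():
        params[f"openid.ax.type.{alias}"] = uri
    if required:
        params["openid.ax.required"] = ",".join(required)
    if if_available:
        params["openid.ax.if_available"] = ",".join(if_available)
    return params


def _signed(params, *keys):
    """True if every given openid.* key is listed in openid.signed (names there drop the prefix)."""
    signed = set(params.get("openid.signed", "").split(","))
    return all(k[len("openid."):] in signed for k in keys)


def parse_fetch_response(params, request):
    """Return {"attributes": {type URI: [values]}, "missing": [required type URIs not accepted]}."""
    if params.get("openid.ns.ax") != AX_NS or params.get("openid.ax.mode") != "fetch_response":
        raise ValueError("not an AX fetch_response")
    attributes = {}
    if _signed(params, "openid.ns.ax", "openid.ax.mode"):
        wanted = {v for k, v in request.items() if k.startswith("openid.ax.type.")}
        for key, uri in params.items():
            if not key.startswith("openid.ax.type.") or uri not in wanted:
                continue                              # not a type declaration, or unsolicited
            alias = key[len("openid.ax.type."):]
            count_key = f"openid.ax.count.{alias}"
            if count_key in params:                   # multi-valued form
                value_keys = [f"openid.ax.value.{alias}.{i}"
                              for i in range(1, int(params[count_key]) + 1)]
                needed = [key, count_key] + value_keys
            else:
                value_keys = [f"openid.ax.value.{alias}"]
                needed = [key] + value_keys
            if not value_keys or any(k not in params for k in value_keys):
                continue                              # declared but no value supplied
            if not _signed(params, *needed):
                continue                              # unsigned parameters are not trusted
            attributes[uri] = [params[k] for k in value_keys]
    missing = [request[f"openid.ax.type.{a}"]
               for a in request.get("openid.ax.required", "").split(",")
               if a and request[f"openid.ax.type.{a}"] not in attributes]
    return {"attributes": attributes, "missing": missing}


# Constructed relying-party request and OP response (openid.sig omitted, see above).
REQUEST = build_fetch_request(
    {"email": "http://axschema.org/contact/email"},
    {"fullname": "http://axschema.org/namePerson",
     "phone": "http://axschema.org/contact/phone/default"})

SAMPLE_RESPONSE = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.ns.ax": AX_NS,
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.mail": "http://axschema.org/contact/email",     # OP picked its own alias
    "openid.ax.value.mail": "alice@example.net",
    "openid.ax.type.tel": "http://axschema.org/contact/phone/default",
    "openid.ax.count.tel": "2",
    "openid.ax.value.tel.1": "+33000000001",
    "openid.ax.value.tel.2": "+33000000002",
    "openid.ax.type.name": "http://axschema.org/namePerson",
    "openid.ax.value.name": "Alice Example",                         # not signed: dropped
    "openid.ax.type.dob": "http://axschema.org/birthDate",
    "openid.ax.value.dob": "1980-01-01",                             # unsolicited: dropped
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle,"
                     "ns.ax,ax.mode,ax.type.mail,ax.value.mail,ax.type.tel,ax.count.tel,"
                     "ax.value.tel.1,ax.value.tel.2,ax.type.dob,ax.value.dob",
}
```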
4.1.4 3GPP GUP and UDC
4.1.4.1 Generic User Profile
The 3GPP Generic User Profile (GUP) [i.3] provides a conceptual description to enable a harmonized usage of user-
related information located in different entities and normally accessed through a variety of protocols. In short, GUP
provides a virtual, centralized, user database. GUP defines architecture, data description and interfaces along with
mechanisms to handle the data and is currently aligned with Liberty Alliance specifications.
4.1.4.1.1 General Architecture
Generally speaking GUP was defined by 3GPP to manage the user-centric data repository architecture. GUP's
architecture provides data description and interfaces with mechanisms to handle user's data. GUP architecture is
presented in Figure 2. The components of the architecture are described in the following clauses.

Figure 2: GUP Reference Architecture
4.1.4.1.2 GUP Server
GUP Server contains the metadata that holds the knowledge of the location of the data components and the different
data repositories. It also acts as a gatekeeper by authorizing or denying access to profile data. The GUP server either
operates in proxy mode (collects the requested data and provides it to the requestor), or in redirect mode (provides the
addresses of the respective data repositories to the requestor). It acts therefore as a data "federator" and offers a single
point of entry to the Operation Support System (OSS).
The user-centric data repository architecture may offer operators the possibility of facilitating the operations,
administration and maintenance of the network. This is achieved through:
• Single point of access to the user profile data of the operator's network.
• The architecture's applicability to all carriers: fixed, mobile, wireless and converged.
• Harmonized access interface.
• Authentication and Authorization of profile access.
• Privacy control.
• Synchronization of data storage.
• Access profile from visited networks.
• Location of profile components.
• Charging for profile access.
The requests from the operator or from a 3rd party application through the Rg interface can be authenticated in two
different schemes. The authentication can be done either by a separate (trusted) entity or based on the identification
(e.g. IMS Public Identity) of the requesting application and/or of the possible subscriber requesting the user profile data.
4.1.4.1.3 Repository Access Function (RAF)
The Repository Access Function (RAF) works as an abstraction that hides the implementation detail of the repositories
where the user's profile is stored. It performs protocol and data transformation where needed between the repositories
and the GUP. It could also take part in the authorization process regarding the data in the corresponding GUP data
repository. Examples of a GUP data repository are the HSS (Home Subscriber Server) or the HLR (Home Location
Register).
4.1.4.1.4 Applications
GUP architecture provides support for both operator and 3rd party applications. The operator can access RAF
elements directly using the Rp interface. By using the Rg interface, applications have a single point of contact to retrieve a user's profile
information.
Figure 3: Example of the Mapping of GUP Architecture
4.1.4.2 3GPP User Data Convergence
User Data Convergence appears as a means to converge user profile data within the scope of 3GPP subscriber data [i.1],
[i.2] and [i.4]. It defines a middleware approach between the actual databases and the Application Front Ends which
make use of this data. It defines the protocol to be used for user subscriber data between the UDR, which abstracts the
data storage, and the Application Front Ends, which relate to the consumers and providers of this data.
Figure 4: UDC reference architecture
(Figure text: UE, Core Network, Service Layer & OSS reach the Application Front Ends of the UDC over UE reference
points (e.g. OMA DM based), SIP based reference points (e.g. S14, Ut), Diameter based reference points (e.g. Cx, Sh,
S6a/S6d), MAP based reference points (e.g. C, D, Gr) and other reference points; the Application Front Ends access the
UDR over the Ud interface.)
4.1.4.2.1 Entities
4.1.4.2.1.1 Application Front End
Application Front Ends (FE) keep the application logic related to the data stored in UDC. The usual operations
performed by, for example, an HSS are now performed in an Application Front End with HSS functionality. The data is
first retrieved from the UDR and then processed here.
FEs may also provide interfaces to services or applications outside of the UDC scope.
4.1.4.2.1.2 Provisioning Front End
Similar to the previous case, the creation, update or removal of user data and/or subscriptions may also come from
outside UDC. In this case, a Provisioning Front End is a kind of FE which can create, delete, modify and retrieve user
data.
Provisioning may be associated to an application/implementation and may comprise semantic control specific to this
application. It may correspond to different types of provisioning FEs corresponding to different applications logics.
4.1.4.2.1.3 User Data Repository
The User Data Repository (UDR) is a functional entity that acts as a single logical repository of user data and is unique
from Application Front End's perspective. Entities which do not store user data and that need to access user data stored
in the UDR are collectively known as application front ends.
The UDR functional entity may be distributed over different locations or be centralized; it may support replication
mechanisms, back up functions and geographical redundancy to secure the storage of data.
4.1.4.2.2 Message Types
UDC defines 6 message types in an interface usually referred to as Ud:
• Querying data from the UDR.
• Creating data within the UDR.
• Deleting data from the UDR.
• Updating data within the UDR.
• Subscription to Notifications.
• Notification of data modification.
4.1.5 OMA GSSM, SUPM, NGSI
The Open Mobile Alliance (OMA) is an international organization developing technical specifications for global
adoption of multimedia data services over the telecommunication network; it originally targeted the mobile
network but has evolved to target the fixed network as well [i.7]. In OMA, there are several activities which are relevant
to distributed user profile management. Originally, GSSM (General Service Subscription Management) defines an
architecture and protocols for accessing user relevant data via GSSM, and SUPM (Service User Profile Management)
defines the data schema conveyed over GSSM, while SUPM also defines protocols to fulfil new
requirements. NGSI (Next Generation Service Interface) offers an application interface for enhanced
communication and also considers identity management.
As its name indicates, GSSM focuses more on the aspect of subscription data and provides the functionalities for
service subscription handling, service subscription validation, and service subscription notification and
confirmation [i.8]. As the user profile can be considered part of the subscription data, this mechanism can be used for user
profile management as well.
SUPM focuses on the data aspects of the user profile and provides a data model for a converged view [i.9]. SUPM is an
ongoing activity and the drafting of the architecture has just started. It may use GSSM as an underlying infrastructure,
but it may also define a specific interface for it.
NGSI targets application interfaces to access network capabilities as well as to enhance existing communications,
including Identity Control as one of the key functionalities [i.10]. NGSI version 1.0 provides specific functionalities to
manage the Identifiers and Pseudonyms used to address a given Identity, usually a user, in the network operator
domain. This identifier could be used to access further information regarding this user. Different identifiers could be
used at services or towards other users; the functionality for resolving the identifiers is provided by NGSI and is
controlled through policies specified by the user.
While the OMA work provides technologies for manipulating user relevant data stored at different places, it is still defined
to handle user relevant data inside a single network operator. Other cases are not excluded, but cross domain cases are
not explicitly defined.
4.1.6 ETSI STF 342
The Personalization and User Profile Management Standardization Specialist Task Force 342 has produced standards
that are necessary for the understanding of the user's preferences to offer an expected user experience. The STF 342 has
produced two ETSI deliverables as follows:
• Deliverable on standardized objects: ES 202 746 [i.12] is an ETSI Standard (ES) on standardized objects
(including settings, values and operations) related to personalization and user profile management, a rule
definition language for defining automatic activation of profiles and a common terminology. This deliverable
will describe objects related to a range of services and devices with the goal to suit all users' needs including
disabled, young and elderly people. The intended readers of this deliverable are service developers and device
manufacturers who wish to develop services and devices that can be personalized by their customers, as
defined by the user profile management concept described in EG 202 325 [i.11].
• Architectural framework: TS 102 747 [i.13] is a Technical Specification (TS) on issues related to networks,
terminals and SmartCards. The intended readers of this deliverable are profile providers, telecom companies
and device manufacturers who will implement and provide the underlying infrastructure and architecture of
network and devices necessary to achieve the user profile management concept described in
EG 202 325 [i.11].
4.2 Problem Statement
As described in clause 4.1, there are relevant technologies for exchanging user profiles that are stored in a distributed way.
OASIS SAML and Liberty DST define the standard mechanisms to exchange the information, and they are used as the
underlying technologies of some of the 3GPP and OMA attempts to have a standardized mechanism for managing
distributed user profiles. Those mechanisms provide the concept of a single access point. However, the existing attempts are
mainly t
...
