ETSI MSS Mobile PKI - SSO
This document describes the overall architecture related to ETSI MSS.
ETSI MSS comprises the architectural components and dependency systems listed in the following table:
Component | DESCRIPTION |
|---|---|
SSO Server | The SSO server product against which the User authenticates |
Authentication Server (UAS) | A component of SSO server. Some configuration changes are applied specifically to this component or its files. |
Mobile PKI method (MPKI) | An SSO Server method that handles sending and receiving of ETSI MSS requests to MSSP. Conforms to ETSI TS 102 204 standard |
Security Assertion Markup Language Service Provider (SAML SP) | A SAML-based service provider configured to intercept authentication requests on behalf of a web application server |
Mobile Signature Service Provider (MSSP) | Mobile Phone Operator's service that supports sending SMS authentication requests and returning responses to SSO for verification. Conforms to ETSI TS 102 204 standard |
Web application | A web application integrated to SSO by using SAML SP. |
Mobile phone | User's mobile phone. |
Browser | User's compatible web browser. |
Basic Login Sequence
This section describes ETSI MSS login sequence in simple terms.
Figure 1 Presents a simplified ETSI MSS login sequence:
Figure 1 Simplified ETSI MSS login sequence |
The following steps describe the sequence presented in Figure 1.
User initiates authentication process using a web browser
SSO Server prompts for user's mobile phone number and an optional misuse prevention code, and sends the authentication request to a MSSP (mobile operator).
MSSP sends the request to User's mobile phone.
User signs the request and sends the signature back to the MSSP.
MSSP sends the signature with user's certificate back to SSO Server where the signature is verified.
Detailed Login Sequence Diagram
Figure 2 presents the login sequence in more detail:
Figure 2 Detailed login sequence |
Limitations
Here are listed the known limitations related to ETSI MSS.
Only asynchronous messaging mode is supported
The only supported signature profile is authentication
Refer to MSS FiCom Implementation guideline 2.2 for an explanation of the terms.