Patents by Inventor David Castellanos-Zamora
David Castellanos-Zamora has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).
-
Publication number: 20240357355
Abstract: Systems and methods for enabling Authentication and Key Management for Applications (AKMA) key diversity for multiple applications are disclosed herein. In one embodiment, an AKMA client of a wireless device determines a root key (KAKMA) and an AKMA key identifier (A-KID) based on primary authentication with a telecommunications network. The AKMA client receives an application identifier (APP-ID) and an application function (AF) identifier (AF-ID) from an application of the wireless device. The AKMA client verifies APP-ID, and verifies that the application is entitled to use AF-ID. If successful, an application key (KAPP) is derived based on KAKMA, AF-ID, and APP-ID. Optionally, the AKMA client encrypts APP-ID and outputs A-KID, KAPP, and the encrypted APP-ID to the application, and the application sends a session establishment request to an AF, the session establishment request comprising A-KID and the encrypted APP-ID.
Type: Application
Filed: August 9, 2022
Publication date: October 24, 2024
Inventors: Ferhat Karakoc, Cheng Wang, David CASTELLANOS ZAMORA, Vlasios Tsiatsis
-
Publication number: 20240305699
Abstract: There is provided a method for handling a first response to a first service request. The method is performed by a first service communication proxy (SCR) node that is configured to operate as an SCR between a first network function (NF) node of a service consumer and one or more groups of second NF nodes of one or more service producers. In response to receiving the first response to the first service request, transmission of a second response to the first service request is initiated (102) towards the first NF node. The first service request is a request for a first service, requested by the first NF node, to be provided. The first response is received from a second NF node that is selected to provide the first service and the second response comprises information indicative of which group of the one or more groups comprises the second NF node.
Type: Application
Filed: December 10, 2021
Publication date: September 12, 2024
Inventors: Maria Cruz Bartolome Rodrigo, David Castellanos Zamora, Jose Miguel Dopico Sanjuan
-
Patent number: 12075345
Abstract: Embodiments described herein relate to methods and apparatuses for registering one or more services that a producer network function is capable of providing at a network repository function and allowing for the access of those services by consumer network functions. A method in a producer network function comprises transmitting a registration request to the NRF, wherein the registration request comprises registration information comprising: an indication of the one or more services; and an indication of resources and operations associated with each resource of the one or more services that are allowed per network function consumer type.
Type: Grant
Filed: June 12, 2020
Date of Patent: August 27, 2024
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: David Castellanos Zamora, Emiliano Merino Vazquez, Cristina Ruiz Balmaseda, Jesus Angel De Gregorio Rodriguez
-
Patent number: 12075253
Abstract: There are provided mechanisms for attachment of a wireless device to an MNO. A method is performed by the wireless device. The method comprises providing an authorization token to an AMF node of the MNO in conjunction with authenticating with the AMF node. The method comprises completing attachment to the MNO upon successful validation of the authorization token by the AMF node.
Type: Grant
Filed: January 26, 2017
Date of Patent: August 27, 2024
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Maria Esther Bas Sanchez, David Castellanos Zamora, Peter Hedman, Christine Jost, Monica Wifvesson
-
Publication number: 20240276217
Abstract: A method for a user equipment (UE) configured to communicate with an application function (AF) via a communication network is provided. The method comprises sending, to the AF, an application service request including: a second identifier (GPSI) specific to one or more applications, including an application associated with the UE and the AF; and information (app-info) associated with the second identifier and descriptive of the one or more applications. The method further comprises authenticating the AF based on an application-specific key (KAF) derived from a security key (KAKMA) associated with the UE; and receiving, from the AF, an application service response indicating whether the second identifier (GPSI) matches a corresponding second identifier (GPSI*) derived from the information associated with the second identifier.
Type: Application
Filed: April 8, 2022
Publication date: August 15, 2024
Inventors: Cheng Wang, Ferhat Karakoc, Christine Jost, Vlasios Tsiatsis, David CASTELLANOS ZAMORA, Wenliang Xu
-
Publication number: 20240244435
Abstract: An authentication server (10A) is configured for use in a home network (10H) of a wireless device (12). The authentication server (10A) generates expected integrity protection data for checking an integrity of a set of one or more information fields (22) contained in a transparent container (20) that acknowledges successful reception by the wireless device (12) of device configuration data (14) from the home network (10H). The authentication server (10A) checks, or assists a core network node (16H) in the home network (10H) to check, the integrity of the set of one or more information fields (22) using the expected integrity protection data.
Type: Application
Filed: April 14, 2022
Publication date: July 18, 2024
Inventors: Christine Jost, Noamen Ben Henda, David Castellanos Zamora, Peter Hedman, Ivo Sedlacek, Vlasios Tsiatsis, Monica Wifvesson
-
Publication number: 20240196355
Abstract: A method for an access and mobility management function (AMF) of a communication network is provided. The method comprises determining that a stored status for a user equipment (UE) of network-slice-specific authentication and authorization (NSSAA) with respect to a first network slice of the communication network indicates that a new NSSAA should be executed, wherein the first network slice is associated with a first identifier; and in response to a subsequent UE request to register with the communication network, sending the UE a registration accept that includes an indication that another NSSAA procedure with respect to the first network slice should be executed.
Type: Application
Filed: March 23, 2022
Publication date: June 13, 2024
Inventors: Jinyao Cao, David Castellanos Zamora, Jonas Yi
-
Patent number: 12010103
Abstract: A method performed by a first node implementing a first NF in a visited network (VPLMN) for communicating with a third node implementing a second NF in a home network (HPLMN) is provided. Embodiments include: determining that the third node should be communicated with; sending, towards a second node implementing a Security Edge Protection Proxy (SEPP) in the visited network, a request for a telescopic FQDN for the third node in the home network to be used by the first node in the visited network to communicate with the third node in the home network, which request comprises a FQDN of the third node in the home network; receiving, from the second node, a telescopic FQDN for the third node wherein the FQDN for the third node in the home network is flattened to a single label to be used by the first node to communicate with the third node.
Type: Grant
Filed: April 7, 2020
Date of Patent: June 11, 2024
Assignee: Telefonaktiebolaget LM Ericsson (publ)
Inventors: Jesus-Angel de-Gregorio-Rodriguez, David Castellanos Zamora, Juha Kujanen
-
Publication number: 20240171966
Abstract: A network node in a home network, HN, of a wireless device assigns a different priority to each of one or more parameter sets in a priority list. Each parameter set comprises one or more parameters used for calculating the subscription identifier. The network node provides the wireless device with the priority list to facilitate the calculation of the subscription identifier by the wireless device. The wireless device obtains the priority list, and calculates the subscription identifier using a null parameter set or one of the one or more parameter sets in the priority list selected responsive to the defined priorities. The wireless device then informs the HN of the subscription of the wireless device by sending the calculated subscription identifier to the network node.
Type: Application
Filed: January 23, 2024
Publication date: May 23, 2024
Inventors: Prajwol Kumar Nakarmi, David Castellanos Zamora, John Mattsson
-
Publication number: 20240121741
Abstract: The present disclosure provides methods for event subscription management in a network comprising a set of NF nodes, and corresponding NF nodes. The method implemented at a first NF node includes receiving a subscription request of an event for a user equipment, UE, from a third NF node; transmitting, to a second NF node that serves the UE, a subscription report request for the event for the UE; receiving, from a fourth NF node that currently serves the UE, a UE registration request for the UE, including an indication indicating whether the UE is in a restricted service area; and determining whether to transmit a notification for the event to the third NF node based on the UE registration request. The present disclosure further discloses a corresponding method implemented at the second NF node. The present disclosure further provides corresponding computer readable medium.
Type: Application
Filed: February 15, 2021
Publication date: April 11, 2024
Inventors: David Castellanos Zamora, Yunjie Lu, Jesús Ángel De Gregorio Rodriguez, Emiliano Merino Vazquez
-
Publication number: 20240121706
Abstract: Network equipment in a wireless communication network is configured to receive at least a portion of a subscription concealed identifier, SUCI, for a subscriber. The SUCI contains a concealed subscription permanent identifier, SUPI, for the subscriber. The received at least a portion of the SUCI indicates a sub-domain code, SDC. The SDC indicates a certain sub-domain, from among multiple sub-domains of a home network of the subscriber, to which the subscriber is assigned. The network equipment is also configured to determine, based on the SDC and from among multiple instances of a provider network function in the home network respectively allocated to provide a service to be consumed for subscribers assigned to different sub-domains, an instance of the provider network function to provide the service to be consumed for the subscriber.
Type: Application
Filed: October 17, 2023
Publication date: April 11, 2024
Inventors: Cheng Wang, David Castellanos Zamora, Prajwol Kumar Nakarmi, Vesa Torvinen
-
Publication number: 20240080664
Abstract: A method for an authentication server function, AUSF, of a communication network is provided. The method comprises sending a second authentication request comprising a first identifier associated with a user equipment, UE, or a second identifier associated with the UE, receiving a response to the second authentication request, and when the response comprises an authentication and key management for applications, AKMA, indicator: determining a first security key identifier based on a first field comprised in the response.
Type: Application
Filed: November 11, 2021
Publication date: March 7, 2024
Inventors: Cheng Wang, David CASTELLANOS ZAMORA, Vlasios Tsiatsis
-
Publication number: 20240056446
Abstract: The present disclosure provides methods, entities, and computer readable media for non-3GPP access authentication. The method (1600) at a protocol translation entity includes: receiving (S1601), from a Non-3GPP access point, an authentication request message of a first protocol type for a UE that includes an identity of the UE; translating (S1603) the authentication request message of the first protocol type to a corresponding authentication request message of a second protocol type; and transmitting (S1605), to an entity for authentication, the corresponding authentication request message of a second protocol type that includes the identity of the UE.
Type: Application
Filed: December 14, 2021
Publication date: February 15, 2024
Inventors: David CASTELLANOS ZAMORA, Daniel Nilsson, Stefan Rommer, Cheng Wang, Chunbo Wang
-
Patent number: 11895229
Abstract: A network node operates a Session Management Function (SMF) in a control plane of a core network of a wireless network. The network node authenticates a User Equipment (UE) with an Extensible Authentication Protocol (EAP) server in a secondary authentication process that uses the SMF as an EAP authenticator. The EAP server is outside of the core network and the UE is separately authenticated with a further network node in the control plane of the core network via a primary authentication process. Authenticating the UE in the secondary authentication process comprises exchanging EAP messages between the SMF and the UE and between the SMF and the EAP server. The SMF authorizes a data session between the UE and the external network through a user plane of the core network based on the UE having successfully authenticated via both the primary authentication process and the secondary authentication process.
Type: Grant
Filed: January 4, 2023
Date of Patent: February 6, 2024
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Noamen Ben Henda, David Castellanos Zamora, Vesa Torvinen
-
Patent number: 11889293
Abstract: A network node (500, 600) in a home network, HN, of a wireless device (10, 300, 400) assigns a different priority to each of one or more parameter sets in a priority list. Each parameter set comprises one or more parameters used for calculating the subscription identifier. The network node (500, 600) provides the wireless device (10, 300, 400) with the priority list to facilitate the calculation of the subscription identifier by the wireless device (10, 300, 400). The wireless device (10, 300, 400) obtains the priority list, and calculates the subscription identifier using a null parameter set or one of the one or more parameter sets in the priority list selected responsive to the defined priorities. The wireless device (10, 300, 400) then informs the HN of the subscription of the wireless device (10, 300, 400) by sending the calculated subscription identifier to the network node (500, 600).
Type: Grant
Filed: December 20, 2018
Date of Patent: January 30, 2024
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Prajwol Kumar Nakarmi, David Castellanos Zamora, John Mattsson
-
Publication number: 20240008103
Abstract: A UE is assigned a first server for session control of the session. The first IMS node sends a request to a subscriber server associated with the UE. The request requests assistance data for selecting a second server to be assigned to the UE for the session control. The first IMS node selects a second server to be assigned to the UE for session control, based on the requested assistance data. The first IMS node sends an invitation to the selected second server. The invitation includes an indication indicating that the selected second server is selected to replace the first server. The indication triggers the selected second server, to indicate to the subscriber server to register the address of the selected second server in the subscriber server, to replace the first server in being assigned to the UE for the session control.
Type: Application
Filed: March 3, 2021
Publication date: January 4, 2024
Inventors: Emiliano MERINO VAZQUEZ, Cristina RUIZ BALMASEDA, David CASTELLANOS ZAMORA, Jesus Angel DE GREGORIO RODRIGUEZ
-
Patent number: 11864098
Abstract: The present specification faces the issues of selecting a right 5G Network Function, NF, instance in scenarios wherein NF instances are considered NF segments that manage different sets of users and wherein NF segmentation is not based on SUPI ranges. To solve these issues, there is provided a new procedure for accessing an NF segment, wherein registration and discovery of the right NF segment is based on a Routing Indicator, and wherein the Routing Indicator, which is received with a Subscription Concealed Identifier (SUCI) identifying a UE, is included in any interaction between 5GC NFs.
Type: Grant
Filed: January 25, 2019
Date of Patent: January 2, 2024
Assignee: Telefonaktiebolaget LM Ericsson (Publ)
Inventors: David Castellanos Zamora, Jesus-Angel De-Gregorio-Rodriguez
-
Patent number: 11864091
Abstract: A method for discovering services in a telecommunication network provided by a network function, NF, in a Service Based Architecture, SBA, based telecommunication network, said method comprising the steps of receiving a discovery request, from a Network function, NF, consumer, for discovering an NF producer to interact with, wherein said discovery request comprises a Mobile Station International Subscriber Directory Number, MSISDN, associated with said NF consumer, transmitting to an address translate server, an address translate query, wherein said address translate query comprises said MSISDN, receiving an address translate response, wherein said address translate response comprises a Universal Resource Identifier, URI, and transmitting, to said NF, a discovery response, wherein said discovery response comprises an NF producer instance for interaction with said NF.
Type: Grant
Filed: December 3, 2018
Date of Patent: January 2, 2024
Assignee: TELEFONAKTIEBOLAGET LM ERICSSON (PUBL)
Inventors: Ralf Keller, David Castellanos Zamora, Jose Miguel Dopico Sanjuan
-
Publication number: 20230403554
Abstract: A method by an AUSF of a home PLMN configured to communicate through an interface with electronic devices is provided. A first authentication request is received from a first PLMN that is authenticating an electronic device. A first security key used for integrity protection of messages delivered from the home PLMN to the electronic device is obtained. A second authentication request is received from a second PLMN that is authenticating the electronic device. A second security key used for integrity protection of the messages delivered from the home PLMN to the electronic device is obtained. A message protection request is received. Which of the first security key and the second security key is a latest security key is determined. The latest security key is used to protect a message associated with the message protection request.
Type: Application
Filed: August 29, 2023
Publication date: December 14, 2023
Inventors: Noamen Ben Henda, David Castellanos ZAMORA, Monica Wifvesson, Vesa Lehtovirta
-
Publication number: 20230354007
Abstract: The present disclosure provides a method for a first network element in a communication network to perform service subscriptions for a UE. The method includes: in response to receiving a request comprising service subscription information for the UE from a second network element serving the UE and assisting in the service, cross referencing the service subscription information for the UE in the request with stored service subscription information for the UE for consistency; and in response to being not consistent, initiating updating of service subscriptions for the UE in the second network element according to the stored service subscription information for the UE. Corresponding devices, computer readable storage medium, carrier, etc. are also provided.
Type: Application
Filed: September 21, 2020
Publication date: November 2, 2023
Inventors: Miguel Angel GARCIA MARTIN, David CASTELLANOS ZAMORA, Emiliano MERINO VAZQUEZ, Pablo ACEVEDO MONTSERRAT, Juying GAN, Yunjie LU