Generic Bootstrapping Architecture

User authentication is based on a shared secret: one copy is held in the smartcard (for example, a SIM card inside the mobile phone) and the other is on the HLR/HSS.

GBA authenticates by making a network component challenge the smartcard and verify that the answer is the one predicted by the HLR/HSS.

For example, it could be implemented on SimpleSAMLphp (http://rnd.feide.no/simplesamlphp) with 500 lines of PHP code, of which only a few tens of lines are Service Provider specific, making it really easy to port to another Web site.

This can be done either by setting up a pre-defined HSS to BSF or by querying the Subscriber Locator Function (SLF).

NAFs recover the session key from the BSF over the Zn interface [5], which also uses the Diameter Base Protocol.
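The challenge to the smartcard and the NAF's later retrieval of the session key, sketched as an added example that is not part of the original page or of any GBA implementation. HMAC-SHA256 stands in for the operator's real authentication functions, and every class, method and label name here (including the transaction identifier) is an assumption made for illustration.

```python
import hashlib
import hmac
import secrets

def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """Stand-in keyed function (assumption: HMAC-SHA256, not the real algorithm)."""
    return hmac.new(key, label + data, hashlib.sha256).digest()

class HSS:
    """Holds the network-side copy of each subscriber's shared secret."""
    def __init__(self):
        self.keys = {}  # subscriber id -> shared secret

    def auth_vector(self, subscriber: str):
        k = self.keys[subscriber]
        rand = secrets.token_bytes(16)  # fresh challenge per run, so answers cannot be replayed
        # (challenge, answer the HSS predicts, session key)
        return rand, prf(k, b"res", rand), prf(k, b"ks", rand)

class Smartcard:
    """Holds the subscriber-side copy; the secret itself never leaves the card."""
    def __init__(self, k: bytes):
        self._k = k
        self.ks = None  # session key derived from the last challenge

    def respond(self, rand: bytes) -> bytes:
        self.ks = prf(self._k, b"ks", rand)
        return prf(self._k, b"res", rand)

class BSF:
    """Network component that challenges the card and stores session keys."""
    def __init__(self, hss: HSS):
        self.hss = hss
        self.sessions = {}  # transaction id -> session key

    def bootstrap(self, subscriber: str, card: Smartcard):
        rand, xres, ks = self.hss.auth_vector(subscriber)
        res = card.respond(rand)
        # Constant-time comparison: do not leak how many bytes matched.
        if not hmac.compare_digest(res, xres):
            return None  # wrong secret: no session is created
        tid = secrets.token_hex(8)
        self.sessions[tid] = ks
        return tid

    def zn_fetch(self, tid: str):
        """What a NAF would ask for over Zn: the key for a transaction id."""
        return self.sessions.get(tid)
```

The BSF only ever sees the challenge, the predicted answer and the derived key; a card holding a different secret produces a mismatching answer and gets no transaction identifier.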