SUCI stands for Subscription Concealed Identifier and SUPI stands for Subscription Permanent Identifier. Both the identifiers come under the 5G security context. UE and network (AMF/SEAF) both are responsible to establish secure connection. Initially when UE wants to register with network, it sends "Registration Request" message. The Registration request message contains many information elements (IEs) including 5GS mobile identity IE which contains either SUCI/5G-GUTI/IMEI.
After receiving the registration request message from the UE, AMF/SEAF prepares "Authentication Initiation Request" (5G-AIR) message to AUSF. SEAF also includes the serving network name into the 5G-AIR message. AUSF sits at the home network while SEAF will be part of serving network.
AUSF acts as back end security server. After receiving 5G-AIR message from SEAF, AUSF prepares "Auth-Info-Req" message and sends to UDM/ARPF. UDM/ARPF first generates an authentication vector with Authentication Management Field (AMF) separation bit = 1. The UDM/ARPF then compute CK' and IK'. After that ARPF sends (RAND, AUTN, XRES, CK', IK') to the AUSF using the Auth-Info-Rsp message.
AUSF responds to SEAF by sending 5G-AIA message which in turn includes EAP-Request/AKA'-Challenge message. SEAF transparently forwards the EAP-Request/AKA'-Challenge message to the UE in a NAS message Auth-Req message.
After getting response from the UE for the Auth-Req message sent previously, SEAF forwards the EAP Response to the AUSF and AUSF validates the same with the stored information. In case of successful verification, AUSF sends EAP-SUCCESS and Anchor key to SEAF and then SEAF responds to UE with EAP-SUCCESS.
If AUSF received SUCI from SEAF when the authentication was initiated, then the AUSF also includes the SUPI while sending EAP-SUCCESS message as mentioned above.
I mentioned the use of SUCI and SUPI with respect to security context. Hope it will help you somewhat.