Security Token Service Universal User document
To ensure that an incoming token can be converted properly into an outgoing token containing the content and format required by the partner, Security Verify Access creates an intermediate document in a generic XML format that holds identity information. This document is called the STS Universal User or STSUU. The STSUU document contains three sections:
- Principal information
- Group information
- Attribute information
To create the STSUU document, Security Verify Access uses an XML schema that specifies its structure. The schema is defined in the file stsuuser.xsd. The following code sample contains the entire contents of the security token service universal user XML schema.

<?xml version="1.0" encoding="UTF-8"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema"
            targetNamespace="urn:ibm:names:ITFIM:1.0:stsuuser"
            xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser"
            elementFormDefault="qualified">
  <xsd:element name="STSUniversalUser">
    <xsd:complexType>
      <xsd:sequence>
        <xsd:element name="Principal" type="stsuuser:PrincipalType" minOccurs="1" maxOccurs="1"/>
        <xsd:element name="GroupList" type="stsuuser:GroupListType" minOccurs="0" maxOccurs="1"/>
        <xsd:element name="AttributeList" type="stsuuser:AttributeListType" minOccurs="0" maxOccurs="1"/>
        <xsd:element name="RequestSecurityToken" type="stsuuser:RequestSecurityTokenType" minOccurs="0" maxOccurs="1"/>
      </xsd:sequence>
      <xsd:attribute name="version" type="xsd:string" use="required"/>
    </xsd:complexType>
  </xsd:element>
  <xsd:complexType name="PrincipalType">
    <xsd:sequence>
      <xsd:element name="Attribute" type="stsuuser:AttributeType" minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
  </xsd:complexType>
  <xsd:complexType name="RequestSecurityTokenType">
    <xsd:sequence>
      <xsd:element name="Attribute" type="stsuuser:AttributeType" minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
  </xsd:complexType>
  <xsd:complexType name="AttributeType">
    <xsd:sequence>
      <xsd:element name="Value" type="xsd:string" minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
    <xsd:attribute name="name" type="xsd:string" use="required"/>
    <xsd:attribute name="type" type="xsd:string" use="optional"/>
    <xsd:attribute name="nickname" type="xsd:string" use="optional"/>
    <xsd:attribute name="preferEncryption" type="xsd:boolean" use="optional"/>
  </xsd:complexType>
  <xsd:complexType name="AttributeListType">
    <xsd:sequence>
      <xsd:element name="Attribute" type="stsuuser:AttributeType" minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
  </xsd:complexType>
  <xsd:complexType name="GroupListType">
    <xsd:sequence>
      <xsd:element name="Group" type="stsuuser:GroupType" minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
  </xsd:complexType>
  <xsd:complexType name="GroupType">
    <xsd:sequence>
      <xsd:element name="Attribute" type="stsuuser:AttributeType" minOccurs="0" maxOccurs="unbounded"/>
    </xsd:sequence>
    <xsd:attribute name="name" type="xsd:string" use="required"/>
    <xsd:attribute name="type" type="xsd:string" use="optional"/>
  </xsd:complexType>
</xsd:schema>

Note that, besides the three sections listed above, the schema permits an optional RequestSecurityToken element, which holds attributes of the token request itself in the same Attribute/Value form. Only Principal is mandatory; the root element must carry a version attribute, and every Attribute and Group must carry a name. Although the schema is the base for all STSUU documents, the exact information contained in any specific STSUU document depends on the type of the security token used as input. The information required in an STSUU document after transformation by identity mapping depends on:
- The token type to be generated.
- The specific mapping rule being used for the conversion.
During token processing for a typical single sign-on configuration, two STSUUs are created. One is an input STSUU, created from the original input token. The other is an output STSUU, created after the identity mapping rules are applied.
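The following is an added example, not code from the product or this page, that shows the two-document flow above end to end with only the Python standard library: an input STSUU is parsed and checked against the structural rules of stsuuser.xsd (required version, exactly one Principal, the fixed child order, required name attributes, preferEncryption as a boolean), an illustrative mapping rule produces the output STSUU, and the result is serialised in the stsuuser namespace. The input document and its attribute names are constructed for the example, and map_identity(), FORWARDED and PARTNER_NAMEID_TYPE are assumptions standing in for a real mapping rule and partner requirements; they are not an ISAM mapping rule.

```python
"""Parse, check and transform an STS Universal User (STSUU) document. Added example, standard
library only; the input document is constructed and map_identity() is an assumed rule, not ISAM's."""
import xml.etree.ElementTree as ET

NS = "urn:ibm:names:ITFIM:1.0:stsuuser"   # targetNamespace of stsuuser.xsd
ET.register_namespace("stsuuser", NS)     # serialised output keeps the stsuuser: prefix
FORWARDED = {"mail"}                      # assumed allow-list of attributes the partner may receive
PARTNER_NAMEID_TYPE = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"  # assumed partner format

# Constructed input STSUU, shaped as a token module would produce it from an inbound token.
INPUT_STSUU = """<?xml version="1.0" encoding="UTF-8"?>
<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser" version="1.0">
  <stsuuser:Principal>
    <stsuuser:Attribute name="name"><stsuuser:Value>alice</stsuuser:Value></stsuuser:Attribute>
  </stsuuser:Principal>
  <stsuuser:GroupList><stsuuser:Group name="admins" type="urn:example:grouptype"/></stsuuser:GroupList>
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="session_id"><stsuuser:Value>8f3c</stsuuser:Value></stsuuser:Attribute>
    <stsuuser:Attribute name="mail" preferEncryption="true">
      <stsuuser:Value>alice@example.com</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:AttributeList>
</stsuuser:STSUniversalUser>
"""

class StsuuError(ValueError):
    """A constraint of stsuuser.xsd is violated."""

def q(tag):
    return "{%s}%s" % (NS, tag)

def _attributes(parent):
    """Read <Attribute> children: 'name' is required, preferEncryption must be an xsd:boolean."""
    out = []
    for a in parent.findall(q("Attribute")):
        if a.get("name") is None:
            raise StsuuError("Attribute without required 'name'")
        pe = a.get("preferEncryption")
        if pe is not None and pe not in ("true", "false", "1", "0"):
            raise StsuuError("preferEncryption is not an xsd:boolean: %r" % pe)
        out.append({"name": a.get("name"), "type": a.get("type"), "nickname": a.get("nickname"),
                    "preferEncryption": None if pe is None else pe in ("true", "1"),
                    "values": [v.text or "" for v in a.findall(q("Value"))]})
    return out

def _optional_list(root, tag):
    el = root.find(q(tag))
    return _attributes(el) if el is not None else []

def parse_stsuu(xml_text):
    """Parse an STSUU and enforce the structure the schema fixes. ElementTree does not fetch external
    entities; for documents from an untrusted party use defusedxml to also cap entity expansion."""
    root = ET.fromstring(xml_text)
    if root.tag != q("STSUniversalUser"):
        raise StsuuError("root element is %s, expected STSUniversalUser" % root.tag)
    if root.get("version") is None:
        raise StsuuError("required 'version' attribute missing")
    # xsd:sequence: Principal exactly once, then GroupList, AttributeList, RequestSecurityToken at most once
    order = [q("Principal"), q("GroupList"), q("AttributeList"), q("RequestSecurityToken")]
    seen = [order.index(c.tag) if c.tag in order else -1 for c in root]
    if -1 in seen or seen != sorted(set(seen)) or 0 not in seen:
        raise StsuuError("unexpected, repeated or misordered child element, or Principal missing")
    groups = []
    for g in root.findall(q("GroupList") + "/" + q("Group")):
        if g.get("name") is None:
            raise StsuuError("Group without required 'name'")
        groups.append({"name": g.get("name"), "type": g.get("type"), "attributes": _attributes(g)})
    return {"version": root.get("version"), "principal": _attributes(root.find(q("Principal"))),
            "groups": groups, "attributes": _optional_list(root, "AttributeList"),
            "request": _optional_list(root, "RequestSecurityToken")}

def _emit_attributes(parent, attrs):
    for a in attrs:
        attrib = {k: a[k] for k in ("name", "type", "nickname") if a.get(k)}
        if a.get("preferEncryption") is not None:
            attrib["preferEncryption"] = "true" if a["preferEncryption"] else "false"
        el = ET.SubElement(parent, q("Attribute"), attrib)
        for v in a["values"]:
            ET.SubElement(el, q("Value")).text = v

def build_stsuu(doc):
    # Serialise in schema order; GroupList is omitted because map_identity() flattens groups.
    root = ET.Element(q("STSUniversalUser"), {"version": doc["version"]})
    _emit_attributes(ET.SubElement(root, q("Principal")), doc["principal"])
    if doc["attributes"]:
        _emit_attributes(ET.SubElement(root, q("AttributeList")), doc["attributes"])
    return ET.tostring(root, encoding="unicode")

def map_identity(doc):
    """Assumed mapping: keep the principal name and retype it for the partner, flatten groups into
    one multi-valued attribute, forward only allow-listed attributes (session_id never leaves)."""
    principal = [dict(a, type=PARTNER_NAMEID_TYPE) for a in doc["principal"] if a["name"] == "name"]
    if not principal:
        raise StsuuError("input principal has no 'name' attribute")
    attrs = [a for a in doc["attributes"] if a["name"] in FORWARDED]
    if doc["groups"]:
        attrs.append({"name": "groups", "type": None, "nickname": None, "preferEncryption": None,
                      "values": [g["name"] for g in doc["groups"]]})
    return {"version": doc["version"], "principal": principal, "groups": [], "attributes": attrs, "request": []}

def transform(input_xml):
    """Input STSUU -> mapping rule -> output STSUU, the two-document flow of the single sign-on case."""
    return build_stsuu(map_identity(parse_stsuu(input_xml)))
```

Running transform(INPUT_STSUU) yields an output STSUU whose Principal carries the partner's name-id type, whose AttributeList holds only mail and a flattened groups attribute, and whose session_id attribute is absent. The allow-list is the security-relevant choice here: a mapping rule should state explicitly which attributes may cross to the partner rather than copying the whole input AttributeList, and the parse step rejects documents that break the schema's required elements and order before any rule runs on them.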
To view the Javadoc for the STSUU:
- Log in to the local management interface and go to...
System > File Downloads > federation > doc > ISAM-javadoc.zip
- Download and decompress the compressed file. View the API for com.tivoli.am.fim.trustserver.sts.user.
Parent topic: STS Universal User module