STSClient Helper

Use this utility to build and process an STS chain WS-Trust request and response.

Use the utility with the HTTPClient to invoke an IVIA STS endpoint.

To use this utility, add the following line at the beginning of your JavaScript:

importClass(Packages.com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient);

1. Building an STS chain WS-Trust request

  let payload = STSClient.createSOAPRequest("RequestType","Issuer","AppliesTo","Base","TokenType");
  Name         Data type  Required  Description
  RequestType  string     Yes       WS-Trust request type
  Issuer       string     Yes       STS chain issuer
  AppliesTo    string     Yes       STS chain AppliesTo
  Base         string     Yes       Base token
  TokenType    string     No        Token type used to invoke the STS chain

Example

let payload = STSClient.createSOAPRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Validate","issuer/stsuu/stsuu","appliesto/stsuu/stsuu",'<stsuu:STSUniversalUser xmlns:stsuu="urn:ibm:names:ITFIM:1.0:stsuuser"><stsuu:Principal><stsuu:Attribute name="name" type="urn:ibm:names:ITFIM:5.1:accessmanager"><stsuu:Value>FAMC01C</stsuu:Value></stsuu:Attribute> </stsuu:Principal><stsuu:AttributeList><stsuu:Attribute name="technicalId"><stsuu:Value>FAMC01C</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="authenticationMeanId"><stsuu:Value>07</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="dacLevel"><stsuu:Value>3</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="user-agent"><stsuu:Value>httpclient/SMA-Test</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="ip-address"><stsuu:Value>10.9.181.1</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="requestorType"><stsuu:Value>Internal_application</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="xLogId"><stsuu:Value>810989854427658437</stsuu:Value></stsuu:Attribute></stsuu:AttributeList></stsuu:STSUniversalUser>','http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken')

2. Processing an STS chain WS-Trust response

  importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
  importClass(Packages.com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient);
  // HttpClientV2 and Headers live in the httpclient package of the IVIA JavaScript API.
  importClass(Packages.com.ibm.security.access.httpclient.HttpClientV2);
  importClass(Packages.com.ibm.security.access.httpclient.Headers);

  // Build the WS-Trust Validate request for the STSUU chain (same call as in section 1).
  let payload = STSClient.createSOAPRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Validate","issuer/stsuu/stsuu","appliesto/stsuu/stsuu",'<stsuu:STSUniversalUser xmlns:stsuu="urn:ibm:names:ITFIM:1.0:stsuuser"><stsuu:Principal><stsuu:Attribute name="name" type="urn:ibm:names:ITFIM:5.1:accessmanager"><stsuu:Value>FAMC01C</stsuu:Value></stsuu:Attribute> </stsuu:Principal><stsuu:AttributeList><stsuu:Attribute name="technicalId"><stsuu:Value>FAMC01C</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="authenticationMeanId"><stsuu:Value>07</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="dacLevel"><stsuu:Value>3</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="user-agent"><stsuu:Value>httpclient/SMA-Test</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="ip-address"><stsuu:Value>10.9.181.1</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="requestorType"><stsuu:Value>Internal_application</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="xLogId"><stsuu:Value>810989854427658437</stsuu:Value></stsuu:Attribute></stsuu:AttributeList></stsuu:STSUniversalUser>','http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken');

  // Trust Server WS-Trust 1.3 endpoint of the IVIA deployment.
  var url = 'https://isam.myidp.ibm.com/TrustServerWST13/services/RequestSecurityToken';
  var headers = new Headers();
  headers.addHeader('Content-Type', 'application/xml');

  // POST the request using the rt_profile trust store and basic authentication.
  var responsePost = HttpClientV2.httpPost(url, headers, payload, "rt_profile", "easuser", "Passw0rd", null, null, null, null, null, null, null);
  if (responsePost.getCode() == 200) {
      IDMappingExtUtils.traceString("STSChain Response Body : " + responsePost.getBody());
      // Extract the WS-Trust status code and the returned token from the response body.
      let stsResponse = STSClient.processResponse(responsePost.getBody());
      IDMappingExtUtils.traceString("STSChain Response Code : " + stsResponse.statusCode);
      IDMappingExtUtils.traceString("STSChain Response Token : " + stsResponse.responseToken);
  }
  • STSClient.processResponse takes the HTTP response body as its parameter and parses it.
  • It returns an object exposing the statusCode and responseToken from the STS response.

Example logs from the above mapping rule snippet

ristretto-ristretto-1              | getStatus : http://schemas.xmlsoap.org/ws/2005/02/trust/status/valid
ristretto-ristretto-1              | getresponseToken : <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.
...
stsuuser:STSUniversalUser>
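The two helper calls above are opaque from the mapping rule's point of view. The following stand-alone Node.js model, added here as an example and not part of the STSClient helper or of the IVIA product, shows what a WS-Trust RequestSecurityToken envelope with the five parameters of section 1 looks like, and how the RequestSecurityTokenResponse of section 2 is reduced to a statusCode and a responseToken. The function names buildRequestSecurityToken, processResponse and isValidStatus, the WS-Addressing and WS-Policy namespaces, and the sample response are assumptions or constructed data; the WS-Trust 2005/02 namespace and the status/valid URI are the ones that appear in the page's own example and logs.

```javascript
// Added example (not the STSClient helper or IVIA code): a model of the request the
// helper builds and of the response processing it performs, runnable offline in Node.

const WST_NS = "http://schemas.xmlsoap.org/ws/2005/02/trust";
const WSA_NS = "http://www.w3.org/2005/08/addressing";      // assumed WS-Addressing version
const WSP_NS = "http://schemas.xmlsoap.org/ws/2004/09/policy"; // assumed WS-Policy version
const SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
const STATUS_VALID = WST_NS + "/status/valid"; // the status URI seen in the page's logs

// Escape text placed in an element body so that RequestType, Issuer, AppliesTo and
// TokenType values cannot alter the envelope structure.
function escapeXml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Build a WS-Trust RequestSecurityToken envelope. `base` is an XML fragment (the token
// to be validated) and is embedded as-is; all other parameters are plain strings.
function buildRequestSecurityToken(requestType, issuer, appliesTo, base, tokenType) {
  const required = { requestType, issuer, appliesTo, base };
  for (const name of Object.keys(required)) {
    if (typeof required[name] !== "string" || required[name].length === 0) {
      throw new Error(name + " is required");
    }
  }
  const tokenTypeEl = tokenType ? `<wst:TokenType>${escapeXml(tokenType)}</wst:TokenType>` : "";
  return (
    `<soapenv:Envelope xmlns:soapenv="${SOAP_NS}" xmlns:wst="${WST_NS}" xmlns:wsa="${WSA_NS}" xmlns:wsp="${WSP_NS}">` +
    `<soapenv:Body><wst:RequestSecurityToken>` +
    `<wst:RequestType>${escapeXml(requestType)}</wst:RequestType>` +
    `<wst:Issuer><wsa:Address>${escapeXml(issuer)}</wsa:Address></wst:Issuer>` +
    `<wsp:AppliesTo><wsa:EndpointReference><wsa:Address>${escapeXml(appliesTo)}</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>` +
    `<wst:Base>${base}</wst:Base>` +
    tokenTypeEl +
    `</wst:RequestSecurityToken></soapenv:Body></soapenv:Envelope>`
  );
}

// Return the inner content of the first element with the given local name, whatever
// namespace prefix the STS uses, or null when the element is absent.
function innerOf(xml, localName) {
  const re = new RegExp(
    `<(?:[\\w.-]+:)?${localName}(?:\\s[^>]*)?>([\\s\\S]*?)</(?:[\\w.-]+:)?${localName}>`
  );
  const m = re.exec(xml);
  return m ? m[1].trim() : null;
}

// Reduce an RSTR body to the two fields the helper's processResponse exposes.
function processResponse(body) {
  const status = innerOf(body, "Status");
  return {
    statusCode: status ? innerOf(status, "Code") : null,
    responseToken: innerOf(body, "RequestedSecurityToken"),
  };
}

// A chain succeeded only when the status code is exactly the "valid" URI; an HTTP 200
// with a non-empty body is not sufficient on its own.
function isValidStatus(stsResponse) {
  return stsResponse.statusCode === STATUS_VALID;
}

// Constructed sample RSTR (not captured from a real STS) used for the demonstration.
const SAMPLE_VALID_RSTR =
  `<soapenv:Envelope xmlns:soapenv="${SOAP_NS}"><soapenv:Body>` +
  `<wst:RequestSecurityTokenResponse xmlns:wst="${WST_NS}">` +
  `<wst:Status><wst:Code>${STATUS_VALID}</wst:Code></wst:Status>` +
  `<wst:RequestedSecurityToken><stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">` +
  `<stsuuser:Principal><stsuuser:Attribute name="name"><stsuuser:Value>FAMC01C</stsuuser:Value></stsuuser:Attribute></stsuuser:Principal>` +
  `</stsuuser:STSUniversalUser></wst:RequestedSecurityToken>` +
  `</wst:RequestSecurityTokenResponse></soapenv:Body></soapenv:Envelope>`;

const demoRequest = buildRequestSecurityToken(
  WST_NS + "/Validate", "issuer/stsuu/stsuu", "appliesto/stsuu/stsuu",
  '<stsuu:STSUniversalUser xmlns:stsuu="urn:ibm:names:ITFIM:1.0:stsuuser"/>',
  "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#UsernameToken"
);
const demoResponse = processResponse(SAMPLE_VALID_RSTR);
console.log(demoRequest);
console.log("status valid:", isValidStatus(demoResponse), "code:", demoResponse.statusCode);
```

In a mapping rule the equivalent of isValidStatus is the check to add after STSClient.processResponse: compare stsResponse.statusCode with the status/valid URI before trusting stsResponse.responseToken, since the Trust Server answers a failed validation with HTTP 200 and a different status code.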