Invoking an ISVA STS chain from mapping rule

IBM Security Verify Access provides a rich set of STS modules that are used for token transformation. To use STS chains that run on an external ISVA instance, a set of STS Client helper classes is available in Verify Access OIDC Provider mapping rules.

Mapping rule snippet

importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient);
importClass(Packages.com.ibm.security.access.HttpClient);

// Build the WS-Trust Validate request. The STSUU document carries the principal
// and the attributes that the remote STS chain will transform.
let payload = STSClient.createSOAPRequest(
    "http://schemas.xmlsoap.org/ws/2005/02/trust/Validate",
    "issuer/stsuu/stsuu",
    "appliesto/stsuu/stsuu",
    '<stsuu:STSUniversalUser xmlns:stsuu="urn:ibm:names:ITFIM:1.0:stsuuser">' +
      '<stsuu:Principal>' +
        '<stsuu:Attribute name="name" type="urn:ibm:names:ITFIM:5.1:accessmanager"><stsuu:Value>testuser</stsuu:Value></stsuu:Attribute>' +
      '</stsuu:Principal>' +
      '<stsuu:AttributeList>' +
        '<stsuu:Attribute name="technicalId"><stsuu:Value>testuser</stsuu:Value></stsuu:Attribute>' +
        '<stsuu:Attribute name="authenticationMeanId"><stsuu:Value>07</stsuu:Value></stsuu:Attribute>' +
        '<stsuu:Attribute name="dacLevel"><stsuu:Value>3</stsuu:Value></stsuu:Attribute>' +
        '<stsuu:Attribute name="user-agent"><stsuu:Value>httpclient/SMA-Test</stsuu:Value></stsuu:Attribute>' +
        '<stsuu:Attribute name="ip-address"><stsuu:Value>10.9.181.1</stsuu:Value></stsuu:Attribute>' +
        '<stsuu:Attribute name="requestorType"><stsuu:Value>Internal_application</stsuu:Value></stsuu:Attribute>' +
        '<stsuu:Attribute name="xLogId"><stsuu:Value>810989854427658437</stsuu:Value></stsuu:Attribute>' +
      '</stsuu:AttributeList>' +
    '</stsuu:STSUniversalUser>');

// WS-Trust 1.3 endpoint of the external ISVA STS.
var url = 'https://isam.myidp.ibm.com/TrustServerWST13/services/RequestSecurityToken';
var headers = new Headers();
headers.addHeader('Content-Type', 'application/xml');

// POST the SOAP request to the STS with the basic-authentication credentials of the STS user.
var responsePost = HttpClientV2.httpPost(url, headers, payload, "rt_profile", "easuser", "Passw0rd", null, null, null, null, null, null, null);

IDMappingExtUtils.traceString("STSChain Response HTTP Status Code: " + responsePost.getCode());
if (responsePost.getCode() == 200) {
    IDMappingExtUtils.traceString("STSChain Response Body : " + responsePost.getBody());
    // Parse the RequestSecurityTokenResponse and extract the status code and the returned token.
    let stsResponse = STSClient.processResponse(responsePost.getBody());
    IDMappingExtUtils.traceString("STSChain Response Code : " + stsResponse.statusCode);
    IDMappingExtUtils.traceString("STSChain Response Token : " + stsResponse.responseToken);
}
  • Two helpers exist: STSClient.createSOAPRequest and STSClient.processResponse.
  • The helpers build the STS request and consume the STS response.
  • HttpClientV2.httpPost is used to make the STS call.
  • To invoke the previous mapping rule snippet, add it to the pretoken or posttoken mapping rule.
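The snippet above writes the STSUU document as one hand-assembled string, so any attribute value taken from the incoming request (for example user-agent or ip-address) has to be XML-escaped before it is placed in the document, or it can change the structure the STS chain receives. The following is an added example, not code from the page or from IBM: it builds the same STSUU layout from plain values with escaping applied; the helper names xmlEscape, attribute and buildStsuu are assumptions.

```javascript
// Added example (not an ISVA API): build the STSUU XML used above from plain
// values, escaping every value so request-derived data cannot alter the document.
const STSUU_NS = "urn:ibm:names:ITFIM:1.0:stsuuser";
const AM_PRINCIPAL_TYPE = "urn:ibm:names:ITFIM:5.1:accessmanager";

// Escape the five XML special characters so a value stays inside its element.
function xmlEscape(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// One <stsuu:Attribute> element with a single <stsuu:Value>; type is optional.
function attribute(name, value, type) {
  const typeAttr = type ? ' type="' + xmlEscape(type) + '"' : "";
  return '<stsuu:Attribute name="' + xmlEscape(name) + '"' + typeAttr + ">" +
    "<stsuu:Value>" + xmlEscape(value) + "</stsuu:Value></stsuu:Attribute>";
}

// principalName: the Access Manager user name placed in <stsuu:Principal>.
// attrs: object of AttributeList name -> value pairs (hypothetical helper).
function buildStsuu(principalName, attrs) {
  let xml = '<stsuu:STSUniversalUser xmlns:stsuu="' + STSUU_NS + '">';
  xml += "<stsuu:Principal>" +
    attribute("name", principalName, AM_PRINCIPAL_TYPE) + "</stsuu:Principal>";
  xml += "<stsuu:AttributeList>";
  for (const name of Object.keys(attrs)) {
    xml += attribute(name, attrs[name]);
  }
  xml += "</stsuu:AttributeList></stsuu:STSUniversalUser>";
  return xml;
}

// Constructed sample input mirroring the page's snippet, with a user-agent
// that contains markup and quotes to show the escaping in effect.
const sampleStsuu = buildStsuu("testuser", {
  technicalId: "testuser",
  authenticationMeanId: "07",
  dacLevel: "3",
  "user-agent": 'httpclient/<SMA-Test> "x"',
  "ip-address": "10.9.181.1",
  requestorType: "Internal_application",
  xLogId: "810989854427658437"
});
```

The resulting string can be passed as the fourth argument of STSClient.createSOAPRequest in place of the literal used in the snippet.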

For further details about the STSClient helpers, see here.