Invoking an ISVA STS chain from mapping rule
IBM Security Verify Access provides a rich set of STS modules that are used for token transformation. To make the STS chains that run on an external ISVA instance usable from Verify Access OIDC Provider mapping rules, a set of STS Client helper classes is available in those rules.
Mapping rule snippet
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient);
importClass(Packages.com.ibm.security.access.HttpClient);

// Build the WS-Trust Validate request that carries the STSUniversalUser token to be transformed.
let payload = STSClient.createSOAPRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Validate", "issuer/stsuu/stsuu", "appliesto/stsuu/stsuu", '<stsuu:STSUniversalUser xmlns:stsuu="urn:ibm:names:ITFIM:1.0:stsuuser"><stsuu:Principal><stsuu:Attribute name="name" type="urn:ibm:names:ITFIM:5.1:accessmanager"><stsuu:Value>testuser</stsuu:Value></stsuu:Attribute></stsuu:Principal><stsuu:AttributeList><stsuu:Attribute name="technicalId"><stsuu:Value>testuser</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="authenticationMeanId"><stsuu:Value>07</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="dacLevel"><stsuu:Value>3</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="user-agent"><stsuu:Value>httpclient/SMA-Test</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="ip-address"><stsuu:Value>10.9.181.1</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="requestorType"><stsuu:Value>Internal_application</stsuu:Value></stsuu:Attribute><stsuu:Attribute name="xLogId"><stsuu:Value>810989854427658437</stsuu:Value></stsuu:Attribute></stsuu:AttributeList></stsuu:STSUniversalUser>');

// RequestSecurityToken endpoint of the external ISVA STS.
var url = 'https://isam.myidp.ibm.com/TrustServerWST13/services/RequestSecurityToken';
var headers = new Headers();
headers.addHeader('Content-Type', 'application/xml');

// POST the SOAP request over TLS using the "rt_profile" trust store and basic-auth credentials.
var responsePost = HttpClientV2.httpPost(url, headers, payload, "rt_profile", "easuser", "Passw0rd", null, null, null, null, null, null, null);
IDMappingExtUtils.traceString("STSChain Response HTTP Status Code: " + responsePost.getCode());

if (responsePost.getCode() == 200) {
    IDMappingExtUtils.traceString("STSChain Response Body : " + responsePost.getBody());
    // Parse the SOAP response into the STS status code and the returned token.
    let stsResponse = STSClient.processResponse(responsePost.getBody());
    IDMappingExtUtils.traceString("STSChain Response Code : " + stsResponse.statusCode);
    IDMappingExtUtils.traceString("STSChain Response Token : " + stsResponse.responseToken);
}
- Two helpers exist: STSClient.createSOAPRequest and STSClient.processResponse.
- These helpers build the STS request and consume the STS response.
- HttpClientV2.httpPost is used to make the HTTP call to the STS endpoint.
- To invoke the preceding mapping rule snippet, add it to a pre-token or post-token mapping rule.
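The snippet above passes the STSUniversalUser token to STSClient.createSOAPRequest as one hard-coded XML string. In a real mapping rule several of those attribute values (user-agent, ip-address, xLogId) come from the incoming request, so they must be XML-escaped before being spliced into the token. The following is an added example, not code from the page or from IBM, showing how to assemble that token from a principal name and an attribute map with escaping applied; it runs in plain Node.js, and the names escapeXml, attributeXml, buildStsuu, sampleAttributes, samplePayload and escapedPayload are all assumptions of this example. HttpClientV2 and STSClient exist only inside the mapping-rule runtime, so the HTTP call itself is not reproduced.

```javascript
// Added example (not the page's or IBM's code): build the STSUniversalUser XML
// that a mapping rule hands to STSClient.createSOAPRequest, escaping every value
// so request-derived attributes cannot break out of their <stsuu:Value> element.

const STSUU_NS = "urn:ibm:names:ITFIM:1.0:stsuuser";
const AM_PRINCIPAL_TYPE = "urn:ibm:names:ITFIM:5.1:accessmanager";

// Escape the five XML metacharacters so a value stays inside its element.
function escapeXml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&apos;");
}

// One <stsuu:Attribute> element holding a single <stsuu:Value>; type is optional.
function attributeXml(name, value, type) {
  var typeAttr = type ? ' type="' + escapeXml(type) + '"' : "";
  return '<stsuu:Attribute name="' + escapeXml(name) + '"' + typeAttr + '>' +
    '<stsuu:Value>' + escapeXml(value) + '</stsuu:Value></stsuu:Attribute>';
}

// Build the full STSUniversalUser document: a Principal plus an AttributeList.
function buildStsuu(principalName, attributes) {
  var list = Object.keys(attributes)
    .map(function (name) { return attributeXml(name, attributes[name]); })
    .join("");
  return '<stsuu:STSUniversalUser xmlns:stsuu="' + STSUU_NS + '">' +
    '<stsuu:Principal>' + attributeXml("name", principalName, AM_PRINCIPAL_TYPE) + '</stsuu:Principal>' +
    '<stsuu:AttributeList>' + list + '</stsuu:AttributeList>' +
    '</stsuu:STSUniversalUser>';
}

// Constructed sample input mirroring the attributes used in the page's snippet.
var sampleAttributes = {
  technicalId: "testuser",
  authenticationMeanId: "07",
  dacLevel: "3",
  "user-agent": "httpclient/SMA-Test",
  "ip-address": "10.9.181.1",
  requestorType: "Internal_application",
  xLogId: "810989854427658437"
};

// The token string a mapping rule would pass as the fourth argument of
// STSClient.createSOAPRequest (hypothetical usage; the call itself is omitted).
function samplePayload() {
  return buildStsuu("testuser", sampleAttributes);
}

// Same token with a constructed user-agent containing XML metacharacters:
// after escaping, the markup-like characters are inert text inside the Value.
function escapedPayload() {
  return buildStsuu("testuser", {
    "user-agent": 'Mozilla/5.0 (X11; "Linux") & <test>',
    "ip-address": "10.9.181.1"
  });
}
```

Escaping at construction time is the cheap control here: the STS chain on the external instance trusts whatever lands in the STSUU, so the mapping rule that assembles it is the right place to guarantee that one attribute value cannot masquerade as several.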
For further details about the STSClient helpers, see here.