
Comments (6)

1 Murali Krishna Thota Sri Jaganatha commented Permalink

Can we use Tivoli Access Manager Authorization Module for authorization when configuring a SAML federation (Browser POST profile)?

2 Shane Weeden commented Permalink

Murali - you certainly could, but what do you want to "authorize" in the case of a SAML Browser-POST operation?

3 Eric Wood commented Permalink

Hi Shane,

I like where this is heading but I'm wondering if there's a way to simplify the configuration if everything is deployed on the same STS.
What I'd like to do is set up a module that pulls attributes into the STSUU from a database, then applies the XSL transform. It looks like this could be accomplished by using a Delegator module of {database map, default-map} but it doesn't seem to offer me the ability to upload the XSL file anywhere.

4 SHANE WEEDEN commented Permalink

Couple of comments Eric.

First, we are likely to phase out XSL for mapping altogether in favour of javascript, so I wouldn't continue to invest heavily in XSL for identity mapping. The main reason for this is precisely what you have suggested - calling external code (Java) is easier and more logical from javascript and less prone to issues with changing XSL runtimes (we've seen issues with this).
That leaves you with a couple of choices. You can code your database interaction as a separate TFIM (osgi) plugin and call that from a single javascript mapping rule which is configured in a federation, or (and I prefer this second option), just code what you would have done in an XSL/Javascript mapping module directly into the same pure-java mapping module where you've got your database interaction. You can use GUIXML / config to selectively handle any optional mapping on a per-partner basis.

5 Eric Wood commented Permalink

Thanks, Shane.

I like the second option as well, and I think that's what we'll do.
I was unaware that you can call java from the javascript module in TFIM. Is there an example of how javascript could call out to an STS module? Just to have another trick up my sleeve is useful.

6 SHANE WEEDEN commented Permalink

To call java from a javascript mapping rule you write your java code in a TFIM (osgi) plugin jar. This is the same technique as writing an STS module, however you just aren't implementing an extension point. Update the MANIFEST.MF to export the packages you want to be able to access from javascript. For example:

Export-Package: com.ibm.demo

The plug-in jar file is deployed in the normal manner by copying to <fim install root>/plugins and using the admin console to deploy plugins.

Then in your javascript mapping rule, you import the package at the top of the javascript, and can then access it. For example:

importPackage(Packages.com.ibm.demo); // import line assumed; MyDemoClass is a class exported from com.ibm.demo
var myObj = new MyDemoClass();
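
As an added illustration (not code from the thread or from TFIM itself) of the plugin-side class that the javascript mapping rule above would call: a hypothetical com.ibm.demo.MyDemoClass that does the database attribute lookup Eric describes. The JNDI DataSource name, table and column names are assumptions.

```java
// Hypothetical plugin class for the example; package name matches the Export-Package line above.
package com.ibm.demo;

import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.ArrayList;
import java.util.List;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.sql.DataSource;

public class MyDemoClass {
    // Assumed JNDI name of a DataSource configured on the WebSphere server hosting TFIM.
    private static final String DS_JNDI = "jdbc/fimAttributeDB";

    /**
     * Returns all values of attrName stored for the given principal (empty list if none).
     * Assumed schema: table user_attrs(principal, attr_name, attr_value).
     */
    public List<String> lookupAttribute(String principal, String attrName)
            throws SQLException, NamingException {
        List<String> values = new ArrayList<String>();
        DataSource ds = (DataSource) new InitialContext().lookup(DS_JNDI);
        Connection conn = ds.getConnection();
        try {
            // The principal name comes from the incoming token, so it is bound as a
            // parameter rather than concatenated into the SQL text.
            PreparedStatement ps = conn.prepareStatement(
                "SELECT attr_value FROM user_attrs WHERE principal = ? AND attr_name = ?");
            ps.setString(1, principal);
            ps.setString(2, attrName);
            ResultSet rs = ps.executeQuery();
            while (rs.next()) {
                values.add(rs.getString(1));
            }
            rs.close();
            ps.close();
        } finally {
            conn.close();
        }
        return values;
    }
}

// Usage from the javascript mapping rule, after importPackage(Packages.com.ibm.demo):
//   var lookup = new MyDemoClass();
//   var groups = lookup.lookupAttribute(stsuu.getPrincipalName(), "group");
//   (then add the returned values to the STSUU with the Attribute API)
```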
