IBM Tivoli Federated Identity Manager, Version 6.2.2

Use of XSL language for creating mapping rules files

The identity mapping module uses the Java™ API for XML Parsing (JAXP) to transform the input document. The transformation is done based on XSL stylesheet that you specify in an XSL file.

XSL is a language that can be used to transform and format documents. XSL is used to define style sheets for HTML and to format XML data, so that it can be shown in a web browser. Part of the XSL standard defines transformations for moving data from one form to another. The transformation language can include conditional statements, variables, and callouts to Java programs.

The trust service uses XSL to create mapping rules. The mapping rules created specify how to transform an input STS universal user document into an output STS universal user document. The output STS universal user document is used as input to the next module in the chain. This module is often used to generate an output token, but it can also be another mapping module. The XSL parser processes XSL documents by looking for matching templates. When a template is found, the contents of the template are processed.

The main tasks that are performed in mapping rules are:

Moving identity information between elements.
Reformatting existing identity information.
Adding new elements with new identity information.
Removing unwanted identity information.

You can use the IBM® Rational® Application Developer tool set to run an XSL debugger from a command line. Use the developer tool set to test your XSL code without running the trust service.

Tivoli® Federated Identity Manager provides two sets of sample identity mapping files. The first set shows the minimum contents of each type of mapping, while the second set does advanced functionality that is used in the demonstration application.

The location of the basic mapping files is:

/opt/IBM/FIM/examples/mapping_rules/

The following table lists the example mapping rules files.

Table 1. Example mapping rules
File name	Mapping description
ip_liberty.xsl	Maps a Tivoli Access Manager credential or a local user identity to a Liberty token.
ip_saml_1x.xsl	Maps a local user identity to a SAML 1.0 or SAML 1.1 token.
ip_saml_20.xsl	Uses a token to maps a local user identity to a SAML 2.0 token.
ip_saml_20_email_nameid.xsl	Uses the email address of the user for the identity without an alias, to map a local user identity to a SAML 2.0 token .
ip_wsfederation.xsl	Maps a Tivoli Access Manager credential or a local user identity to a SAML token.
ip_infocard.xsl	Maps an incoming token or a local user identity to a SAML 1.1 token. The primary purpose of this rule is to populate the requested claims attributes with values.
ip_openid.xsl	Maps an IVCred token or a local user identity to a Security Token Service Universal User (STSUU) token. The primary purpose of this rule is to populate requested attributes (SREG and AX) and to act on requested PAPE policies.
rp_infocard.xsl	Maps a SAML 1.1 token or a local user identity to an IVCred token.
sp_liberty.xsl	Maps a Liberty token to a Tivoli Access Manager credential or a local user identity.
sp_saml_20.xsl	Maps a SAML 2.0 token to a local user identity.
sp_saml_1x.xsl	Maps a SAML 1.0 or 1.1 token to a local user identity.
sp_saml_1x_ext.xsl	Maps a SAML 1.0 or 1.1 token to a local user identity and verifies that the authentication method is an acceptable one. It demonstrates that the service provider can require the authentication at identity provider to be at a certain level. In this mapping rule, password authentication is not accepted. It produces an error if password authentication was used.
sp_wsfederation.xsl	Maps a SAML token to a Tivoli Access Manager credential or a local user identity.
sp_tagvalue.xsl	Maps a SAML token to a Tivoli Access Manager IV Cred credential with WebSEAL tag/value attributes or a local user identity.
username_ivcred.xsl	Maps a Username token to a Tivoli Access Manager credential or a local user identity.
sp_oauth_10.xsl	Supports OAuth 1.0 flow.
sp_oauth_20.xsl	Supports OAuth 2.0 flow.

Note: For more information about the sample mapping rules for each protocol, see the protocol-specific configuration instructions in this guide.

The demonstration application provides sample XSL identity mapping rules files. These files expand upon the minimal mapping rules described in the preceding table to perform mapping that is customized for the user accounts. The demonstration application configuration scripts create the user accounts.

The location of the sample mapping scripts for the demonstration application is:

/opt/IBM/FIM/examples/demo/demo_rules/

Note: The file names are the same as the minimal mapping rules, but the files are located in different directories.

The sample mapping files are automatically installed during installation.

The following table lists the files for each federation type on each provider type.

Table 2. Sample mapping rules files for the demonstration application
Provider	Federation Type	Mapping rule file
Identity Provider	Liberty	`ip_liberty.xsl`
	SAML 1.0	`ip_saml_10.xsl`
	SAML 1.1	`ip_saml_11.xsl`
	SAML 2.0	`ip_saml_20.xsl`
	WS-Federation	`ip_wsfederation.xsl`
	Information Card	`ip_openid.xsl`
	OpenID	`ip_infocard.xsl`
Service Provider	Liberty	`sp_liberty.xsl`
	SAML 1.0 or 1.1	`sp_saml_1x.xsl`
	SAML 2.0	`sp_saml_20.xsl`
	WS-Federation	`sp_wsfederation.xsl`
	Information Card	`rp_infocard.xsl`
	OpenID	`sp_openid.xsl`
	OAuth 1.0	`sp_oauth_10.xsl`
	OAuth 2.0	`sp_oauth_20.xsl`

Feedback