Programming Security for Web Services

Web Services Interfaces

To develop web services clients, you use the Web Services Security Service Module (SSM) application programming interfaces (APIs) developed by BEA Systems.

These interfaces are described in the following sections:

• Registry Service Interface
• Methods Common to All Web Services Interfaces
• Authentication Service Interface on page 2-4
• Authorization Service Interface on page 2-11
• Auditing Service Interface on page 2-16
• Role Mapping Service Interface on page 2-18
• Credential Mapping Service Interface on page 2-20

 

---

Registry Service Interface

To map security service type and SSM configuration and SOAP endpoints, each Web Services SSM process has its own separate Registry Service. The address of the Registry Service should be known to the web services client from its configuration. This service maps the SSM Configuration ID and the service type to the Web Services SSM and SOAP endpoints for the security services. The Configuration ID is defined in the default.properties file for the SSM instance. The Registry Service makes it possible to distinguish between the supported service types (auditing, authentication, authorization, credential mapping, and role mapping). Registry Service operations on a particular machine are limited to the local machine (see Figure 2-1). The Web Services client learns about the Registry Service from its configuration file.

Figure 2-1 Registry Service Function

 

The following topics provide or more information on the Registry Service.

• How the Registry Service Works
• Registry Service Methods

How the Registry Service Works

The Registry Service works as follows (Figure 2-2):

Figure 2-2 How the Registry Service Works

 

If a web services client asks the Registry Service about the existence of a particular security service type, the Registry Service responds with a true or false answer.
If a web services client asks for the URL of a valid security service type for the local host, the Registry Service returns the fully qualified URL of the endpoint for the requested service type that is provided by the SSM configuration. The Configuration ID is defined in the default.properties file.
If a web services client asks the registry for a URL for a security service type that has an invalid security service type for Web Services SSM identified by the Configuration ID, the Registry Service returns a RegistryFailure SOAP Fault.

Note: The Registry Service does not provide lifecycle management functions for the Web Services.

For more information on the Registry Service interface and the methods it supports, see WSDLdocs for Web Services Interfaces.

Registry Service Methods

The Registry Service supports two methods: locateService() and doesServiceExist(). Both methods accept the requested service type of the Web Server SSM or Web Services SSM that provides the service. The supported service types are: ALES_AUDIT, ALES_AUTHENTICATION, ALES_AUTHORIZATION, ALES_CREDENTIAL, and ALES_ROLE. The type for all service types is string.

For the locateService() method, the Registry Service returns the fully qualified URL for the endpoint of the requested service. For the doesServiceExist() method, the service returns a Boolean value (true or false) that indicates whether the service exists and can be requested.

 

---

Methods Common to All Web Services Interfaces

The following methods are supported by all Web Services interfaces, except for the Registry Service interface.

• getServiceType()—This method takes an empty request and returns a structure that contains the service. The Web Services SSM supports these security service types: ALES_AUDIT, ALES_AUTHENTICATION, ALES_AUTHORIZATION, ALES_CREDENTIAL, and ALES_ROLE. The type for all service types is string.
• getServiceVersion()—This method takes an empty request and returns a structure that contains the version of the service. The Web Service SSM supports these version types: MajorVersion (type int), MinorVersion (type int), PatchLevel (type string), and Version (type long).
• isCompatible()—This method accepts service version information and returns compatibility information. The method accept these values: MajorVersion (type int), MinorVersion (type int), PatchLevel (type string), and Version (type long). It returns these compatibility responses: ALES_NOT_COMPATIBLE, ALES_COMPATIBLE, ALES_COMPATIBLE_DEPRECATED, ALES_COMPATIBLE_UNKNOWN. All compatibility responses are returned as strings. You use this method to determine whether the version of the service interface specified in the web services client is compatible with the current version of the service interface in the instance of the Web Services SSM.

 

---

Authentication Service Interface

The Authentication Service provides security functions to an application so as to establish, verify, and transfer a person or process identity. Thus, the Authentication Service provides two main security functions: authentication and identity assertion.

The Authentication Service accepts user credentials and/or identity assertion tokens and verifies that they match the user identity stored in the existing user profile. The following types of identity assertion tokens are supported:

• Username/password
• Signed Security Assertion Markup Language (SAML) 1.1 assertions
• ALES cookie

The Extensible Markup Language (XML) structures used by the Authentication Service for transmitting identity assertion tokens and other credential types are defined the WSDL interface.

To ensure secure handling of credentials, all credentials presented to the Web Services Security Service Module must satisfy the following requirements:

• All SAML 1.1 identity assertions must be signed by a trusted entity, as determined by the SAML IdentityAsserter. The signature must be attached to the identity assertion and cover the entire assertion. An identity assertion that is not signed or signed by an unknown authority is rejected and the processing is stopped.
• The caller should verify the validity of server credentials prior to invoking the Web Service. In particular, the caller should verify its validity by examining its expiration date, certification path, and revocation status.

The Web Services SSM only accepts clear-text passwords. However, the credentials presented are always be protected by SSL, either one-way or two-way. The Web Services SSM returns credentials to clients over SSL as well.

The SOAP authentication interface enables the Web Services SSM to return challenges to clients if they fail to provides the information necessary to complete the authentication process. In such cases, the client can respond with the requested information. In order to avoid expensive round trips, however, the web services client should pass in all available credentials information with the initial SOAP request.

The following topics provide more information on the Authentication Service interface:

• Authentication Process
• Authentication Service Methods

Authentication Process

The authentication process is as follows (see Figure 2-3):

Figure 2-3 Authentication Service Process

 

The web services client connects to the Web Services SSM over HTTP and the Web Services SSM responds by presenting a digital certificate to prove its identity to the client. The Web Services SSM authenticates itself to the web services client using its server X.509 certificate. If the Web Services SSM presents a certificate that is not valid (for instance, the certificate has expired or has a subject name mismatch), the client should break the connection.
The web services client verifies the SSMs digital certificate and submits a certificate signed by a recognized certificate authority (CA) to the Web Services SSM.
The Web Services SSM verifies the clients certificate and establishes an SSL connection.
The web services client submits credentials to Web Services SSM to login. Web services clients present user credentials with each login request. Use credential can be username/password, a SAML assertion, or an ALES cookie
The Authentication Service verifies the client credentials.
If the credentials authenticate, the Authentication Service returns an identity assertion token to the web services client.
If the credentials do not authenticate, the Authentication Service submits the credentials for checking. The Authentication Service does one of two things:
• Validates the user credentials, grants the login, and returns a success message to the Web Services SSM.
• Invalidates the user credentials, blocks the login, and returns a failure message to the Web Services SSM.
If an authentication decision cannot be made with the parameters included in the initial client request, the request fails.
If authentication is successful, the Web Services SSM returns the default identity assertion token representing the user. The type of the default identify assertion token is configurable. If the type is not specified, SAML assertions are used.
If authentication fails, the Web Services SSM returns an AuthenticationFailure SOAP Fault to the caller.

For more information on the Authentication Service Interface and the methods it supports, see WSDLdocs for Web Services Interfaces.

Authentication Service Methods

To support authentication functions the authentication provides the following methods:

• authenticate() Method
• assertIdentity() Method
• isAssertionTokenSupported() Method
• validateIdentity() Method

authenticate() Method

This method accepts any credential type supported by the authentication provider or a response to an earlier authentication challenge, and, optionally, the type of requested identity assertion that represents the identity and application context of the authenticated user. In response, it returns either the requested identity assertion token and status information or an authentication challenge.

Note: In addition to the identity assertion types, the Web Services SSM supports user credentials in form of usernames with passwords.

Table 2-1 describes the authenticate() method parameters.

Table 2-1 authenticate() Method Parameters 

Parameter	Description	Supported Values/Types
Input Parameters
Identity Credential	Specifies the identity credential that is to be used to authenticate the caller.	ssm:IdentityCredential Type
RquestCredential Type	Specifies the identity credential type.	ssm:CredentialTypeType
AppContext	Specifies the application context in which authentication is being requested.	ssm:"ContextType" Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
Return Parameters
IdentityAssertion	Returns the identity assertion token.	type="ssm:Identity AssertionType"
Challenge	Returns an authentication challenge to the caller.	type="ssm:ChallengeType"
StatusInfo	Returns status information.	type="xsd:string"

 

assertIdentity() Method

This method accepts any supported identity assertion type or a response to an earlier authentication challenge, and, optionally, the type of requested identity assertion that represents the identity and application context of the authenticated user. In response, it returns either the requested identity assertion token and status information or an authentication challenge.

Table 2-2 describes the assertIdentity() method parameters.

Table 2-2 assertIdentity() Method Parameters 

Parameter	Description	Supported Values/Types
Input Parameters
IdentityAssertion	An identity assertion token that represents the authenticated identity of the user.	type="ssm:IdentityAssertion Type"
Requested CredentialType	Specifies the type of credential being submitted for authentication.	type="ssm:CredentialTypeType"
AppContext	Specifies the application context in which authentication is being requested.	ssm:ContextType Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
Return Parameters
IdentityAssertion	Returns the identity assertion token.	An acceptable user's identity assertion token. type="ssm:Identity AssertionType"
Challenge	Returns an authentication challenge to the caller.	type="ssm:ChallengeType"
StatusInfo	Returns status information.	type="xsd:string"

 

isAssertionTokenSupported() Method

This method accepts an identity assertion credential type that represents the authenticated user's identity. It returns a Boolean value (true or false) to indicate whether this token type is supported by this instance of the Web Services SSM.

Table 2-3 describes the isAssertionTokenSupported() method parameters.

Table 2-3 isAssertionTokenSupported() Method Parameters

Parameter	Description	Supported Values/Types
Input Parameter
Assertion CredentialType	Specifies the identity assertion credential type. The type specified can be any type supported by the ALES Credential Mapping provider. The Authentication Service may also return an authentication challenge to the caller requesting other assertion token types. If the caller fails to specify an assertion token type supported by the Authentication Service even after challenges, the Authentication Service returns CredentialMappingFailure to the caller.	AssertionCredentialType type="ssm:CredentialTypeType"
Return Parameter
isAssertionToken SupportedResponse	Specifies whether the assertion token is supported.	true/false type="xsd:boolean"

 

validateIdentity() Method

This method accepts any supported identity assertion type that represents the identity of the authenticated user. It returns a structure with a Boolean value (true or false) that indicates whether the token is valid.

Table 2-4 describes the validateIdentity() method parameter.

Table 2-4 validateIdentity() Method Parameters

Parameter	Description	Supported Values/Types
Input Parameter
IdentityAssertion	An identity assertion token that represents the authenticated identity of the user.	IdentityAssertion type="ssm:Identity AssertionType"
Return Parameter
validateIdentity Response	Specifies whether the identity is valid.	true/false type="xsd:boolean"

 

 

---

Authorization Service Interface

The Authorization Service is a service that allows an application to determine if a specific identity is permitted to access a specific resource. This decision may then be enforced in the application directly at the policy enforcement point.

The Authorization Service is primarily based on a single method: isAccessAllowed(). This method accepts a supported type of user credential or an identity token, a runtime resource, and a runtime action. Optionally, this method can accept the type of the requested identity assertion token that represents the identity of the authenticated user, the application context, and direction parameters. The isAccessAllowed() method requires that a valid, authenticated identity or a null identity token (representing an anonymous identity) be present when requesting an access decision. The following topics provide more information on the Authorization Service.

• Authorization Process
• Authorization Service Methods

Authorization Process

The authorization process is as follows (see Figure 2-4):

Figure 2-4 Authorization and Role Mapping Process

 

The authorization process begins when the web services client calls the Web Services SSM to answer the question "Is this user allowed to perform this particular action on the specified resource?" Identity assertion token types supported include ALES cookies and signed SAML 1.1 assertions.
If the token matches a credential in the cache, the SSM sets the user identity to the internal identity representation, which includes the user identity and the list of roles the user has been granted.
If the token does not match any of the credentials in the cache, the SSM calls the Authorization Service and the Role Mapping Service to determine whether the user is authorized to access resources and to get the list of roles the user has been granted. If the user is authorized, the user identity is set to the internal identity representation, which includes the user identity and the list of roles the user has been granted.
The Authorization Service then compares the user identity to the resource security policy to determine whether the user is in a role that has been granted the access privilege that is necessary to perform the requested action on the particular resource.
If an authorization decision can not be made with the parameters included in the initial client request, the Authorization Service returns a context request to the web services client indicating which parameters are missing.
The web services client must fill in the application context with the required parameters and re-submit the request. The Web Services SSM supports six context types: StringValue, BoolValue type, DateTimeValue, TimeValue, IntValue, and IpValue.
If the authorization process fails due to parameter-related problems, an AuthorizationFailure SOAP Fault is returned to the caller.
In the absence of an error, the authorization decision that is returned to the web services client contains a clear and unambiguous true or false statement that allows or disallows access to the resource in question. A negative authorization decision is a valid result and does not result in a SOAP Fault.

For more information about the Authorization Service interface, see the WSDLdocs for Web Services Interfaces.

Authorization Service Methods

The Authorization Service supports the following methods:

• isAccessAllowed()
• isAuthenticationRequired() Method

isAccessAllowed()

This method accepts a supported type of an identity assertion token and runtime resource and action structures. Optionally, it can accept the requested identity assertion credential type, application context, and authorization direction parameters. In response, this method returns the authorization decision and authorization data, or, if required by the authorization provider, additional context requests.

Table 2-5 describes the isAccessAllowed() method parameters.

Table 2-5 isAccessAllowed() Method Parameters 

Parameter	Description	Supported Values/Types
Input Parameters
IdentityAssertion	An identity assertion token that represents the authenticated identity of the user. The token type must be supported by the ALES Credential Mapping provider; otherwise, the service returns CredentialMappingFailure to the caller.	IdentityAssertion/ ssm:IdentityAssertionType
RuntimeResource	Specifies the runtime resource that the caller is requesting.	ResourceString, AuthorityName type="ssm:Runtime ResourceType"
RuntimeAction	Specifies the runtime action that the caller is requesting.	ActionString, AuthorityName type="ssm:Runtime ActionType"
Request CredentialType	Specifies the identity assertion credential type. The type specified can be any type supported by the ALES Credential Mapping provider. The Authentication Service may also return an authentication challenge to the caller requesting other assertion token types. If the caller fails to specify an assertion token type supported by the Authentication Service even after challenges, the Authentication Service returns CredentialMappingFailure to the caller.	AssertionCredentialType/ ssm:CredentialTypeType
AppContext	Specifies the application context in which access to the resource is being requested.	ssm:"ContextRecordType" Where ssm:ContextRecordType is one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
AtzDirection	Specifies authorization direction parameters.	ALES_ONCE, ALES_POST, ALES_PRIOR type="ssm:AtzDirectionEnum"
Return Parameters
isAccessAllowed Response	Indicates whether access is allowed.	true/false type="xsd:boolean"
AtzDecisionData	Information about the access decision.	type="ssm:AtzDecisionDataType"
"ContextRequests"	Requests additional context if required by the ASI Authorization provider.	type="ssm:ContextRequestsType"

 

isAuthenticationRequired() Method

The Authorization Service interface also supports the isAuthenticationRequired() method. This method accepts a runtime resource and a runtime action. It returns a Boolean value (true or false) that indicates whether authentication is require to access this resource. The web services client uses this method to test whether privileges are required to access a particular resource.

Table 2-6 describes the isAuthenticationRequired() method parameters.

Table 2-6 isAuthenticationRequired() Method Parameters

Parameter	Description	Parameter Values/Types
Input Parameters
RuntimeResource	Specifies the runtime resource that the caller is requesting.	ResourceString, AuthorityName type="ssm:Runtime ResourceType"/
RuntimeAction	Specifies the runtime action that the caller is requesting.	ActionString, AuthorityName type="ssm:Runtime ActionType"
Return Parameter
isAuthentication RequiredResponse	Indicates whether authentication is required.	true/false type="xsd:boolean"

 

 

---

Auditing Service Interface

The Auditing Service logs events based on activity related to enterprise security. The Web Services Security Service Module (SSM) runtime uses the Auditing Service to log appropriate data when events occur. The Auditing Service is based on an event model. When something of note occurs, an auditing event is automatically logged. A user or a application that wants notification when a particular event occurs can derive a new class from the AuditRecord class.

The following topics provide more information on the Auditing Service.

• Auditing Process
• Auditing Service Method

Auditing Process

The auditing process is as follows (see Fig):

Figure 2-5 Auditing Process

 

During the auditing process, the Web Services SSM audit logging function supports automated, centralized logging of audit messages. To capture a particular event for notification purposes an auditing user can use the recordEvent() method to specify the name of the audit record to be captured, and, optionally, the identity assertion token of the auditing user, and the application context.
If the auditing provider requires application context that is not included in the recordEvent() method, the Auditing Service returns requests for additional application context.
If parameter-related audit logging failures occur, including passing in an invalid identity assertion token for the user, an AuditingFailure SOAP Fault is returned to the caller.
If no errors occur during the auditing process, an empty response is returned to the auditing user as an event notification and the audit event is logged by the auditing provider.

For more information on the Auditing Service interface and the methods it supports, see WSDLdocs for Web Services Interfaces.

Auditing Service Method

The Auditing Service passes the audit event to the Web Services SSM runtime. Based on its configuration, the SSM runtime routes the event to the proper auditing providers so that it can be recorded.

The Auditing Service supports a single method, recordEvent(). This method accepts an audit record, and, optionally, an identity assertion token, representing the auditing user, and an application context.

Table 2-7 describes the recordEvent() method parameters.

Table 2-7 recordEvent() Method Parameters

Parameter	Description	Supported Values/Types
Input Parameters
AuditRecord	Specifies the type of the audit record that encapsulates the logging information.	type="ssm:AuditRecord Type"
IdentityAssertion	An identity assertion token that represents the authenticated identity of the auditing user.	type="ssm:Identity AssertionType"
AppContext	Specifies the application context in which request for an auditing record is being made.	ssm:ContextType Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType

 

 

---

Role Mapping Service Interface

The Role Mapping Service allows an application to extract role information about specific identities and resources within the context of the application. These roles can then be used for customizing an interface or for other purposes.

Note: Do not use roles by themselves for authorization, because many policies, allowing or disallowing access to a resource, may be written against a role. Use the Authorization Service to determine actual access rights.

The Role Mapping Service evaluates an interaction of an identity with a resource within an application context and returns a list of role names associated with the configuration of that identity. These roles can change with every resource or be static for the identity across all resources. The roles assigned to an identity are determined by the security policy.

The Web Services SSM is capable of retrieving the roles that a user may have for the given resource and action combination. The user identity is passed as an identity assertion token, instead of a Java object. To obtain roles, authenticated users must be authorized to obtain their roles for the given resource/action combination.

The Role Mapping Service requires that the application pass in a valid identity, a valid resource, and a valid action. The application context is optional and may be set to null if no context is passed in.

The following topics provide more information on the Role Mapping Service.

• Role Mapping Process
• Role Mapping Service Method

Role Mapping Process

The role mapping process is as follows (see Figure 2-4):

During the role mapping process, the Web Services SSM provides a mechanism for optionally specifying the application context to support role mapping.
If parameter-related role mapping failures occur, including passing in an invalid identity assertion token for the user, a RoleMappingFailure SOAP Fault is returned to the caller.
If no errors occur during the role mapping process, a list of zero or more roles, configured in the policy for the provided user/resource/action combination, is returned to the caller. An empty list is a valid response and does not result in a SOAP Fault.

For more information on the Role Mapping Service interface and the methods it supports, see WSDLdocs for the Web Services Interfaces.

Role Mapping Service Method

The Role Mapping Service interface supports one method, getRoles(). This method gets the roles for an authenticated user identity in reference to a RuntimeResource, RuntimeAction, and an optional Context.

The getRoles() method accepts a supported type of an identity token, and, optionally, runtime resource and action structures, and an application context. It returns either a list of user roles associated for the identity and a time-to-live parameter for user roles.

Table 2-8 describes the getRoles() method parameters.

Table 2-8 getRoles Method Parameters 

Parameter	Description	Supported Values/Types
Input Parameters
IdentityAssertion	An identity assertion token that represents the authenticated identity of the user. The token type must be supported by the Role Mapping provider; otherwise, the service returns RoleMappingFailure to the caller.	IdentityAssertion type="ssm:IdentityAssertion Type"
RuntimeResource resource	Specifies the runtime resource that the caller is requesting.	ResourceString, AuthorityName type="ssm:RuntimeResource Type"
RuntimeAction action	Specifies the runtime action that the caller is requesting.	ActionString, AuthorityName type="ssm:Runtime ActionType"
AppContext	Specifies the application context in which access to the resource is being requested.	type="ssm:ContextType" Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
Return Parameters
Roles	Specifies a list roles granted to the user.	type="ssm:IdentityRoleType"
RolesTtlAdvice	Specifies time to live for user roles.	type="xsd:positiveInteger

 

 

---

Credential Mapping Service Interface

The Credential Mapping Service allows an client application to fetch credentials of certain types that are associated with a specific identity for a specific resource. These credentials can then be used on behalf of that identity to execute some privileged function, such as logging into a database or sending e-mail.

The following topics provide more information on the Credential Mapping Service.

• Credential Mapping Process
• Credential Mapping Method

Credential Mapping Process

The credential mapping process is as follows (see Figure 2-6):

Figure 2-6 Credential Mapping Process

 

The client presents a get credentials request to the Web Services SSM. The request includes a supported type of an identity assertion token and a list of requested credential types. Optionally, the request can include a runtime resource, runtime action, and an application context.
In response, the Web Services SSM returns a list of requested user credentials and identity assertion tokens or, if required by the Credential Mapping provider, additional context requests.
The Web Services SSM returns the following types of credentials in response to the client's request:
• Username/password pairs
• Signed SAML 1.1 assertions
• ALES cookies
If parameter-related credential mapping failures occur, the Web Service returns a CredentialMappingFailure SOAP Fault to the caller.
If no errors occur during the credential mapping process, the Web Services SSM returns a list of zero or more credentials that are configured in the security policy for the specified user/resource/action combination. An empty list is a valid response and does not result in a SOAP Fault. Also, if some of the requested credential types are not available for specified user/resource/action combination, a SOAP Fault does not result.

For more information on the Credential Mapping Service interface and the methods it supports, see WSDLdocs for Web Services Interfaces.

Credential Mapping Method

The Credential Mapping Service supports one method: getCredentials(). This method accepts a supported type of an identity assertion token and a list of requested credential types. Optionally, this method can accept an identity assertion token that represents the identity of a different user and a runtime resource structure, which includes the requested resource and action and the application context. In response, the getCredentials() method returns either a list of requested user credentials, identity assertion tokens, and a list of any missing credential types.

Note: Since password credentials need to be returned in clear text to the caller in order to be usable for authentication in external systems, you should pay particular attention to providing channel and message security to protect messages in transit between clients and the Web Service. At a minimum, you must use a channel security protocol, such as SSL or TLS, for all communication.

Authenticated users are always authorized to obtain their own credentials for the given resource/action combination. However, authenticated user cannot requests credentials on behalf of another user.

Credential mapping process involves issuing new types of credentials to the specified combination of user, resource, and action. The user identity is passed as an identity assertion token, instead of a Java object.

Table 2-9 describes the getCredentials() method parameters.

Table 2-9 getCredentials Method Parameters 

Parameter	Description	Supported Values/Types
Input Parameters
IdentityAssertion	An identity assertion token that represents the authenticated identity of the user. The type used must be supported by the ALES Credential Mapping provider; otherwise, the service returns CredentialMappingFailure to the caller.	IdentityAssertion ssm:"IdentityAssertion Type"
Requested CredentialTypes	Specifies a list of the types of credentials being requested. The Web Services SSM supports the following types of credentials: Username/password pairs Signed SAML 1.1 assertions ALES proprietary cookie	type="ssm:CredentialTypes Type" Any non-empty string consisting of any number of alphanumeric characters and these separators: period ("."), comma (","), and underscore ("_").
RuntimeResource	Specifies the runtime resource that the caller is requesting.	ResourceString, AuthorityName type="ssm:RuntimeResource Type"
RuntimeAction	Specifies the runtime action that the caller is requesting.	ActionString, AuthorityName type="ssm:Runtime ActionType"
AppContext	Specifies the application context in which access to the resource is being requested. Specified as a name/value pair.	ssm:"ContextType" Where ssm:ContextType can be one of the following: StringValue/string, BoolValue/boolean, DateTimeValue/dateTime, TimeValue/time, IntValue/integer IpValue/ssm:IpType
Return Parameters
MissingTypes	List of missing credential types.	type="xsd:string"
Identity Credential	List of user credentials.	type="ssm:IdentityCredentialType"
IdentityAssertion	Identity assertion tokens that represent the authenticated identity of the user.	IdentityAssertion type="ssm:IdentityAssertionType"