Sun Identity Manager 8.1 Web Services

Understanding PSOIdentifiers

SPML includes an object ID that is called a PSOIdentifier (PsoID).

OASIS SPML 2.0 specifications recommend that PsoIDs be opaque to a requestor (client). Consequently, Identity Manager uses repository IDs (repoIDs) as PsoIDs when adding PSOs to the system.

A repoID is distinct and is not meant for presentation to a user. When displaying a PSO to a user, the requestor should use the equivalent of the waveset.accountId or whatever attributes are used in the Identity template to present the object’s ID.

When identifying the PSO (as in a ModifyRequest), the requestor should use the repoID and not the waveset.accountId. Although the requestor can use the waveset.accountId as a PsoID, doing so is not recommended, and this behavior might change in a future release. Requestors should try to keep the PsoID opaque.

PSOs use an objectclass attribute to specify the object type. If this attribute is not present when a request is made, Identity Manager allows you to specify and use a “default” object class, such as SPMLUser. Internally, the objectclass value is maintained as an spml2ObjectClass attribute for users. For Identity Manager this attribute must be a user extended attribute. You might not see an spml2ObjectClass attribute for users that existed before you enabled SPML 2.0.
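
The following is an added example, not code from the Identity Manager documentation. It shows a requestor that stores the PsoID from an addResponse as an opaque string, uses waveset.accountId only for display, and targets a later modifyRequest by the stored PsoID. It assumes the SPML 2.0 DSML profile message shapes; the function names, the repoID placeholder and the email attribute are constructed for illustration.

```python
import xml.etree.ElementTree as ET

SPML = "urn:oasis:names:tc:SPML:2:0"
DSML = "urn:oasis:names:tc:DSML:2:0:core"
NS = {"spml": SPML, "dsml": DSML}

# Constructed sample addResponse; the ID is a placeholder, not a real repoID.
SAMPLE_ADD_RESPONSE = f"""
<addResponse xmlns="{SPML}" xmlns:dsml="{DSML}" status="success">
  <pso>
    <psoID ID="REPO-ID-PLACEHOLDER-0001"/>
    <data>
      <dsml:attr name="objectclass"><dsml:value>SPMLUser</dsml:value></dsml:attr>
      <dsml:attr name="waveset.accountId"><dsml:value>jdoe</dsml:value></dsml:attr>
    </data>
  </pso>
</addResponse>
"""

def parse_pso(response_xml):
    """Return (opaque_pso_id, display_name) from an addResponse (hypothetical helper)."""
    root = ET.fromstring(response_xml.strip())
    if root.get("status") != "success":
        raise ValueError("addResponse did not succeed")
    # The PsoID is kept exactly as returned: never parsed, trimmed or rebuilt.
    pso_id = root.find("spml:pso/spml:psoID", NS).get("ID")
    # The display value comes from waveset.accountId, not from the PsoID.
    display = root.findtext(
        "spml:pso/spml:data/dsml:attr[@name='waveset.accountId']/dsml:value",
        namespaces=NS)
    return pso_id, display

def build_modify_request(pso_id, attr, value):
    """Build a modifyRequest that identifies the PSO by its stored PsoID."""
    ET.register_namespace("", SPML)
    ET.register_namespace("dsml", DSML)
    req = ET.Element(f"{{{SPML}}}modifyRequest")
    # ElementTree escapes the attribute value, so any PsoID round-trips intact.
    ET.SubElement(req, f"{{{SPML}}}psoID", {"ID": pso_id})
    mod = ET.SubElement(req, f"{{{SPML}}}modification")
    dmod = ET.SubElement(mod, f"{{{DSML}}}modification",
                         {"name": attr, "operation": "replace"})
    ET.SubElement(dmod, f"{{{DSML}}}value").text = value
    return ET.tostring(req, encoding="unicode")
```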