45.7 Managing TokenServiceRP Type Resources

A Security Token Service Relying Party Partner defined in the Security Token Service Partner Store is represented by the resource of type TokenServiceRP.

A Token Issuance Policy defines the rules under which a token can be issued for a resource (Relying Party Partner) based on the client's identity, with the client either being a Requester Partner or an end user. When issuing a token, Security Token Service will determine for which Relying Party that token is created, and it will then evaluate if the client is authorized to request the token for that Relying Party.

Note:

To issue a token, a Token Issuance Policy must be created with the resource involved in the operation and, possibly, with a condition. At run time if the policy evaluation is successful, the token will be issued.

The resource(s) in a policy can be:

  • A TokenServiceRP type resource, which represents, and is based on, a Token Service Relying Party (required for Mobile and Social REST clients).

    See Also:

    Managing Oracle Access Management Mobile and Social for details about Configuring Access Manager for Mobile and Social Authentication Service

  • The pre-existing UnknownRP resource, which is needed when Security Token Service is not able to map the Service URL referenced in the AppliesTo element of the WS-Trust request to a Security Token Service Relying Party Partner entry.

  • The pre-existing MissingRP resource, which is needed when the AppliesTo element of the WS-Trust request is missing.

Note:

Both the MissingRP and UnknownRP are defined in the IAM Suite Application Domain.
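The resource selection described above can be sketched as follows. This is an added example, not Oracle's implementation: the partner store contents, the longest-prefix mapping rule, and the names `applies_to_address`, `policy_resource` and `make_rst` are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Standard namespace URIs (WS-Trust 1.3, WS-Policy, WS-Addressing).
NS = {
    "wst": "http://docs.oasis-open.org/ws-sx/ws-trust/200512",
    "wsp": "http://schemas.xmlsoap.org/ws/2004/09/policy",
    "wsa": "http://www.w3.org/2005/08/addressing",
}

# Constructed partner store: service URL prefix -> Relying Party Partner ID.
PARTNER_STORE = {
    "https://orders.example.com/ws/": "OrdersRP",
    "https://orders.example.com/ws/admin/": "OrdersAdminRP",
}


def applies_to_address(rst_xml):
    """Return the AppliesTo address of an RST, or None if AppliesTo is absent."""
    # Token requests have no need for DTDs; refuse them before parsing.
    if "<!DOCTYPE" in rst_xml:
        raise ValueError("DTDs are not accepted in token requests")
    root = ET.fromstring(rst_xml)
    applies = root.find(".//wsp:AppliesTo", NS)
    if applies is None:
        return None
    return applies.findtext("wsa:EndpointReference/wsa:Address", "", NS).strip()


def policy_resource(rst_xml, store=PARTNER_STORE):
    """Name the TokenServiceRP resource whose issuance policy applies."""
    url = applies_to_address(rst_xml)
    if url is None:
        return "TokenServiceRP:MissingRP"
    # Assumed mapping rule: the longest matching URL prefix wins.
    matches = [prefix for prefix in store if url.startswith(prefix)]
    if not matches:
        return "TokenServiceRP:UnknownRP"
    return "TokenServiceRP:" + store[max(matches, key=len)]


def make_rst(address=None):
    """Build a constructed, minimal RST, with or without AppliesTo."""
    applies = ""
    if address is not None:
        applies = ('<wsp:AppliesTo xmlns:wsp="%s"><wsa:EndpointReference xmlns:wsa="%s">'
                   '<wsa:Address>%s</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>'
                   % (NS["wsp"], NS["wsa"], address))
    return ('<wst:RequestSecurityToken xmlns:wst="%s">%s</wst:RequestSecurityToken>'
            % (NS["wst"], applies))
```

Because every request without a mappable AppliesTo falls through to MissingRP or UnknownRP, the issuance policies attached to those two resources decide what such requests receive and should be reviewed with the same care as per-partner policies.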

A resource of type TokenServiceRP (Figure 45-14) represents a Security Token Service Relying Party Partner defined in the Security Token Service Partner Store.

Figure 45-14 Pre-defined Resource Type: TokenServiceRP


Resources of type TokenServiceRP are used in Token Issuance Policies, which are evaluated when Security Token Service issues tokens at run time. This is a predefined resource type, which cannot be deleted. However, additional operations can be created, edited or deleted as needed. Predefined operations are shown with a lock icon.

See the following topics for more information:

45.7.1 About Managing TokenServiceRP Type Resources in Access Manager

When TokenServiceRP is used as the Resource Type search criterion, the search returns all resources of that type in a domain, including the resources provided out of the box.

Use the Search controls for the Application Domain to locate resources of a specific type in that domain. With Resource Type TokenServiceRP as the search criterion, the Search Results table lists all resources of this type in the Application Domain.

Figure 45-15 shows the search controls for the IAM Suite resources.

Figure 45-15 Search: Resource Type TokenServiceRP in Application Domain


The TokenServiceRP resources in this domain include those provided out of the box and described earlier:

  • UnknownRP resource

  • MissingRP resource

45.7.2 Managing TokenServiceRP Type Resources in Application Domains

Users with valid Administrator credentials can add TokenServiceRP resources to an Application Domain.

Note:

  • If AppliesTo is present in the RST but the requester could not be mapped, use the TokenServiceRP:UnknownRP resource.

  • If AppliesTo is not present, use TokenServiceRP:MissingRP; otherwise, select the appropriate resource.

See About Managing TokenServiceRP Type Resources in Access Manager.

To manage TokenServiceRP Resources:

  1. Locate the desired Application Domain.

    See Searching for an Existing Application Domain.

  2. Add TokenServiceRP Resource to the Application Domain:

    1. Click the New Resource button on the Application Domain Search page.

    2. Specify the Resource Type as TokenServiceRP.

    3. Enter a Resource URL that is the Relying Party ID for which the token issuance policy will be defined.

    4. Click the Apply button at the top of the page to submit this and dismiss the confirmation window.

      See Defining Resources in an Application Domain.

  3. Find TokenServiceRP Resources:

    1. In the desired Application Domain, open the Resources tab to display the Search controls.

    2. From the Resource Type, choose TokenServiceRP, and click Search.

    3. Review the Search Results table and click a name to open the Resource Definition.