45.6 Managing Token Issuance Policies, Conditions, and Rules

Token issuance policy includes the following topics:

45.6.1 About Token Issuance Policies

A Token Issuance Policy defines the rules under which a token can be issued for a resource (Relying Party Partner) based on the client's identity, with the client either being a Requester Partner or an end user.

If a Requester is NOT present, it is assumed that the User (represented by the on-behalf-of (OBO) token or WSS Token) is trying to access the RelyingParty.

When issuing a token, Security Token Service will determine for which Relying Party that token is created, and it will then evaluate if the client is authorized to request the token for that Relying Party. In order to issue a token, a Token Issuance Policy must be created with the resource involved in the operation, and with possibly a condition. At runtime if the policy evaluation is successful, the token will be issued.

You can add Conditions, Rules, and Responses to this Token Issuance Policy.

45.6.2 About Managing Token Issuance Conditions and Rules

The Token Issuance Policy allows the Administrator to define conditions along with "Allow" and "Deny" rules for the policy.

Each Token Issuance Policy can contain one or more conditions, and rules that determine whether access to the requested resource should be granted or denied:

  • An Allow type rule specifies who is authorized to access a protected resource.

    Only partners and users listed in the Condition are granted access; everyone else is denied access to the resource.

  • A Deny type rule specifies explicitly who is denied access to the protected resource.

    Only partners and users listed in the Condition are denied access; everyone else is granted access to the resource.


When adding User conditions, the identity store from which the users are to be chosen can be selected from a list. Ensure that you choose the Default User Identity Store, which is the only one used by Security Token Service.

Managing Token Issuance Conditions is similar to managing Authorization Conditions and Rules.

See Figure 45-4 shows the Conditions tab of a Token Issuance Policy.

Figure 45-13 Token Issuance Policies and Conditions

Description of Figure 45-13 follows
Description of "Figure 45-13 Token Issuance Policies and Conditions"

Table 45-13 describes the Token Issuance Condition requirements.

See Also:

Managing Oracle Access Management Mobile and Social for details about Adding a Token Issuance Policy for Mobile and Social Authentication Service

Table 45-13 Conditions tab: Token Issuance Policy

Element Description

Summary tab



A unique name for this Token Issuance Policy.



Conditions tab

Table 25-11 describes elements and controls on the Conditions tab.


Only Token Requester Identity is allowed for Token Issuance Policy conditions. You choose this in the Add Condition dialog box.

Rules tab

Table 25-22 describes the elements and controls on the Rules tab for Simple Mode evaluations.

Table 25-23 describes the elements on the Rule tab in Expression mode.

Condition Details



Choose from the following populations:

  • Add Identities: This choice opens a Search window where you can set the Store Name, Choose an Entity Type (All, User, or Group), and Provide an Entity Name. You then choose one or more results from those listed and click Add Selected to populate the condition.

  • Add Partners: This choice opens a Search window where you can locate specific partners to populate the condition. Enter your search criteria (or click the arrow key beside the field to find all partners), then choose one or more results and click Add Selected to populate the condition.

Entity Name

The name of the User or Group, as defined in the selected User Identity Store.

Entity Type

The type of entity you want to locate during a search to add identifies to the condition: User, or Group.

Store Name

Choose the name of the User Identity Store to search for users or groups to populate the condition. Remember, Security Token Service uses only the Default Identity Store.

45.6.3 Managing Token Issuance Policies and Conditions

Users with valid Administrator credentials can add a Token Issuance Policy and Conditions to an Application Domain.

When you add resources to this policy, you may want to add the UnknownRP and MissingRP resources.

You need to meet the following prerequisites and perform the following task: Prerequisites for Managing Token Issuance Policies and Conditions

You must have already configured the Application Domain before you start to add a Token Issuance policy.


You can add Token Issuance Policies to the IAM Suite Application Domain. Managing Token Issuance Policies and Conditions

After creating a Token Issuance Policy, you can add resources, conditions, condition details, and rules to the policy.

To manage Token Issuance policies and conditions:

  1. Locate the desired domain.

    See Searching for an Existing Application Domain.

  2. On the individual Application Domain page, select the Token Issuance Policies tab.

  3. Create a Token Issuance Policy:

    1. In the desired domain, click the Token Issuance Policies tab and then click the Create Token Issuance Policy button to open a fresh page.

    2. On the Summary page, enter a unique name and optional description.

  4. Add Resources: This step presumes that the resource has been defined in the Application Domain and is ready to be added to policies.

    1. Click the Resources tab.

    2. Click Add (+).

    3. Click the Search button to display a list of defined resources you can add.

    4. Click the desired resource in the results table, then click Add Selected.

    5. Repeat as needed to add any other resources to this policy.

  5. Add Conditions to a Policy: The only types available are Token Requester Identity or True.

    1. Click the Conditions tab, then click the Add button on the Conditions tab to display the Add Condition window.

    2. Enter a unique name for this condition in the dialog box.

    3. Choose Token Requester Identity from the Type list.

    4. Click Add Selected.

    5. Proceed with Step 5 to add details for Token Requestor Identity. Otherwise, skip to Step 6.

  6. Add Conditions Details:

    1. Click the Condition name to display Conditions: Details.

    2. From the Selected Identities table, click the Add button and choose either:

      Add Partners: In the Search field, enter criteria (or click the arrow key beside the field to find all partners); click one or more results then click Add Selected to populate the condition.

      Add Identities: Select the Store Name, select the desired Identity Type, enter search criteria and click the Search button; choose one or more results and click Add Selected to populate the condition.

    3. Click the Save button on the Condition Details panel.

  7. Add Rules: Perform these steps to Allow or Deny access based on your Conditions.

    1. Click the Rules tab.

    2. Check the Rule Mode: Simple or Expression.

    3. Expression Mode: Build your expression by entering operators and choosing and inserting conditions..

      See Table 25-24.

      See Table 25-23.

    4. Simple Mode: Click to Match either All or Any of the selected conditions, then using arrows for Allow (or Deny) Rule, move desired conditions from the Available Conditions column into the Selected Conditions column.

  8. Click Apply and then close the Confirmation window.

  9. Find (or Add) TokenServiceRP Resources in the Application Domain:

    See Managing TokenServiceRP Type Resources.