Understanding the Tivoli Federated Identity Manager Information Service 6.2

Developing and using a Web services Client for querying federation, federated user and user alias information

IBM® Tivoli® Federated Identity Manager 6.2 (TFIM) provides a Web service interface designed to obtain federation, federated user, and user alias information from a TFIM environment. This Web service is known as the TFIM Information Service. This article shows how to create a Web service client from the interface using Rational® Application Developer 7.0 and also contains a sample application which uses the newly created Web service client to query federation, federated user and user alias information.

Shane B. Weeden, Senior Software Engineer, IBM Tivoli

Shane Weeden is a senior software engineer with the IBM Tivoli Federated Identity Manager development team. He has worked in IT security since 1992, and since 2000 has been working with Tivoli Security products including Tivoli Access Manager for eBusiness and Tivoli Federated Identity Manager. Shane now divides his time between customer-focused engagements and core product development activities. He holds a Bachelor of Information Technology from the University of Queensland in Australia.



Simon Canning (scanning@au1.ibm.com), Software Engineer, IBM

Simon Canning is a Software Engineer in the Tivoli Security Integration Factory Team based on the Gold Coast, Australia. In this role, Simon is part of the Tivoli Access Manager Integration development team and has been involved in developing and maintaining IBM integration solutions with leading software companies, including Microsoft, Oracle, Siebel and PeopleSoft. Simon holds a Bachelor of Computer Systems Engineering from the Queensland University of Technology.



18 September 2008

What is the Tivoli Federated Identity Manager Information Service?

Tivoli Federated Identity Manager (TFIM) provides an interface, in the form of a Web service, to query federation, federated user and user alias information. The TFIM Information Service can be used to discover information such as:

  • The set of configured federations and their endpoints.
  • The set of partner configurations for a federation and associated endpoints.
  • Whether or not a user has a configured alias in a particular federation (for federations and applications which utilize the alias service).
  • The set of aliases for a user in a particular federation context.

In TFIM 6.2, the Web Services Description Language (WSDL) document that defines the interface is the supported integration point. This WSDL document, called fiminfo.wsdl, can be found in the deployed application directory of the WebSphere® profile where the TFIM Runtime is deployed, at:
<WebSphere_installedApps_root>/ITFIMRuntime.ear/com.tivoli.am.fim.war.infoservice.war/WEB-INF/wsdl/fiminfo.wsdl. You will need to obtain this WSDL file to use the techniques shown in this article.

The TFIM information service provides two endpoints. The first endpoint, known as the InfoServiceXML endpoint, returns an XML document for all configured federations and partners. Data from this endpoint is used by the TFIM ivtapp to render the federations page and can be accessed using a Web browser or other HTTP user agent. The endpoint can be found at http://fim_host:fim_port/Info/InfoServiceXML.

The second endpoint, known as the InfoService endpoint, is a SOAP endpoint for the information service WSDL. This endpoint will be the main focus of this article and can be found at http://fim_host:fim_port/Info/InfoService.


Why is the Tivoli Federated Identity Manager Information Service useful?

Typically an application might use the Information Service to dynamically display links for a user to click, in particular federation links that might vary depending on which partners are configured, and whether or not the user is currently federated with a particular partner. Federated User information is particularly relevant for Liberty and SAML 2.0 federations which utilize aliases for name identifiers.

The ability to query aliases for a user from the alias service is particularly useful for user-centric identity scenarios (such as Information Card and OpenID relying-party configurations) where the alias service is being used to store mappings from user-centric identities to user accounts. This may also apply to other applications and federation types that use the TFIM alias service via the com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils APIs.


TFIM Information Service interface description

The TFIM Information Service interface provides three entry points for querying the federation, federated user and user alias information within a TFIM environment. The first two, the federationsQuery and federatedUserInfoQuery Web service methods, have been supported since TFIM 6.0. The third, userAliasInfoQuery, was added in TFIM 6.2 fixpack 1 to address limitations in querying multiple user aliases in the same federation context.

federationsQuery

The federationsQuery Web service method is used to query information on federations. A call to this Web service method returns a FederationsQueryResult element. This element contains the number of federations and, for each federation, information such as the federation name, the federation ID, the federation protocol, the path to the single sign-on protocol service (SPS) for the federation, the number of partners the federation has, information about each partner entity and information about the federation's own (self) entity. This method requires the completeResultsLimit value to be set in the request. If no limit is required, set it to -1 before performing the query.

federatedUserInfoQuery

The federatedUserInfoQuery Web service method is used to query information on users and their entries in the alias service, for federation types such as Liberty and SAML 2.0 that use the alias service for federated accounts. A call to this Web service method returns a FederatedUserInfoQueryResult element. The FederatedUserInfoQueryResult element contains a flag indicating whether the user was found to be federated, and alias information such as the user's self/partner/old alias(es), if they exist. Note that although the alias service permits more than one alias of each type to be stored per partner, this Information Service method currently returns at most one alias of each type per partner. The Liberty and SAML 2.0 protocols use at most one alias of each type per partner, so this is a suitable method for those federation types to determine whether a user is federated with a particular partner. This method requires the username to be set before issuing the request. A list of partner ids may also be specified; if it is absent, the federation ids of all existing federations are used. For performance reasons it is recommended that you supply the list of partner ids in the request if known.

userAliasInfoQuery

The userAliasInfoQuery Web service method was introduced in TFIM 6.2 fixpack 1 and is used to query information on users and their aliases in the alias service. A call to this Web service method returns a UserAliasInfoQueryResult element, which contains the user's self/partner/old alias(es), if they exist. Unlike federatedUserInfoQuery, this method can return several aliases of each type, up to a supplied result limit (completeResultsLimit); if no result limit is specified, all aliases are returned. The caller can also specify which alias types (from SELF, PARTNER and OLD) to return by including an alias type list in the request. This method requires the username parameter to be set in the request object before the request is issued. A list of partner ids (also known as federation context ids in the IDMappingExtUtils utility functions) can also be specified; if it is absent, the list consists of the federation ids of all configured federations. Again, it is recommended that the partner ids be supplied if known. Supplying the partner ids is required for user-centric identity account alias scenarios, because the federation context id supplied to the IDMappingExtUtils utility functions will not match a configured federation id.


Security of the TFIM Information Service interface

In a typical production environment, the Information Service interface should not be exposed to end users. The interface is an information disclosure risk if reachable by untrusted callers: the InfoServiceXML endpoint lists every configured federation and partner endpoint, and the user queries accept any userId, so a caller could enumerate which accounts are federated with which partners and under which aliases. If using Tivoli Access Manager (TAM), the Information Service URL endpoints can be protected with TAM ACLs to ensure that only clients that have authenticated appropriately via TAM can access them.

With or without TAM as the point of contact, you can also use J2EE™ container security constraints to protect access to the Information Service endpoints. The Information Service Web application defines a required role called FIMAdministrator for access to the two URL endpoints in the service. If WebSphere security is enabled, user groups can be assigned to the FIMAdministrator role and only users in the role will be able to access the Information Service endpoints. Mapping unauthenticated users (Everyone) to the role is possible, but it removes this protection entirely and is only appropriate in an isolated development environment. Clients should also use the HTTPS endpoint in production so that credentials, user ids and aliases are not sent in the clear.


Developing a TFIM Information Service client using Rational Application Developer

In order to use the Information Service in TFIM 6.2, a Web service client needs to be created from the information service WSDL document provided. Rational Application Developer (RAD) provides the ability to generate a Java™ implementation of the Web service client using WebSphere bindings. Eclipse can also be used to generate a Web services client, typically with Axis bindings. Our example will use Rational Application Developer.

Perform the following steps to create the Web service client:

  1. Copy the information service WSDL (fiminfo.wsdl) from the TFIM server into a temporary directory on the Rational Application Developer machine. The WSDL can be found in the following directory:

    <WebSphere_installedApps_root>/ITFIMRuntime.ear/com.tivoli.am.fim.war.infoservice.war/WEB-INF/wsdl/fiminfo.wsdl

  2. Copy the following JAR files from the TFIM server's plugins directory into a temporary directory on the Rational Application Developer machine. The plugins directory can be found at <FIM_install_root>/plugins.
    • org.eclipse.equinox.common_*.jar
    • org.eclipse.equinox.registry_*.jar
    • org.eclipse.core.runtime_*.jar
    • org.eclipse.osgi_*.jar
    • com.ibm.ws.bootstrap_*.jar

    where * denotes the version number of the file based on your TFIM installation.

  3. Open Rational Application Developer and select File --> New --> Other... The New wizard opens, as shown in Figure 1:
    Figure 1. New project wizard
    New Project Wizard
  4. In the Wizards: filter field type Web Service Client, then select Web Service Client and click Next, as shown in Figure 2:
    Figure 2. Project wizard - Web service client
    Project Wizard - Web Service Client
  5. In the Service definition field, enter the path to your WSDL as a URI. Click the Client project link and enter an appropriate project name. Click Ok and then click Next, as shown in Figure 3:
    Figure 3. Project wizard - Web service definition
    Project Wizard - Web Service Definition
  6. Check Define custom mapping for namespace to package and click Next, as shown in Figure 4:
    Figure 4. Project wizard - Web service proxy page
    Project Wizard - Web Service Proxy Page
  7. The namespace to package mapping screen is displayed. Click Add, as shown in Figure 5.
  8. In the Namespace field type urn:ibm:names:ITFIM:info:1.0 and in the Package field type com.tivoli.am.fim.infoservice.wsdl.client, as shown in Figure 5:
    Figure 5. Project wizard - client namespace to package mapping
    Project Wizard - Client namespace to package mapping
  9. Click Finish.

RAD will generate classes from the WSDL which can be used to create an information service client application.


Create a sample application to utilize the information service client

Now that RAD has created a Web service client from the WSDL, a client application can be written to utilize it. The following outlines the steps to create a sample application.

  1. Click File --> New --> Package.
  2. In the Source Folder: field enter com.tivoli.am.fim.infoservice.wsdl.client/src. In the Name: field enter com.tivoli.am.fim.infoservice.wsdl.client.demo, as shown in Figure 6:
    Figure 6. New Java package
    New Java Package
  3. Click Finish.
  4. Right click on the project and select Properties.
  5. Select the Java Build Path option from the list on the left hand side.
  6. Click the Libraries tab.
  7. Click Add External JARs...
  8. Browse to the temporary folder where the JARs were copied from the TFIM environment.
  9. Select the following files and click Open.
    • org.eclipse.equinox.common_*.jar
    • org.eclipse.equinox.registry_*.jar
    • org.eclipse.core.runtime_*.jar
    • org.eclipse.osgi_*.jar
    • com.ibm.ws.bootstrap_*.jar
    where * denotes the version number. The selected files should now appear as JAR files on the build path, as shown in Figure 7:
    Figure 7. Java build path
    Java Build Path
  10. Create a new class called Main.java in the com.tivoli.am.fim.infoservice.wsdl.client.demo package with a public static void main method.

Sample Application

The sample application presented in Listing 1 demonstrates how to use the generated Web service client to print out federation and federated user information. The sample application contains four tests.

  1. The first test generates a query for all federations and if successful, prints out the federation information.
  2. The second test generates a query to find a specific user in a specific named federation and if the query is successful, prints out the federated user information.
  3. The third test generates a query to find every self alias for a specific user in a specific named federation and if successful, prints out the user alias information.
  4. The fourth test generates a query to find a maximum of two of each self, old and partner aliases for a specific user in a specific named federation and if successful, prints out the user alias information.
Listing 1. Sample Application
package com.tivoli.am.fim.infoservice.wsdl.client.demo;

import java.rmi.RemoteException;

import com.tivoli.am.fim.infoservice.wsdl.client.EndpointType;
import com.tivoli.am.fim.infoservice.wsdl.client.FIMInfoPortTypeProxy;
import com.tivoli.am.fim.infoservice.wsdl.client.FederatedUserInfoQueryResultType;
import com.tivoli.am.fim.infoservice.wsdl.client.FederatedUserInfoQueryType;
import com.tivoli.am.fim.infoservice.wsdl.client.FederatedUserInfoType;
import com.tivoli.am.fim.infoservice.wsdl.client.FederationEntityInfoType;
import com.tivoli.am.fim.infoservice.wsdl.client.FederationInfoType;
import com.tivoli.am.fim.infoservice.wsdl.client.FederationsQueryResultType;
import com.tivoli.am.fim.infoservice.wsdl.client.FederationsQueryType;
import com.tivoli.am.fim.infoservice.wsdl.client.UserAliasInfoQueryResultType;
import com.tivoli.am.fim.infoservice.wsdl.client.UserAliasInfoQueryType;
import com.tivoli.am.fim.infoservice.wsdl.client.UserAliasInfoType;
import com.tivoli.am.fim.infoservice.wsdl.client.UserAliasListType;

public class Main {

  static final String ALIAS_TYPE_SELF = "SELF";

  static final String ALIAS_TYPE_PARTNER = "PARTNER";

  static final String ALIAS_TYPE_OLD = "OLD";

  public static void main(String[] args) {

    // Plain HTTP is acceptable for a local test server only; in production
    // use the HTTPS endpoint so credentials and alias data are not sent in
    // the clear.
    String endpoint = "http://localhost:9080/Info/InfoService";

    // Turn on host name verification before the proxy opens any SSL
    // connection. The property only has an effect for https endpoints.
    System.setProperty("com.ibm.ssl.performURLHostNameVerification", "true");

    FIMInfoPortTypeProxy fimClient = new FIMInfoPortTypeProxy();
    fimClient.setEndpoint(endpoint);

    /*
     * First test is a dump of all federations
     */
    FederationsQueryType fedsQuery = new FederationsQueryType();
    fedsQuery.setCompleteResultsLimit(new Integer(-1));
    fedsQuery.setFederationDisplayNames(null);
    fedsQuery.setFederationIds(null);

    FederationsQueryResultType fedsQueryResult = null;
    try {
      fedsQueryResult = fimClient.federationsQuery(fedsQuery);
    } catch (RemoteException e) {
      // Include the fault detail; a bare message hides SOAP faults and
      // authentication failures from the operator.
      System.err.println("RemoteException occurred performing the"
        + " federation query: " + e.getMessage());
    }

    if (fedsQueryResult != null) {
      System.out.println(" **************" + " FederationQueryResult "
        + "*************");
      dumpFederationsQueryResult(fedsQueryResult);
      System.out.println(" **************"
        + " End FederationQueryResult " + "*************");
    }

    /*
     * Second test is if the user is in a particular named federations
     */
    String userId = "simoncanning";
    String[] partnerIds = new String[] { "myfedctx" };

    FederatedUserInfoQueryType fedUserQuery = new FederatedUserInfoQueryType();
    fedUserQuery.setUserId(userId);
    fedUserQuery.setPartnerIds(partnerIds);

    FederatedUserInfoQueryResultType fedUserQueryResult = null;
    try {
      fedUserQueryResult = fimClient.federatedUserInfoQuery(fedUserQuery);
    } catch (RemoteException e) {
      System.err.println("RemoteException occurred performing the"
        + " federated user info query: " + e.getMessage());
    }

    if (fedUserQueryResult != null) {
      System.out.println(" **************"
        + " FederatedUserInfoQueryResult " + "*************");
      dumpFederatedUserInfoQueryResult(fedUserQueryResult);
      System.out.println(" **************"
        + " End FederatedUserInfoQueryResult " + "*************");
    }

    /*
     * Third test is to get all self aliases for a particular user in
     * federations
     */
    UserAliasInfoQueryType userAliasInfoQueryRequest1 = new UserAliasInfoQueryType();
    userAliasInfoQueryRequest1.setUserId(userId);
    userAliasInfoQueryRequest1.setPartnerIds(partnerIds);

    String[] aliasTypeFilterList1 = new String[] { ALIAS_TYPE_SELF };
    userAliasInfoQueryRequest1.setAliasTypeFilterList(aliasTypeFilterList1);

    UserAliasInfoQueryResultType userAliasQueryResult1 = null;
    try {
      userAliasQueryResult1 = fimClient.userAliasInfoQuery(userAliasInfoQueryRequest1);
    } catch (RemoteException e) {
      System.err.println("RemoteException occurred performing the"
        + " first user alias info query: " + e.getMessage());
    }

    if (userAliasQueryResult1 != null) {
      System.out.println(" **************" + " UserAliasInfoQueryResult1 "
        + "*************");
      dumpUserAliasInfoQueryResult(userAliasQueryResult1);
      System.out.println(" **************"
        + " End UserAliasInfoQueryResult1 " + "*************");
    }

    /*
     * Fourth test is to get aliases for a particular user in
     * federations but limit to returning a maximum of 2 aliases per type
     */
    UserAliasInfoQueryType userAliasInfoQueryRequest2 = new UserAliasInfoQueryType();
    userAliasInfoQueryRequest2.setUserId(userId);
    userAliasInfoQueryRequest2.setPartnerIds(partnerIds);
    userAliasInfoQueryRequest2.setCompleteResultsLimit(new Integer(2));

    UserAliasInfoQueryResultType userAliasQueryResult2 = null;
    try {
      userAliasQueryResult2 = fimClient
        .userAliasInfoQuery(userAliasInfoQueryRequest2);
    } catch (RemoteException e) {
      System.err.println("RemoteException occurred performing the"
        + " second user alias info query: " + e.getMessage());
    }

    if (userAliasQueryResult2 != null) {
      System.out.println(" **************" + " UserAliasInfoQueryResult2 "
        + "*************");
      dumpUserAliasInfoQueryResult(userAliasQueryResult2);
      System.out.println(" **************"
        + " End UserAliasInfoQueryResult2 " + "*************");
    }
  }

  static void dumpFederationsQueryResult(
    FederationsQueryResultType fedsQueryResult) {

    System.out.println("Number of FIM federations: "
      + fedsQueryResult.getNumFIMFederations());

    FederationInfoType[] fedInfoArray = fedsQueryResult
      .getFederationInfos();
    for (int i = 0; i < fedInfoArray.length; i++) {
      FederationInfoType fedInfo = fedInfoArray[i];
      System.out.println("[" + fedInfo.getDisplayName() + "]: {");
      dumpFederationInfo(fedInfo);
      System.out.println("}");
    }
  }

  static void dumpFederationInfo(FederationInfoType fedInfo) {
    System.out.println("  Id: " + fedInfo.getId());
    System.out.println("  Display Name: " + fedInfo.getDisplayName());
    System.out.println("  Protocol: " + fedInfo.getProtocol());
    System.out.println("  Path to SPS: " + fedInfo.getPathToSps());
    System.out.println("  Self Entity: {");
    dumpFederationEntityInfo(fedInfo.getSelf().getFederationEntityInfo());
    System.out.println("  }");
    FederationEntityInfoType[] partners = fedInfo.getPartners();
    System.out.println("  Number of partners: "
      + (partners == null ? 0 : partners.length));
    if (partners != null && partners.length > 0) {
      for (int i = 0; i < partners.length; i++) {
        System.out.println("  Partner[" + i + "]: {");
        dumpFederationEntityInfo(partners[i]);
        System.out.println("  }");
      }
    }
  }

  static void dumpFederationEntityInfo(FederationEntityInfoType fedEntityInfo) {
    System.out.println("    Display Name: "
      + fedEntityInfo.getDisplayName());
    System.out.println("    ProtocolId: " + fedEntityInfo.getProtocolId());
    System.out.println("    Role: " + fedEntityInfo.getRole());
    System.out.println("    Endpoints: {");
    EndpointType[] endpoints = fedEntityInfo.getEndpoints();
    if (endpoints != null && endpoints.length > 0) {

      for (int i = 0; i < endpoints.length; i++) {
        System.out.println("      Endpoint[" + endpoints[i].getType()
          + "]: {");
        dumpEndpoint(endpoints[i]);
        System.out.println("      }");
      }
    }
    System.out.println("    }");
  }

  static void dumpEndpoint(EndpointType endpoint) {
    System.out.println("        Type: " + endpoint.getType());
    System.out.println("        Location: " + endpoint.getValue());
  }

  static void dumpFederatedUserInfoQueryResult(
    FederatedUserInfoQueryResultType fedUserQueryResult) {
    System.out.println("isFound: " + fedUserQueryResult.isFound());
    FederatedUserInfoType[] fedUsersInfo = fedUserQueryResult
      .getFederatedUserInfos();
    System.out.println("Number of Partners: " + fedUsersInfo.length);

    for (int i = 0; i < fedUsersInfo.length; i++) {
      String partnerId = fedUsersInfo[i].getPartnerId();
      System.out.println("  Partner[" + partnerId + "]: {");
      dumpFederatedUserInfo(fedUsersInfo[i]);
      System.out.println("  }");
    }
  }

  static void dumpFederatedUserInfo(FederatedUserInfoType fedUserInfo) {
    System.out.println("    IsFederated: " + fedUserInfo.isFederated());
    System.out.println("    Self Alias: " + fedUserInfo.getSelfAlias());
    System.out.println("    Partner Alias: "
      + fedUserInfo.getPartnerAlias());
    System.out.println("    Old Alias: " + fedUserInfo.getOldAlias());
  }

  static void dumpUserAliasInfoQueryResult(
    UserAliasInfoQueryResultType userAliasQueryResult) {

    UserAliasInfoType[] usersAliasInfo = userAliasQueryResult
      .getUserAliasInfos();
    System.out.println("Number of Partners: " + usersAliasInfo.length);

    for (int i = 0; i < usersAliasInfo.length; i++) {
      String partnerId = usersAliasInfo[i].getPartnerId();
      System.out.println("  Partner[" + partnerId + "]: {");
      dumpUserAliasInfo(usersAliasInfo[i]);
      System.out.println("  }");
    }
  }

  static void dumpUserAliasInfo(UserAliasInfoType userAliasInfo) {

    UserAliasListType[] ual = userAliasInfo.getAliasLists();
    for (int i = 0; i < ual.length; i++) {
      String type = ual[i].getType();
      String[] userAliases = ual[i].getUserAlias();
      if (type != null && userAliases != null &&
        userAliases.length > 0) {
        dumpUserAliasesOfType(type, userAliases);
      }
    }
  }

  static void dumpUserAliasesOfType(String type, String[] aliases) {
    if (aliases != null && aliases.length > 0) {
      System.out.print("    " + type + " Aliases: {");
      for (int i = 0; i < aliases.length; i++) {
        System.out.print(aliases[i]);
        if (i < aliases.length - 1) {
          System.out.print(", ");
        }
      }
      System.out.println("}");
    }
  }
}

Sample Application Output

The following listing contains the output from the sample application above. The server queried has two OpenID federations configured (an identity provider and a service provider), and the user simoncanning has multiple self and partner aliases stored under the federation context myfedctx, including the self alias selfAlias1. No old aliases are stored for this user.

Listing 2. Sample application output
 ************** FederationQueryResult *************
Number of FIM federations: 2
[OpenIdIdp]: {
  Id: uuidbdc0782f-011a-1106-af91-c2c4fd12f8eb
  Display Name: OpenIdIdp
  Protocol: OpenID
  Path to SPS: https://www.ibmidentitydemo.com/FIM/sps
  Self Entity: {
    Display Name: ibm
    ProtocolId: https://www.ibmidentitydemo.com/FIM/sps/OpenIdIdp/openid
    Role: ip
    Endpoints: {
      Endpoint[OPENID.IPSiteManagerEndpoint]: {
        Type: OPENID.IPSiteManagerEndpoint
        Location: https://www.ibmidentitydemo.com/FIM/sps/OpenIdIdp/openid/sites
      }
      Endpoint[OPENID.IPAuthnEndpoint]: {
        Type: OPENID.IPAuthnEndpoint
        Location: https://www.ibmidentitydemo.com/FIM/sps/OpenIdIdp/openid/authn
      }
      Endpoint[OPENID.IPSSOEndpoint]: {
        Type: OPENID.IPSSOEndpoint
        Location: https://www.ibmidentitydemo.com/FIM/sps/OpenIdIdp/openid/sso
      }
    }
  }
  Number of partners: 1
  Partner[0]: {
    Display Name: ibm
    ProtocolId: *
    Role: sp
    Endpoints: {
    }
  }
}
[OpenIdSp]: {
  Id: uuidba34a150-011b-1253-847b-8415768961ec
  Display Name: OpenIdSp
  Protocol: OpenID
  Path to SPS: https://www.ibmidentitydemo.com/FIM/sps
  Self Entity: {
    Display Name: IBM
    ProtocolId: https://www.ibmidentitydemo.com/FIM/sps/OpenIdSp/openid
    Role: sp
    Endpoints: {
      Endpoint[OPENID.SPLoginReturnEndpoint]: {
        Type: OPENID.SPLoginReturnEndpoint
        Location: https://www.ibmidentitydemo.com/FIM/sps/OpenIdSp/openid/loginreturn
      }
      Endpoint[OPENID.SPLoginEndpoint]: {
        Type: OPENID.SPLoginEndpoint
        Location: https://www.ibmidentitydemo.com/FIM/sps/OpenIdSp/openid/login
      }
    }
  }
  Number of partners: 1
  Partner[0]: {
    Display Name: IBM
    ProtocolId: *
    Role: ip
    Endpoints: {
    }
  }
}
 ************** End FederationQueryResult *************
 ************** FederatedUserInfoQueryResult *************
isFound: true
Number of Partners: 1
  Partner[myfedctx]: {
    IsFederated: true
    Self Alias: selfAlias1
    Partner Alias: partnerAlias1
    Old Alias: null
  }
 ************** End FederatedUserInfoQueryResult *************
 ************** UserAliasInfoQueryResult1 *************
Number of Partners: 1
  Partner[myfedctx]: {
    SELF Aliases: {selfAlias1, selfAlias2, selfAlias3}
  }
 ************** End UserAliasInfoQueryResult1 *************
 ************** UserAliasInfoQueryResult2 *************
Number of Partners: 1
  Partner[myfedctx]: {
    PARTNER Aliases: {partnerAlias1, partnerAlias2}
    SELF Aliases: {selfAlias1, selfAlias2}
  }
 ************** End UserAliasInfoQueryResult2 *************

The same federated user information found using the Information Service can be verified directly in the alias service with an LDAP search (provided you are using the LDAP alias service, and the LDAP root suffix of your alias service is cn=itfim): idsldapsearch -h localhost -p 389 -D cn=root -w password -b cn=itfim -s sub "(objectclass=*)". On anything other than a throwaway test directory, bind with a read-only account rather than cn=root, avoid placing a real directory password on the command line (it is visible to other users of the host), and narrow the filter to the entry of interest, for example "(secSelfAlias=myfedctx%selfAlias1)", instead of dumping the whole suffix with "(objectclass=*)".

The results illustrated in Listing 3 show the same data as returned in the call to the information service, as expected:

Listing 3. Alias Entries
 ...

secUUID=7b4ac8f1-011b-1572-8bdc-d4f18164cb57,cn=Users,cn=itfim
secUUID: 7b4ac8f1-011b-1572-8bdc-d4f18164cb57
secDn: cn=simoncanning, O=IBM,C=AU
objectclass: secUser
objectclass: cimManagedElement
objectclass: eUser
objectclass: top
secAuthority: itfim
secLoginType: Default:itfim
secPartnerAlias: myfedctx%partnerAlias1
secPartnerAlias: myfedctx%partnerAlias2
secSelfAlias: myfedctx%selfAlias1
secSelfAlias: myfedctx%selfAlias2
secSelfAlias: myfedctx%selfAlias3
 ...
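The comparison between Listing 2 and Listing 3 can be made mechanically. The following is an added example (not code from the original article or from TFIM): it parses the alias-service entry shape shown in Listing 3, where each secSelfAlias/secPartnerAlias value is stored as <federation context id>%<alias>, and checks that what the Information Service returned for a user is consistent with what LDAP holds, including the completeResultsLimit case where only some of the stored aliases come back. The attribute name secOldAlias for OLD aliases is an assumption (Listing 3 shows only secSelfAlias and secPartnerAlias), and the embedded LDIF is a constructed copy of the Listing 3 entry.

```python
"""Cross-check alias-service LDAP entries against Information Service results.

Added example, not part of the original article or of the TFIM product.
Assumed: OLD aliases are stored in an attribute named secOldAlias.
"""
from collections import defaultdict

# LDAP attribute -> alias type name used by the Information Service.
ALIAS_ATTRS = {
    "secSelfAlias": "SELF",
    "secPartnerAlias": "PARTNER",
    "secOldAlias": "OLD",      # assumed attribute name; not shown in Listing 3
}

# Constructed sample: the entry from Listing 3.
SAMPLE_LDIF = """\
secUUID=7b4ac8f1-011b-1572-8bdc-d4f18164cb57,cn=Users,cn=itfim
secUUID: 7b4ac8f1-011b-1572-8bdc-d4f18164cb57
secDn: cn=simoncanning, O=IBM,C=AU
objectclass: secUser
secAuthority: itfim
secPartnerAlias: myfedctx%partnerAlias1
secPartnerAlias: myfedctx%partnerAlias2
secSelfAlias: myfedctx%selfAlias1
secSelfAlias: myfedctx%selfAlias2
secSelfAlias: myfedctx%selfAlias3
"""


def parse_alias_entries(ldif_text):
    """Return {secDn: {partner_id: {alias_type: [alias, ...]}}}.

    Entries are separated by blank lines. The first line of an entry is its
    DN (Listing 3 prints it without a 'dn:' prefix) and is skipped; the user
    is keyed by the secDn attribute instead.
    """
    entries = {}
    for block in ldif_text.strip().split("\n\n"):
        lines = [l for l in block.splitlines() if l.strip()]
        attrs = defaultdict(list)
        for line in lines[1:]:
            name, _, value = line.partition(":")
            attrs[name.strip()].append(value.strip())
        sec_dn = attrs.get("secDn", [lines[0]])[0]
        per_partner = defaultdict(lambda: defaultdict(list))
        for attr, alias_type in ALIAS_ATTRS.items():
            for value in attrs.get(attr, []):
                # Stored form is <federation context id>%<alias>; split on the
                # first '%' only, in case the alias itself contains one.
                partner_id, sep, alias = value.partition("%")
                if not sep:
                    continue      # malformed value: skip rather than guess
                per_partner[partner_id][alias_type].append(alias)
        entries[sec_dn] = {p: dict(t) for p, t in per_partner.items()}
    return entries


def check_service_result(ldap_aliases, service_aliases, limit=None):
    """Verify an Information Service result against the LDAP view.

    Both arguments have the shape {partner_id: {alias_type: [alias, ...]}}.
    Every alias the service reported must exist in LDAP, and the number
    returned per type must be min(limit, stored) when a completeResultsLimit
    was used, or all stored aliases when it was not. Returns a list of
    discrepancy strings; an empty list means the two views agree.
    """
    problems = []
    for partner_id, by_type in service_aliases.items():
        stored = ldap_aliases.get(partner_id, {})
        for alias_type, returned in by_type.items():
            known = stored.get(alias_type, [])
            for alias in returned:
                if alias not in known:
                    problems.append(f"{partner_id}/{alias_type}: {alias} not in LDAP")
            expected = len(known) if limit is None else min(limit, len(known))
            if len(returned) != expected:
                problems.append(
                    f"{partner_id}/{alias_type}: got {len(returned)}, expected {expected}")
    return problems


if __name__ == "__main__":
    ldap = parse_alias_entries(SAMPLE_LDIF)["cn=simoncanning, O=IBM,C=AU"]
    # Result of the fourth test in Listing 2 (completeResultsLimit=2).
    service = {"myfedctx": {"PARTNER": ["partnerAlias1", "partnerAlias2"],
                            "SELF": ["selfAlias1", "selfAlias2"]}}
    print(check_service_result(ldap, service, limit=2) or "consistent")
```

In practice the LDIF would come from the narrowed idsldapsearch shown above and the second argument from the client's parsed response; the check is useful after alias-service migrations, where a stale or duplicated entry shows up as a count mismatch rather than as a silently missing federation link.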

Debug & Tracing

In order to debug and view messages from the Information Service, the TFIM server can be configured to output information service component trace messages. The trace string for the Information Service component is com.tivoli.am.fim.info.*.

Perform the following to configure the TFIM server to output the Information Service trace to the trace.log file.

  1. Login to the WebSphere Administrative Console.
  2. Expand Troubleshooting and select Logs and Trace.
  3. Click on the appropriate server for your TFIM Runtime environment.
  4. Click Change Log Detail Levels.
  5. Click the Runtime tab.
  6. In the components list add the trace string com.tivoli.am.fim.info.*=all.
  7. Click OK.

You can also utilize real-time tracing utilities like TCPMON to monitor requests and responses to and from the Information Service. Listing 4 shows an example of traced messages captured with TCPMON for the UserAliasInfoQuery2 test used in the example program (recall this test requested at most two aliases of all alias types):

Listing 4. TCPMON Trace of a UserAliasInfoQuery and Response
Request:

<soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header/>
  <soapenv:Body>
    <p147:UserAliasInfoQuery xmlns:p147="urn:ibm:names:ITFIM:info:1.0"
        completeResultsLimit="2" userId="simoncanning">
      <PartnerIds>
        <PartnerId>myfedctx</PartnerId>
      </PartnerIds>
    </p147:UserAliasInfoQuery>
  </soapenv:Body>
</soapenv:Envelope>



Response:

<soapenv:Envelope xmlns:soapenc="http://schemas.xmlsoap.org/soap/encoding/"
    xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
    xmlns:xsd="http://www.w3.org/2001/XMLSchema"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <soapenv:Header/>
  <soapenv:Body>
    <p147:UserAliasInfoQueryResult xmlns:p147="urn:ibm:names:ITFIM:info:1.0">
      <UserAliasInfos>
        <UserAliasInfo partnerId="myfedctx">
          <AliasLists Type="PARTNER">
            <UserAlias>partnerAlias1</UserAlias>
            <UserAlias>partnerAlias2</UserAlias>
          </AliasLists>
          <AliasLists Type="SELF">
            <UserAlias>selfAlias1</UserAlias>
            <UserAlias>selfAlias2</UserAlias>
          </AliasLists>
        </UserAliasInfo>
      </UserAliasInfos>
    </p147:UserAliasInfoQueryResult>
  </soapenv:Body>
</soapenv:Envelope>
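The captured messages above are all a client really needs: the userAliasInfoQuery described in the interface section earlier is a single SOAP 1.1 request with userId and completeResultsLimit as attributes and partner ids as child elements, and the result is plain XML in the urn:ibm:names:ITFIM:info:1.0 namespace. The following added example (not code from the original article or from TFIM) builds that request and parses the response with the Python standard library only, so it can be used from tooling that cannot carry the RAD-generated proxy. Assumptions, not shown on the page: the SOAPAction header value (sent empty), HTTP basic authentication as the way a FIMAdministrator client authenticates, and the element names AliasTypeFilterList/AliasType for the alias type filter (mirroring the generated setter name). The embedded response is a constructed copy of the Listing 4 response.

```python
"""Build and parse TFIM Information Service UserAliasInfoQuery SOAP messages.

Added example, not part of the original article or of TFIM. Assumed:
SOAPAction value, basic authentication, AliasTypeFilterList/AliasType names.
"""
import base64
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
INFO_NS = "urn:ibm:names:ITFIM:info:1.0"


def build_user_alias_query(user_id, partner_ids=(), alias_types=(), limit=None):
    """Return the SOAP envelope for a UserAliasInfoQuery as a string."""
    attrs = [f"userId={quoteattr(user_id)}"]
    if limit is not None:
        attrs.append(f'completeResultsLimit="{int(limit)}"')  # absent: no limit
    body = ""
    if partner_ids:
        body += "<PartnerIds>" + "".join(
            f"<PartnerId>{escape(p)}</PartnerId>" for p in partner_ids) + "</PartnerIds>"
    if alias_types:  # assumed element names, see module docstring
        body += "<AliasTypeFilterList>" + "".join(
            f"<AliasType>{escape(t)}</AliasType>" for t in alias_types) + "</AliasTypeFilterList>"
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}"><soapenv:Header/><soapenv:Body>'
        f'<info:UserAliasInfoQuery xmlns:info="{INFO_NS}" {" ".join(attrs)}>'
        f"{body}</info:UserAliasInfoQuery></soapenv:Body></soapenv:Envelope>"
    )


def parse_user_alias_result(xml_text):
    """Return {partnerId: {aliasType: [alias, ...]}} from a UserAliasInfoQueryResult.

    Raises RuntimeError on a SOAP Fault so a caller never mistakes a fault
    (for example an authorization failure) for "user has no aliases".
    """
    root = ET.fromstring(xml_text)
    body = root.find(f"{{{SOAP_NS}}}Body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext("faultcode", "")
        raise RuntimeError(f"SOAP fault {code}: {fault.findtext('faultstring', '')}")
    result = body.find(f"{{{INFO_NS}}}UserAliasInfoQueryResult")
    if result is None:
        raise RuntimeError("no UserAliasInfoQueryResult in response")
    aliases = {}
    # Child elements are unqualified in the captured response (no namespace).
    for info in result.iterfind("UserAliasInfos/UserAliasInfo"):
        by_type = {}
        for alias_list in info.iterfind("AliasLists"):
            by_type[alias_list.get("Type")] = [
                a.text or "" for a in alias_list.iterfind("UserAlias")]
        aliases[info.get("partnerId")] = by_type
    return aliases


def send_query(endpoint, envelope, username=None, password=None, timeout=10):
    """POST the envelope and return the raw response body (network call)."""
    headers = {"Content-Type": "text/xml; charset=utf-8", "SOAPAction": '""'}
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + token      # assumed auth scheme
    req = urllib.request.Request(endpoint, envelope.encode("utf-8"), headers)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: the response from Listing 4.
SAMPLE_RESPONSE = f"""<soapenv:Envelope xmlns:soapenv="{SOAP_NS}">
  <soapenv:Header/>
  <soapenv:Body>
    <p147:UserAliasInfoQueryResult xmlns:p147="{INFO_NS}">
      <UserAliasInfos>
        <UserAliasInfo partnerId="myfedctx">
          <AliasLists Type="PARTNER">
            <UserAlias>partnerAlias1</UserAlias>
            <UserAlias>partnerAlias2</UserAlias>
          </AliasLists>
          <AliasLists Type="SELF">
            <UserAlias>selfAlias1</UserAlias>
            <UserAlias>selfAlias2</UserAlias>
          </AliasLists>
        </UserAliasInfo>
      </UserAliasInfos>
    </p147:UserAliasInfoQueryResult>
  </soapenv:Body>
</soapenv:Envelope>"""

if __name__ == "__main__":
    print(build_user_alias_query("simoncanning", ["myfedctx"], limit=2))
    print(parse_user_alias_result(SAMPLE_RESPONSE))
    # Live use: parse_user_alias_result(send_query(
    #     "https://fim_host:fim_port/Info/InfoService", envelope, "admin", "..."))
```

Note that the request carries a user id and the response carries account aliases, so a TCPMON capture of this exchange is itself sensitive data and should be handled like the trace.log it complements.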

Conclusion

Tivoli Federated Identity Manager 6.2 contains a Web service interface which can be used to obtain federation, federated user and user alias information. This article has shown how to obtain the WSDL from within the TFIM environment and use it to generate a Web service client using Rational Application Developer. A sample application was also included which demonstrates how to use the newly generated Web service client. This application including source is available from the Downloads section.


Download

Description: Example Information Service Client Application (see Note 1)
Name: com.tivoli.am.fim.infoservice.wsdl.clientEAR.zip
Size: 183KB

Note

  1. If you download and import this EAR into a development environment, you will still need to manually add the IBM WebSphere and Eclipse JARS to the project as shown in Figure 7 as those files are not shipped with the example code.
