Overview
The attribute retrieval service uses a special XML construct, known as a container, to retrieve and convey authorization decision information (ADI).
An ADI request is always made in the form of a container name.
When a request for ADI (as a container name) is received by the attribute
retrieval service, the container name is compared against all container
names described in the Container Descriptor Table (ContainerDescriptorTable.xml).
If a match is found, the process of retrieving the ADI can continue.
Information in the container description reveals what ADI is required,
where the ADI can be found, and what protocol must be used to communicate
with the external provider of the ADI. The ADI, enclosed within opening
and closing container name XML tags, is known as a container.
The attribute retrieval service generates a client that uses the necessary protocol to retrieve the ADI from the external provider. If the ADI must be retrieved using a protocol that is not provided by the current release of the attribute retrieval service (included with Verify Identity Access WebSEAL), then a custom protocol plug-in must be created.