Constructing the XSLT rules file

Edit online

You can use the mapping module to define flexible rules that allow mapping of certificate attributes to a user identity. The user identity can be a Verify Identity Access user ID. For example, testuser. Alternatively, the user identity can be the user DN as found in the registry. For example, cn=testuser, o=ibm,c=au.

Upon receiving a user certificate, the module creates an XML document that lists all of its attributes. The XML document conforms to the Universal Management Infrastructure (UMI) XML document model. For example, the module could create a document that looks like this:

<?xml version="1.0" encoding='UTF-8'?>

<XMLUMI>
  <stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
    <stsuuser:Principal>
      <stsuuser:Attribute name="name">
        <stsuuser:Value>
          CN=testuser,O=ibm,C=au
        </stsuuser:Value>
      </stsuuser:Attribute>
    </stsuuser:Principal>
    <stsuuser:AttributeList>
      <stsuuser:Attribute name="SubjectDN" type="urn:ibm:security:gskit">
        <stsuuser:Value>CN=testuser,O=ibm,C=au</stsuuser:Value>
      </stsuuser:Attribute>

      <stsuuser:Attribute name="IssuerDN" type="urn:ibm:security:gskit">
        <stsuuser:Value>CN=ca,O=ibm,C=au</stsuuser:Value>
      </stsuuser:Attribute>

      <stsuuser:Attribute name="ValidFromEx" type="urn:ibm:security:gskit">
        <stsuuser:Value>00:29:26 08-06-2009</stsuuser:Value>
      </stsuuser:Attribute>

     </stsuuser:AttributeList>
  </stsuuser:STSUniversalUser>
</XMLUMI>
The XSLT file defines how to transform the XML document. The result of the transformation must be in one of these forms:
  • !identifier!

    A Verify Identity Access user ID or user DN. This form is used when no registry search is required, such as when the identifier can be retrieved directly from the certificate.

  • !userreg base='baseDN' attr='attrName'! ldapSearchFilter !

    baseDN is the base distinguished name, attrName is the LDAP attribute name that corresponds to a user identity, and ldapSearchFilter is the LDAP search filter.

    This form is used when certificate information is used to search the registry for the corresponding user. You can also use the module with Active Directory.

  • !no-matching-rule!

    This form indicates that you cannot use any rule to find the required information to authenticate the user.

The following example is the cert-rules-template.txt file installed in the $WEBRTE_HOME/etc/ directory:
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser" version="1.0">

    <!-- Required to constrain output of rule evaluation -->
    <xsl:output method="text" omit-xml-declaration="yes" encoding='UTF=8' 
indent="no"/>

    <!-- Need this to ensure default text node printing is off -->
    <xsl:template match="text()"></xsl:template>

    <!-- Let's make it easier by matching the constant part of our XML name -->
    <xsl:template match="/XMLUMI/stsuuser:STSUniversalUser/stsuuser:
AttributeList">
        !<xsl:value-of select="stsuuser:Attribute[@name='SubjectDN']/stsuuser:
Value"/>!
    </xsl:template>

</xsl:stylesheet>

This XSLT document transforms the UMI XML document created by the authentication module and outputs the subject DN of the certificate it receives between ! characters. For example, !cn=testuser,o=ibm,c=au!.

In this case, no user registry search is performed. This <xsl:output> element is required to indicate that text, not an XML document, is the output of the transformation.

This first <xsl:template> element ensures that any remaining text nodes in the document are not copied to the output.

The next example shows how to direct the mapping module to perform a user registry, for example, LDAP, search with data from the certificate. It extracts the value of the SubjectEmail attribute from the certificate and searches for a user with an LDAP mail attribute equal to this address.
The base DN for the search is o=ibm,c=au. The value of the cn attribute is printed in the output. In this case, the result will probably be a Verify Identity Access user ID, rather than a user DN.
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" 
xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser" version="1.0">

    <!-- Required to constrain output of rule evaluation -->
    <xsl:output method="text" omit-xml-declaration="yes" encoding='UTF=8' 
indent="no"/>

    <!-- Need this to ensure default text node printing is off -->
    <xsl:template match="text()"></xsl:template>

    <!-- Let's make it easier by matching the constant part of our XML name -->
    <xsl:template match="/XMLUMI/stsuuser:STSUniversalUser/stsuuser:
AttributeList">
        !userreg base='o=ibm,c=au' attr='cn'!(mail=<xsl:value-of 
				select="stsuuser:Attribute[@name='SubjectEmail']/stsuuser:
Value"/>)!
    </xsl:template>

</xsl:stylesheet>
Note: Because the & character is used in XML to demarcate the start of an entity, it cannot be used as is in the LDAP search filter. If an LDAP query contains multiple terms that need to be joined, the &amp; entity needs to be used instead.