Monday, January 25, 2010

Integrating Oracle Access Manager with Kerberos authentication with fallback to an HTML form

Seems like it's the month of Kerberos.

We often see customers wanting to authenticate users to Oracle Access Manager (OAM) with Kerberos, and fall back to HTML forms if the Kerberos authentication fails. There's an easy way to set this up, but it's not obvious how to do it.

I'm just going to describe the flow here, but that should be enough to help you figure out how to do the actual knob turning yourself. If you run into trouble feel free to ask a question here.


  1. user accesses http://somemachine.mydomain.com/protected/
  2. OAM redirects the user to http://trustedmachine.mydomain.com/oamauthenticator/
  3. on trustedmachine the virtual directory /oamauthenticator/ is protected by IIS' built in Kerberos functionality, and only Kerberos. In other words you should uncheck the Basic, Digest and Anonymous checkboxes in the IIS console.
    If the user's workstation is in the domain and they are signed in then their identity will be passed to IIS via Kerberos. If the user's workstation is not in the domain or something goes wrong they will be presented with the 401 error page (see below).
  4. the OAM WebGate will consume the identity from IIS and pass that identity to the Access Server
  5. the OAM Access Server will search LDAP for the user
  6. once the user's OAM session has been established they will be redirected back to http://somemachine.mydomain.com/protected/ along with the ObSSO cookie.


Alternative flow for workstations not in a domain, or if Kerberos fails:
In step 3, if the Kerberos authentication fails, IIS will send the HTML file configured as the 401 page.

You can create a plain HTML page that

  • contains a conventional OAM login form - prompting the user for their username and password.
  • submits to an URL on trustedmachine
  • that URL will be associated with a conventional OAM HTML forms login authentication scheme


When the user fills in the form and hits submit:

  1. the credentials will be passed to the Access Server
  2. the Access Server will search LDAP for the user and bind to the directory to authenticate them
  3. if the credentials are correct the user will get an OAM session cookie
  4. the user will be redirected back to the original resource as in the normal flow above.


The only real trick here is using the custom error page in IIS. Remember that you have to use a plain HTML file for that file - you can't use an ASP/ASPX. That also means that you have to do anything dynamic in JavaScript.

Update: I fleshed this out some more in a newer post.

Friday, January 22, 2010

The World's Most Dangerous WebLogic Identity Asserter

...or how Josh stole my idea for a post in one paragraph.

In a recent post Josh said
There is another approach that, unfortunately, is rather common - use a Web Gate in front of WebLogic Server and use a very weak identity asserter or no SSPI connector at all.


I'd started writing this post before Josh wrote that and figured I'd post this anyway in hopes that my longer and more detailed write up is helpful to someone unfamiliar with what all of the terms and acronyms mean.

WebLogic Server includes a great security framework that provides five services - authentication, role mapping, authorization, auditing, credential mapping. There's also a sixth service called adjudication that kicks in if you have more than one authorization provider, but that's a story for another day. Out of the box WebLogic ships with a bunch of providers for each of those services.

The authentication service/interface does exactly what you'd think - takes a set of credentials, verifies them, and allows WebLogic to create a JAAS subject and principals for the user. Out of the box credentials are things like username and password against an LDAP directory. The ability to assert a user's identity without having their actual password, for example via a certificate, is also supported; in that case the authenticator is called an Identity Asserter.

So what is the world's most dangerous identity asserter?

To answer that you have to understand the typical WebLogic deployment architecture. The recommended way to deploy WebLogic is to deploy a load balancer, two or more web servers (Apache, OHS, IIS) with the WebLogic plug-in, and then two or more WebLogic servers. Here's a diagram:

This architecture allows you to do a bunch of very useful things - gracefully handling single component failure, load balance across the components, scale up more or less linearly by adding additional WLS servers, and more.

Enterprise deployments also typically involve integrating with web single sign-on solutions like Oracle Access Manager (OAM), SiteMinder, or even Microsoft's Kerberos implementation included in Windows.

When you do the authentication at the web tier you need to convey the user's identity over to WebLogic and install an Identity Asserter to populate the JAAS subject and principals. When you're doing authentication on the web server the most obvious way to write an Identity Asserter is to just consume the username HTTP header - after all, the web server already did the authentication, so why bother doing anything more?

Why? Because if anyone manages to sneak by your web server they can impersonate any user in your user directory. Combine that with the commonly quoted statistic that two-thirds of security breaches are internal rather than from a hacker on the outside.

Let the implications of that sink in for a second...

Assuming you did everything else right in your app and environment your biggest risk is a bad guy inside your network. If you write an Identity Asserter that just blindly trusts an HTTP header you'd better be sure to do something to protect the WebLogic server.

I recently encountered a customer that wanted to authenticate their users with Kerberos authentication at IIS rather than inside WebLogic. They could have done the authentication in WebLogic with the SPNEGO authenticator but, for a variety of reasons, doing the authentication in IIS was a better fit for their environment. We wrote a very simple Identity Asserter that consumed the Proxy-Remote-User HTTP header, stripped off the Windows domain name and asserted the remainder as the username.

How do you protect the WebLogic Server in this architecture?

There are really two options:

  1. two-way SSL between the web server and WebLogic Server
  2. firewalling


Two-way SSL between the web server and WebLogic Server protects the data sent by encrypting it and also prevents access to the WebLogic Server from any client that doesn't have an appropriate client certificate. The actual steps are covered in the documentation for the ISAPI plug-in for IIS and for the Apache module. Using SSL requires certificates and has a performance impact. The magnitude of the impact depends on the environment, so we always recommend testing.

An alternative to using two-way SSL is to use a firewall to protect the WebLogic Server. You can use a network-based firewall, the traffic filtering functionality built into your host operating system, or WebLogic Network Connection Filters. No matter which of these you opt to use, the objective is to ensure that any HTTP traffic coming into the WLS server originated at one of the web servers and not from somewhere else in your environment.


Update November 2010: Due to popular demand the source code to this Identity Asserter is available at https://sample-identity-asserters.samplecode.oracle.com/

OES discovery mode

How do you enable Discovery Mode in Oracle Entitlements Server?

from the documentation:

The ASI Authorization and ASI Role Mapping providers support a Discovery mode that helps make this task easier. Typically, these providers answer questions about security, but when in Discovery mode, the providers record information about those questions to build your policy (for example, what privileges and resources must be granted to view a particular web page).

To use Discovery mode, you must modify the command line that starts your Security Service Module by adding the following system properties:

com.bea.security.providers.authorization.asi.AuthorizationProviderImpl.discoverymode=true
com.bea.security.providers.authorization.asi.RoleProviderImpl.discoverymode=true

More information about discovery mode is in the ALES 3.0 documentation

Thursday, January 21, 2010

Topic of 2010: Policy Lifecycle Management

2009 was the year of “security for the cloud”. No doubt people will keep beating that horse well into this decade. If you are looking for some very good and practical thoughts on the subject, Josh wrote a very good post on Fusion Middleware Security, multi-tenancy, and a WLS based platform as a service. You can find it here: http://fusionsecurity.blogspot.com/2009/11/cloud-security-for-paas-and-saas-use.html.

So, with that being said I’m here to declare to you that “Policy Lifecycle Management” is the security topic for 2010. So, what exactly do I mean?

Applications are increasingly externalizing more and more of their security related functionality away from application code and into specialized tools and the middleware platforms they are built on. In general this is a great trend with many benefits. However, this has led to the proliferation of a whole set of various security policies in an application's platform that have to be maintained and kept in sync with the application itself as the application changes and migrates through its own lifecycle.

For applications built on Fusion Middleware you potentially have:

1) JSF Policies (JAVA security)
2) OAM Policies (web access)
3) OWSM and/or WLS WS Policies (web services security)
4) OES Policies (entitlements and authorization)
5) OAAM Policies (authentication and fraud detection)

This is just off the top of my head, I’m sure there might be more.

All these policies have to stay in sync with the applications they are supporting as the applications move through their own lifecycle of being built, being changed, being tested, moving through different deployment environments (Dev, QA, staging, production) etc.
Increasingly this is an area of challenge that the largest and best shops are dealing with. So, if that includes you, don’t feel bad, you’re in good company :)

Wednesday, January 20, 2010

Integrating Oracle Access Manager (OAM) with WebLogic Server (WLS) - Different Versions and Architectures

A very common decision confronted by customers is how to integrate WebLogic Server with their Oracle Access Manager (OAM). The main question here is "Identity Assertion vs. Authentication". An identity can be established in WebLogic Server two ways - by providing credentials (authentication) or by providing a token (identity assertion). If you're authenticating with OAM via WLS directly, then you don't need to install a WebGate in a Web Server protecting WebLogic Server (or have a Web Server at all). If you're doing Identity Assertion, then you do need a WebGate in a Web Server, since that component will generate the ObSSO cookie that will be consumed (asserted) inside of WebLogic Server.

The specifics of each of these scenarios vary slightly between Oracle Access Manager 10.1.4.2 and 10.1.4.3. In OAM 10.1.4.2, the authentication scenario is referred to as Authentication for Mixed Web and Non-Web Resources. This somewhat confusing name does underscore an important point. WebLogic Server has a single set of providers for all resource types, so if you have other clients (ejb/rmi) that need to authenticate, their credentials will also be validated against OAM. It's also worth noting that in 10.1.4.2, the user will get an OBSSOCookie which can be used to perform SSO with other OAM WebGates. In the 10.1.4.3 OAM+WLS integration, called Configuring Single Sign-On in Oracle Fusion Middleware - Deploying the Oracle Access Management Solution, the user will get only a JSESSIONID cookie - the WebLogic Server cookie.

The identity assertion scenarios are also slightly different. In 10.1.4.2, the Identity Assertion scenario called Authentication for Web Only Resources, the OAM SSPI authentication provider is used to retrieve the groups from LDAP. This is a call from WLS to the access server and then from the access server to LDAP. In 10.1.4.3, Configuring the Oracle Access Manager Identity Asserter for Single Sign On, you can use any WLS Authentication Provider to work with the assertion (OBSSOCookie) from OAM. The most common configuration is to pair the OAMIdentityAsserter with the OID Authentication Provider. The difference here is that the call to validate the user and retrieve their groups goes from WLS to LDAP directly - not through OAM. There are pros and cons to both. The advantage of the 10.1.4.2 architecture is that the connectivity to LDAP is funneled through OAM, so WLS instances can share LDAP more efficiently. The downside is that this requires an extra network hop, and extra configuration.

There is another approach that, unfortunately, is rather common - use a WebGate in front of WebLogic Server and use a very weak identity asserter or no SSPI connector at all. In this model, applications or the identity asserter are most likely directly reading the REMOTE_USER header. It's definitely not a best practice to trust a clear-text username to establish identity. The exposure is that someone with knowledge of the solution can easily impersonate the identity of any user if they know their username. There are a number of ways to mitigate this risk, like using a WebLogic Server connection filter or running WLS on the same machine as the WebGate and only configuring WebLogic Server to listen on the loopback address. This approach may not make sense if the whole purpose of the web server is to provide defense in depth by moving WLS behind a firewall.
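The exposure described in this paragraph, and in the January 22 identity asserter post on this page, as an added JDK-only sketch (not the Oracle sample asserter and not WebLogic API code): the username header is used only when the connection's peer address is one of the known web servers. The class name, the addresses and the username character rule are assumptions made for the illustration.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.LinkedHashSet;
import java.util.Set;

/** Added illustration (hypothetical class, JDK only): when may a username header assert identity? */
public class HeaderAssertionGate {

    private final Set<InetAddress> trustedWebServers = new LinkedHashSet<>();

    /** @param trustedLiterals IP literals of the web servers that run the plug-in */
    public HeaderAssertionGate(String... trustedLiterals) throws UnknownHostException {
        for (String literal : trustedLiterals) {
            // For an IP literal getByName only parses the text; no DNS lookup is made.
            trustedWebServers.add(InetAddress.getByName(literal));
        }
    }

    /** The weak form the posts warn about: the header is the identity, whoever sent it. */
    static String naiveAssert(String headerValue) {
        return stripDomain(headerValue);
    }

    /** Guarded form: the header counts only when the peer is a known web server. */
    public String guardedAssert(InetAddress peer, String headerValue) {
        if (peer == null || !trustedWebServers.contains(peer)) {
            throw new SecurityException("username header from untrusted peer " + peer);
        }
        return stripDomain(headerValue);
    }

    /** Strip one leading Windows domain ("MYDOMAIN\alice" becomes "alice"); reject anything odd. */
    static String stripDomain(String headerValue) {
        if (headerValue == null) {
            throw new SecurityException("username header missing");
        }
        String value = headerValue.trim();
        int first = value.indexOf('\\');
        if (first != value.lastIndexOf('\\')) {
            throw new SecurityException("more than one domain separator");
        }
        String user = first >= 0 ? value.substring(first + 1) : value;
        // Assumption: usernames are short plain tokens. Rejecting other characters
        // keeps the value safe to place in the LDAP search that follows.
        if (!user.matches("[A-Za-z0-9._-]{1,64}")) {
            throw new SecurityException("unusable username header");
        }
        return user;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: two web servers and one other internal host.
        HeaderAssertionGate gate = new HeaderAssertionGate("10.0.1.11", "10.0.1.12");
        InetAddress webServer = InetAddress.getByName("10.0.1.11");
        InetAddress otherHost = InetAddress.getByName("10.0.7.99");
        String header = "MYDOMAIN\\alice";

        System.out.println("naive, any peer     : " + naiveAssert(header));
        System.out.println("guarded, web server : " + gate.guardedAssert(webServer, header));
        try {
            gate.guardedAssert(otherHost, header);
        } catch (SecurityException e) {
            System.out.println("guarded, other host : rejected (" + e.getMessage() + ")");
        }
        try {
            gate.guardedAssert(webServer, "MYDOMAIN\\");
        } catch (SecurityException e) {
            System.out.println("guarded, empty user : rejected (" + e.getMessage() + ")");
        }
    }
}
```

A source-address check is the application-level counterpart of a connection filter; two-way SSL goes further by requiring the web server to present a client certificate.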

Finally, in the analysis of which approach and which version of OAM SSPI connector to use, it's worth noting that 10.1.4.3 is all Java, and runs on "All Weblogic Application Server 10.3.1.x supported platforms". My basic approach is that the 10.1.4.3 integration is simpler and more aligned with the way that most customers use WLS and OAM together. I would look at 10.1.4.3, IdentityAssertion with the WebGate as the 1st best option.

Wednesday, January 6, 2010

Oracle Entitlement Server (OES) Web Services SM Demystified

First of all - Happy New Decade - and welcome to the future!

Now, after some well deserved time off, back to it. I was recently visiting with a customer and they asked me for the WSDL associated with the Web Services SM for OES. Seems like a simple request, but what I quickly figured out was that there is no really simple way to get the WSDL (navigating to http://mywssm:8555/someservicename?WSDL). Simpler is definitely better, so this post is not a full-throated defense of how the WebServices SM works, but rather an opportunity to discuss some of the features of the OES client libraries and the PDPProxy specifically. For those who just want to see the WSDL, here it is. I've also included the schema, here. They can also be found in SSM_HOME/webservice-ssm/instance/instancename/config.

Three different SMs - One API - PDP Proxy


There are many different Security Modules (SM) that OES supports but they essentially fall into two categories - centralized or embedded. In the centralized model, applications are making remote calls out to the actual SM service running centrally. OES supports two protocols for centralized SMs - SOAP and RMI. These are affectionately referred to as the WebServices SM and the RMI SM. In the embedded model, applications make calls to the OES services and the authorization engine is co-located with the application (it runs in the same Java process). This is the Java SM (though when running inside of WLS it's called the WLS SM or in WebSphere the WebSphere SM etc.).

When deploying OES into Java applications, you may not know up-front which of the 3 main types of SMs makes sense. Initially, you may want to use the WebServices SM because SOAP is a standard and works nicely with the rest of the SOA infrastructure. You may then move to the RMI SM because you need a binary protocol to meet performance requirements. Finally, to get maximum performance, you move to the embedded model and the Java SM. This evolution of SM deployment is natural and to be expected. What would be unnatural and unexpected is to have to recode the application just because you were choosing a different SM deployment model. This is the driving thought behind the single Java API.

This is from the SSM_HOME/webservice-ssm/examples/JavaAPIExample/src/java\com\bea\security\examples\JavaAPIExample.java


protected static SecurityRuntime initializeSSM(String configId) {
    SecurityRuntime rt = null;

    // Initialize this applications configuration
    System.out.print("Initializing the Security Runtime ... ");
    AppConfig cfg = new AppConfig("Java API Example Application");

    cfg.useConfiguration(configId);

    // Add this application naming definitions to the config
    try {
        cfg.addNameAuthorityDefinitionFile("exampleNames.xml");
    } catch (FileNotFoundException fnfExc) {
        System.out.println(fnfExc.getLocalizedMessage());
        return rt;
    }

    // Initialize the security runtime
    try {
        SecurityRuntime.initialize(cfg);
    } catch (ParameterException pExc) {
        // We could not get the policy domain
        System.out.println(pExc.getLocalizedMessage());
        return rt;
    } catch (Throwable e) {
        e.printStackTrace();
        return rt;
    }

    // Get an instance of the runtime
    rt = SecurityRuntime.getInstance();
    System.out.println("Initialized");

    return rt;
}

protected static PolicyDomain tryGetPolicyDomain(SecurityRuntime rt, String configId) {
    PolicyDomain pd = null;

    try {
        pd = rt.getPolicyDomain(configId);
        System.out.println("Retrieved Policy Domain");
    } catch (ParameterException pExc) {
        // We could not get the policy domain
        System.out.println(pExc.getLocalizedMessage());
    }

    return pd;
}

protected static AuthenticationService tryGetAuthenticationService(PolicyDomain pd) {
    AuthenticationService atnSvc = null;

    try {
        atnSvc = (AuthenticationService) pd.getService(ServiceType.AUTHENTICATION);
        System.out.println("Retrieved Authentication Service");
    } catch (ServiceNotAvailableException naExc) {
        // We could not fetch the service
        System.out.println(naExc.getLocalizedMessage());
    }
    return atnSvc;
}

protected static AuthorizationService tryGetAuthorizationService(PolicyDomain pd) {
    AuthorizationService atzSvc = null;

    try {
        atzSvc = (AuthorizationService) pd.getService(ServiceType.AUTHORIZATION);
        System.out.println("Retrieved Authorization Service");
    } catch (ServiceNotAvailableException naExc) {
        // We could not fetch the service
        System.out.println(naExc.getLocalizedMessage());
    }
    return atzSvc;
}



So, the idea is that the SM is just a collection of services - authentication, authorization, roles, audit, credential mapping. These services are accessible from a named configuration called a PolicyDomain. You can see more details of the Java API in the product documentation. What is interesting is that if you examined the JavaAPIExample from SSM_HOME/java-ssm/examples/JavaAPIExample/src/java\com\bea\security\examples\JavaAPIExample.java, you would see the exact same code. From an API perspective, the type of SM (embedded or centralized) or the protocol (SOAP or RMI) is completely encapsulated.

All of this "magic" is done via what is called the PDPProxy configuration. When an instance of the SM is created with the ConfigTool, a directory is created SSM_HOME/SSM_TYPE/instance/instance-name/config/pdpproxy. In this directory is all of the information (libraries and config), that a client needs to communicate with the SM. At runtime, the Java API looks for a system property -Dpdp.configuration.properties.location to point it to the correct config.


The specific libraries will vary depending on the SM type (axis SOAP library is used for Web Service SM). There is a common configuration file called PDPProxyConfiguration.properties.

# SSM configuration id
SSMConfigID=dt

# Transport indicates underlying transport
# to be used to communicate with the PDP - JAVA / WS / RMI
PDPTransport=WS

# Comma separated list of PDP host & port information.
# For example this could be end point URLs could be,
# http://localhost:9200, or https://localhost:9200
PDPAddress=http://oamwindows:8225

There is more in the file, but this gives the general idea. You can change the PDPTransport and in the case of web-service SM, you define the URL.

Details on the Web Service SM


The basic API pattern is to get a named PolicyDomain and then access the services as needed. The question is, how do you apply this pattern to WebServices? Instead of simply listing each SOAP endpoint in a WSDL, OES uses the concept of the ServiceRegistry. This is basically a service that a client can call to get the location of the other services. With that information in hand, access to the underlying services - authentication, authorization, etc. - is pretty straightforward. I've included the SOAP Request/Response for the ServiceRegistry which is located at http://WS SM URL/ServiceRegistry.

Service Registry Request


<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<locateService xmlns="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd">
<ServiceType>ALES_AUTHORIZATION</ServiceType>
<SsmId>dt</SsmId>
</locateService>
</soapenv:Body>
</soapenv:Envelope>

Service Registry Response


<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Body>
<locateServiceResponse xmlns="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd">
<locateServiceResponse>http://oamwindows:8225/Authorization</locateServiceResponse>
</locateServiceResponse>
</soapenv:Body>
</soapenv:Envelope>
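The ServiceRegistry exchange above, as an added JDK-only example (not OES client code): it builds the locateService request, parses the reply with DOCTYPEs refused, and accepts the returned endpoint only if it is on the configured PDPAddress. The class and method names are hypothetical, and the rule that every service lives on the PDPAddress host and port is an assumption taken from the sample values on this page.

```java
import java.io.ByteArrayInputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added illustration (hypothetical class, JDK only); not OES client code. */
public class ServiceRegistryLocate {

    static final String SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/";
    static final String SSM_NS = "http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd";
    // Assumption: service types and SSM ids are plain tokens, so nothing needs XML escaping.
    static final Pattern TOKEN = Pattern.compile("[A-Za-z0-9_.-]{1,64}");

    /** Build the locateService request shown in the post. */
    static String buildLocateRequest(String serviceType, String ssmId) {
        if (!TOKEN.matcher(serviceType).matches() || !TOKEN.matcher(ssmId).matches()) {
            throw new IllegalArgumentException("service type and SSM id must be plain tokens");
        }
        return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>"
            + "<soapenv:Envelope xmlns:soapenv=\"" + SOAP_NS + "\"><soapenv:Body>"
            + "<locateService xmlns=\"" + SSM_NS + "\">"
            + "<ServiceType>" + serviceType + "</ServiceType>"
            + "<SsmId>" + ssmId + "</SsmId>"
            + "</locateService></soapenv:Body></soapenv:Envelope>";
    }

    static DocumentBuilder newBuilder() throws Exception {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        // The reply is untrusted input: refuse DOCTYPEs so no entity is ever resolved.
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        return factory.newDocumentBuilder();
    }

    /** Extract the endpoint URL from a ServiceRegistry reply. */
    static URI parseEndpoint(String soapReply) throws Exception {
        Document doc = newBuilder().parse(
            new ByteArrayInputStream(soapReply.getBytes(StandardCharsets.UTF_8)));
        NodeList hits = doc.getElementsByTagNameNS(SSM_NS, "locateServiceResponse");
        for (int i = 0; i < hits.getLength(); i++) {
            Element candidate = (Element) hits.item(i);
            // The wrapper and the value share one element name; the value is the
            // occurrence that has no element children.
            if (candidate.getElementsByTagNameNS("*", "*").getLength() == 0) {
                return new URI(candidate.getTextContent().trim());
            }
        }
        throw new IllegalArgumentException("no locateServiceResponse value in reply");
    }

    /** Accept the located endpoint only on the scheme, host and port of the configured PDPAddress. */
    static URI requireSameOrigin(URI configuredPdp, URI located) {
        boolean same = located.getScheme() != null && located.getHost() != null
            && located.getScheme().equalsIgnoreCase(configuredPdp.getScheme())
            && located.getHost().equalsIgnoreCase(configuredPdp.getHost())
            && located.getPort() == configuredPdp.getPort();
        if (!same) {
            throw new SecurityException("registry returned an endpoint outside " + configuredPdp);
        }
        return located;
    }

    /** The reply envelope from the post, wrapped around a given endpoint value. */
    static String reply(String endpoint) {
        return "<soapenv:Envelope xmlns:soapenv=\"" + SOAP_NS + "\"><soapenv:Body>"
            + "<locateServiceResponse xmlns=\"" + SSM_NS + "\">"
            + "<locateServiceResponse>" + endpoint + "</locateServiceResponse>"
            + "</locateServiceResponse></soapenv:Body></soapenv:Envelope>";
    }

    public static void main(String[] args) throws Exception {
        URI pdp = URI.create("http://oamwindows:8225"); // PDPAddress from the properties file above
        System.out.println(buildLocateRequest("ALES_AUTHORIZATION", "dt"));

        String genuine = reply("http://oamwindows:8225/Authorization"); // value shown in the post
        System.out.println("accepted: " + requireSameOrigin(pdp, parseEndpoint(genuine)));

        String elsewhere = reply("http://other-host.example:8225/Authorization"); // constructed
        try {
            requireSameOrigin(pdp, parseEndpoint(elsewhere));
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```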

Is this better than just exposing ?WSDL


Personally, I'm not a big fan of "discoverable" security services. For example, I don't like the idea of adding XACML to WS-Policy and making it readily available. Interoperability of WS-Policy, as people know from reading this blog, is a sore topic for me. In general, I'm OK with a little security by obscurity in this case. Also, in the context of the overall strategy of OES to simplify access via a single Java API, I think this is a good idea, and is in fact easier than using your own tooling to write a SOAP client. And finally, since this pattern is not obvious, OES does certify and provide its own clients for common platforms like MSFT .net.


Reference: WSDL and Schema for Web Services SM


SSM-SOAPWS.wsdl



<?xml version="1.0" encoding="UTF-8"?>

<wsdl:definitions

name="SSM-SOAP-WebService"

targetNamespace="http://security.bea.com/ssmws/ssm-ws-1.0.wsdl"

xmlns="http://www.w3.org/2001/XMLSchema"

xmlns:soap="http://schemas.xmlsoap.org/wsdl/soap/"

xmlns:ssm="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd"

xmlns:tns="http://security.bea.com/ssmws/ssm-ws-1.0.wsdl"

xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/"

xmlns:xsd="http://www.w3.org/2001/XMLSchema">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines SOAP WebService public interface for SSM component.</wsdl:documentation>



<!-- WSDL Types Section -->

<wsdl:types>



<xsd:import namespace="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd" schemaLocation="ssm-soap-types.xsd"/>



</wsdl:types>



<!-- WSDL Messages Section -->



<wsdl:message name="serviceFault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Reports a generic server-side error.</wsdl:documentation>

<wsdl:part element="ssm:serviceFailure" name="fault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Generic error information</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="authenticationFault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Reports an authentication error.</wsdl:documentation>

<wsdl:part element="ssm:authenticationFailure" name="fault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authentication error information.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="authorizationFault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Reports an authorization error.</wsdl:documentation>

<wsdl:part element="ssm:authorizationFailure" name="fault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authorization error information.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="credentialMappingFault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Reports a credential mapping error.</wsdl:documentation>

<wsdl:part element="ssm:credentialMappingFailure" name="fault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Credential mapping error information.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="roleMappingFault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Reports a role mapping error.</wsdl:documentation>

<wsdl:part element="ssm:roleMappingFailure" name="fault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Role mapping error information.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="auditingFault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Reports an auduting error.</wsdl:documentation>

<wsdl:part element="ssm:auditingFailure" name="fault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Auditing error information.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="registryFault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Reports a registry error.</wsdl:documentation>

<wsdl:part element="ssm:registryFailure" name="fault">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Registry error information.</wsdl:documentation>

</wsdl:part>

</wsdl:message>



<wsdl:message name="authenticateRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to authenticate a user. Accepts any credential type supported by the authentication provider or a response to an earlier authentication challenge, and, optionally, the type of requested identity assertion that represents the identity and application context of the authenticated user.</wsdl:documentation>

<wsdl:part element="ssm:authenticate" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for authenticate operation</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="authenticateResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response from user's authentication. Returns either the requested identity assertion token, an authentication challenge, or additional context requests, if a challenge is required by the specific authentication provider or the authentication protocol.</wsdl:documentation>

<wsdl:part element="ssm:authenticateResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Identifies authentication response</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="assertIdentityRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to assert user's identity. Accepts any supported identity assertion type or a response to an earlier authentication challenge, and, optionally, the type of requested identity assertion that represents the identity and application context of the authenticated user.</wsdl:documentation>

<wsdl:part element="ssm:assertIdentity" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for assertIdentity operation</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="assertIdentityResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response from user's authentication. Returns either the requested identity assertion token, an authentication challenge, or additional context requests, if required by the specific authentication provider or the authentication protocol.</wsdl:documentation>

<wsdl:part element="ssm:assertIdentityResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Identifies authentication response</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getServiceTypeRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to get service type. Takes an empty request.</wsdl:documentation>

<wsdl:part element="ssm:getServiceType" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for getServiceType operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getServiceTypeResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response containing service's type. Returns a structure that contains the service. The Web Services SSM supports five security service types: authentication, auditing, authorization, credential mapping, and role mapping.</wsdl:documentation>

<wsdl:part element="ssm:getServiceTypeResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Contains the service type.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getVersionRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to get service version. Takes an empty request.</wsdl:documentation>

<wsdl:part element="ssm:getVersion" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the getVersion operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getVersionResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response containing service version. Returns a structure that contains the version of the service.</wsdl:documentation>

<wsdl:part element="ssm:getVersionResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Contains the service version.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isAssertionTokenSupportedRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to check for of the assertion token type. Accepts the token type of the identity assertion token that represents the identity of the authenticated user.</wsdl:documentation>

<wsdl:part element="ssm:isAssertionTokenSupported" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the isAssertionTokenSupported operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isAssertionTokenSupportedResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response about assertion token support. Returns a Boolean value (true or false) to indicate whether this token is supported by this instance of the Security Service Module.</wsdl:documentation>

<wsdl:part element="ssm:isAssertionTokenSupportedResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Indicates whether an token type is supported.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isCompatibleRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to check service compatibility. Accepts service version information. You use this method to determine whether the version of the service interface specified in the web services client is compatible with the current version of the service interface in the instance of the Security Service Module.</wsdl:documentation>

<wsdl:part element="ssm:isCompatible" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the isCompatible operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isCompatibleResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response about service compatibility. Returns compatibility information.</wsdl:documentation>

<wsdl:part element="ssm:isCompatibleResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Specifies service's compatibility.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="validateIdentityRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to verify assertion token. Accepts any supported identity assertion type that represents the identity of the authenticated user.</wsdl:documentation>

<wsdl:part element="ssm:validateIdentity" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for validateIdentity operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="validateIdentityResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response about assertion token validity. Returns a structure with a Boolean value (true or false) that indicates the authenticity of the token.</wsdl:documentation>

<wsdl:part element="ssm:validateIdentityResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Specifies assertion token's validity.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isAccessAllowedRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to authorize user access. Accepts a supported type of an identity assertion token, and a runtime resource and action structures. Optionally, it can accept type of the requested identity assertion token, (representing the authenticated user's identity), application context, and authorization direction parameters.</wsdl:documentation>

<wsdl:part element="ssm:isAccessAllowed" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the isAccessAllowed operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isAccessAllowedResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response from user authorization. Returns the authorization decision (optionally accompanied by the time-to-live (TTL) value), an identity Assertion token, and a list of user roles, or, if required by the authorization provider, additional context requests.</wsdl:documentation>

<wsdl:part element="ssm:isAccessAllowedResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Identifies authorization response.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isAccessAllowedDebugRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Debug request to authorize user access. Accepts a supported type of an identity assertion token, and a runtime resource and action structures. Optionally, it can accept type of the requested identity assertion token, (representing the authenticated user's identity), application context.</wsdl:documentation>

<wsdl:part element="ssm:isAccessAllowedDebug" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the isAccessAllowed_Debug operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isAccessAllowedDebugResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Debug response from user authorization. Returns the authorization decision, evaluation debug information, (optionally accompanied by the time-to-live (TTL) value), an identity Assertion token, and a list of user roles, or, if required by the authorization provider, additional context requests.</wsdl:documentation>

<wsdl:part element="ssm:isAccessAllowedDebugResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Identifies debug authorization response.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getRolesDebugRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Debug request for user roles. Accepts a supported type of an identity token, and, optionally, runtime resource and action structures and an application context.</wsdl:documentation>

<wsdl:part element="ssm:getRolesDebug" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the getRoles_Debug operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getRolesDebugResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Debug response with user roles. Returns either a list of user roles associated with the identity or, if such is required by the Role Mapping provider, additional context requests and evaluation debug information. If the identity provided is invalid or not properly authenticated, this method returns a SOAP fault.</wsdl:documentation>

<wsdl:part element="ssm:getRolesDebugResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Contains the requested user roles.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isBulkAccessAllowedRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to bulk authorize user access. Accepts a supported type of an identity assertion token, and a list of runtime resource and action structures. Optionally, it can accept type of the requested identity assertion token, (representing the authenticated user's identity), application context, and authorization direction parameters.</wsdl:documentation>

<wsdl:part element="ssm:isBulkAccessAllowed" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the isBulkAccessAllowed operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isBulkAccessAllowedResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response from user authorization. Returns a list of the following information, the authorization decision (optionally accompanied by the time-to-live (TTL) value), an identity Assertion token, and a list of user roles, or, if required by the authorization provider, additional context requests.</wsdl:documentation>

<wsdl:part element="ssm:isBulkAccessAllowedResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Identifies bulk authorization response.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isChildResourceAccessAllowedRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to bulk authorize (child resources) user access. Accepts a supported type of an identity assertion token, and a runtime resource and action structures. Optionally, it can accept type of the requested identity assertion token, (representing the authenticated user's identity), application context, and authorization direction parameters.</wsdl:documentation>

<wsdl:part element="ssm:isChildResourceAccessAllowed" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the isChildResourceAccessAllowed operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isChildResourceAccessAllowedResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response from user authorization. Returns a list of the following information, authorization decision (optionally accompanied by the time-to-live (TTL) value), an identity Assertion token, and a list of user roles, or, if required by the authorization provider, additional context requests.</wsdl:documentation>

<wsdl:part element="ssm:isChildResourceAccessAllowedResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Identifies bulk authorization (child resources) response.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="queryActionsOnResourceRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to query actions on resource. Accepts a supported type of an identity assertion token, and a runtime resource. Optionally, it can accept requested actions, application context parameters.</wsdl:documentation>

<wsdl:part element="ssm:queryActionsOnResource" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the queryActionsOnResource operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="queryActionsOnResourceResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response from user authorization. Returns the allowed and denied actions.</wsdl:documentation>

<wsdl:part element="ssm:queryActionsOnResourceResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Identifies query actions on resource response.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="queryActionsOnChildResourceRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to query actions on resource clipping node and all child resource nodes. Accepts a supported type of an identity assertion token, and a runtime resource clipping node. Optionally, it can accept requested actions, application context parameters.</wsdl:documentation>

<wsdl:part element="ssm:queryActionsOnChildResource" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the queryActionsOnChildResource operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="queryActionsOnChildResourceResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response from user authorization. Returns the allowed and denied actions for the resource and the children of that resource.</wsdl:documentation>

<wsdl:part element="ssm:queryActionsOnChildResourceResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Identifies response for query actions on resource clipping node and all child resource nodes.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isAuthenticationRequiredRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to check whether a resource is protected. Accepts a runtime resource and a runtime action.</wsdl:documentation>

<wsdl:part element="ssm:isAuthenticationRequired" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for isAuthenticationRequired operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="isAuthenticationRequiredResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response whether authentication is required. Returns a Boolean value (true or false) that indicates whether authentication is required to access this resource. The web services client uses this method to test whether privileges are required to access a particular resource.</wsdl:documentation>

<wsdl:part element="ssm:isAuthenticationRequiredResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Identifies authentication requirements for a resource.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getCredentialsRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for credentials mapping. Accepts a supported type of an identity assertion token and a list of requested credential types. Optionally, this method can accept an identity assertion token that represents the identity of a different user and a runtime resource structure, which includes the requested resource and action and the application context.</wsdl:documentation>

<wsdl:part element="ssm:getCredentials" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for the getCredentials operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getCredentialsResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with requested credentials. Returns either a list of requested user credentials, identity assertion tokens, or, if required by the ALES Credential Mapping provider, context requests.</wsdl:documentation>

<wsdl:part element="ssm:getCredentialsResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Contains the requested user credentials.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getRolesRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for user roles. Accepts a supported type of an identity token, and, optionally, runtime resource and action structures and an application context.</wsdl:documentation>

<wsdl:part element="ssm:getRoles" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for getRoles operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getRolesResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with user roles. Returns either a list of user roles associated with the identity or, if such is required by the Role Mapping provider, additional context requests. If the identity provided is invalid or not properly authenticated, this method returns a SOAP fault.</wsdl:documentation>

<wsdl:part element="ssm:getRolesResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Contains the requested user roles.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="recordEventRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to record auditing message. Accepts an audit record, and, optionally, an identity assertion token, representing the auditing user, and an application context. Returns either an empty response or, if required by the provider, additional context requests.</wsdl:documentation>

<wsdl:part element="ssm:recordEvent" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for recordEvent operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="recordEventResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Returns a Boolean value (true or false) confirming recording an audit event.</wsdl:documentation>

<wsdl:part element="ssm:recordEventResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Contains True or false.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="locateServiceRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for service URL. Accepts the requested service type and SSM Configuration ID of the Web Services SSM that provides the service.</wsdl:documentation>

<wsdl:part element="ssm:locateService" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for locateService operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="locateServiceResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with service's URL. Returns the fully qualified URL for the endpoint of the requested service.</wsdl:documentation>

<wsdl:part element="ssm:locateServiceResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Contains requested service's URL.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="doesServiceExistRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to check the existence of the service. Accepts the requested service type and SSM Configuration ID of the Web Services Security Service Module that provides the service.</wsdl:documentation>

<wsdl:part element="ssm:doesServiceExist" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input parameters for doesServiceExist operation.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="doesServiceExistResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response indicating whether the service exists. Returns a Boolean value (true or false) that indicates whether the service exists and can be requested.</wsdl:documentation>

<wsdl:part element="ssm:doesServiceExistResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Contains True or false.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getParameterValueRequest">

<wsdl:part element="ssm:getParameterValue" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Name of the requested parameter.</wsdl:documentation>

</wsdl:part>

</wsdl:message>

<wsdl:message name="getParameterValueResponse">

<wsdl:part element="ssm:getParameterValueResponse" name="parameters">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">The requested parameter value.</wsdl:documentation>

</wsdl:part>

</wsdl:message>



<!-- WSDL Ports Section -->



<wsdl:portType name="AuthenticationPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines authentication operations.</wsdl:documentation>

<wsdl:operation name="authenticate">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the authentication method.</wsdl:documentation>

<wsdl:input message="tns:authenticateRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authentication request input.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:authenticateResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authentication response result.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authenticationFault" message="tns:authenticationFault" />

</wsdl:operation>

<wsdl:operation name="assertIdentity">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the identity assertion method.</wsdl:documentation>

<wsdl:input message="tns:assertIdentityRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Assertion request input.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:assertIdentityResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Assertion response result.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authenticationFault" message="tns:authenticationFault" />

</wsdl:operation>

<wsdl:operation name="isAssertionTokenSupported">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Checks whether an assertion token type is supported.</wsdl:documentation>

<wsdl:input message="tns:isAssertionTokenSupportedRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for support check.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isAssertionTokenSupportedResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response indicating token type support.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authenticationFault" message="tns:authenticationFault" />

</wsdl:operation>

<wsdl:operation name="validateIdentity">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Validates identity token.</wsdl:documentation>

<wsdl:input message="tns:validateIdentityRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for validating identity token.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:validateIdentityResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response indicating token validity.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service type.</wsdl:documentation>

<wsdl:input message="tns:getServiceTypeRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for service type.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getServiceTypeResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with service type.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service version.</wsdl:documentation>

<wsdl:input message="tns:getVersionRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for service version.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getVersionResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with service version.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Checks whether the service version is compatible.</wsdl:documentation>

<wsdl:input message="tns:isCompatibleRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for compatibility check.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isCompatibleResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response indicating compatibility.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

</wsdl:portType>

<wsdl:portType name="AuthorizationPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines authorization operations.</wsdl:documentation>

<wsdl:operation name="isAccessAllowed">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the access control method.</wsdl:documentation>

<wsdl:input message="tns:isAccessAllowedRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authorization request input.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isAccessAllowedResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authorization response result.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authorizationFault" message="tns:authorizationFault" />

</wsdl:operation>

<wsdl:operation name="isAccessAllowed_Debug">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the debug access control method.</wsdl:documentation>

<wsdl:input message="tns:isAccessAllowedDebugRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Debug Authorization request input.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isAccessAllowedDebugResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Debug Authorization response result.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authorizationFault" message="tns:authorizationFault" />

</wsdl:operation>

<wsdl:operation name="isBulkAccessAllowed">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the access control method.</wsdl:documentation>

<wsdl:input message="tns:isBulkAccessAllowedRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authorization request input.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isBulkAccessAllowedResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authorization response result.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authorizationFault" message="tns:authorizationFault" />

</wsdl:operation>

<wsdl:operation name="isChildResourceAccessAllowed">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the access control method.</wsdl:documentation>

<wsdl:input message="tns:isChildResourceAccessAllowedRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authorization request input.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isChildResourceAccessAllowedResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Authorization response result.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authorizationFault" message="tns:authorizationFault" />

</wsdl:operation>

<wsdl:operation name="isAuthenticationRequired">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Checks whether authentication is required on a resource.</wsdl:documentation>

<wsdl:input message="tns:isAuthenticationRequiredRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request to check resource protection.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isAuthenticationRequiredResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response indicating whether a resource is protected.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authorizationFault" message="tns:authorizationFault" />

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service type.</wsdl:documentation>

<wsdl:input message="tns:getServiceTypeRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for service type.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getServiceTypeResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with service type.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service version.</wsdl:documentation>

<wsdl:input message="tns:getVersionRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for service version.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getVersionResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with service version.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Checks whether the service version is compatible.</wsdl:documentation>

<wsdl:input message="tns:isCompatibleRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for compatibility check.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isCompatibleResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response indicating compatibility.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="queryActionsOnResource">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the query actions on resource method.</wsdl:documentation>

<wsdl:input message="tns:queryActionsOnResourceRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Query actions on resource request input.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:queryActionsOnResourceResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Query actions on resource response result.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authorizationFault" message="tns:authorizationFault" />

</wsdl:operation>

<wsdl:operation name="queryActionsOnChildResource">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the query actions on child resource method.</wsdl:documentation>

<wsdl:input message="tns:queryActionsOnChildResourceRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Query actions on child resource request input.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:queryActionsOnChildResourceResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Query actions on child resource response result.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="authorizationFault" message="tns:authorizationFault" />

</wsdl:operation>

</wsdl:portType>

<wsdl:portType name="CredentialMappingPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines credential mapping operations.</wsdl:documentation>

<wsdl:operation name="getCredentials">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the method for mapping credentials.</wsdl:documentation>

<wsdl:input message="tns:getCredentialsRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for credentials mapping.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getCredentialsResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Credential mapping results.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="credentialMappingFault" message="tns:credentialMappingFault" />

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service type.</wsdl:documentation>

<wsdl:input message="tns:getServiceTypeRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for service type.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getServiceTypeResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with service type.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service version.</wsdl:documentation>

<wsdl:input message="tns:getVersionRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for the service version.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getVersionResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with the service version.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Checks whether the service version is compatible.</wsdl:documentation>

<wsdl:input message="tns:isCompatibleRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for compatibility check.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isCompatibleResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response indicating compatibility.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

</wsdl:portType>

<wsdl:portType name="RoleMappingPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the role mapping operations.</wsdl:documentation>

<wsdl:operation name="getRoles">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the method for mapping roles.</wsdl:documentation>

<wsdl:input message="tns:getRolesRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for roles mapping.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getRolesResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Role mapping results.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="roleMappingFault" message="tns:roleMappingFault" />

</wsdl:operation>

<wsdl:operation name="getRoles_Debug">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the debug method for mapping roles.</wsdl:documentation>

<wsdl:input message="tns:getRolesDebugRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for debug roles mapping.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getRolesDebugResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Debug role mapping results.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="roleMappingFault" message="tns:roleMappingFault" />

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service type.</wsdl:documentation>

<wsdl:input message="tns:getServiceTypeRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for the service type.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getServiceTypeResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with the service type.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service version.</wsdl:documentation>

<wsdl:input message="tns:getVersionRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for the service version.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getVersionResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with the service version.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Checks whether the service version is compatible.</wsdl:documentation>

<wsdl:input message="tns:isCompatibleRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for compatibility check.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isCompatibleResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response indicating compatibility.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

</wsdl:portType>

<wsdl:portType name="AuditingPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines auditing operations.</wsdl:documentation>

<wsdl:operation name="recordEvent">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the method for recording an audit event.</wsdl:documentation>

<wsdl:input message="tns:recordEventRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input for recording an audit event.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:recordEventResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with true or false.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="auditingFault" message="tns:auditingFault" />

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service type.</wsdl:documentation>

<wsdl:input message="tns:getServiceTypeRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for the service type.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getServiceTypeResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with the service type.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the service version.</wsdl:documentation>

<wsdl:input message="tns:getVersionRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for the service version.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getVersionResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with the service version.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Checks whether the service version is compatible.</wsdl:documentation>

<wsdl:input message="tns:isCompatibleRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for a compatibility check.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:isCompatibleResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response indicating compatibility.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

</wsdl:operation>

</wsdl:portType>

<wsdl:portType name="ServiceRegistryPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the service registry operations.</wsdl:documentation>

<wsdl:operation name="locateService">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the method for locating a service by service type.</wsdl:documentation>

<wsdl:input message="tns:locateServiceRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Input for locating a service.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:locateServiceResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with the service URL.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="registryFault" message="tns:registryFault" />

</wsdl:operation>

<wsdl:operation name="doesServiceExist">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Checks whether a service of this service type exists.</wsdl:documentation>

<wsdl:input message="tns:doesServiceExistRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Request for service check.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:doesServiceExistResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Response with true or false.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="registryFault" message="tns:registryFault" />

</wsdl:operation>

</wsdl:portType>

<wsdl:portType name="ManagementPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines management operations.</wsdl:documentation>

<wsdl:operation name="getParameterValue">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Obtains the value of a requested parameter.</wsdl:documentation>

<wsdl:input message="tns:getParameterValueRequest">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Name of the requested parameter.</wsdl:documentation>

</wsdl:input>

<wsdl:output message="tns:getParameterValueResponse">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">The requested parameter value.</wsdl:documentation>

</wsdl:output>

<wsdl:fault name="serviceFault" message="tns:serviceFault" />

<wsdl:fault name="credentialMappingFault" message="tns:credentialMappingFault" />

</wsdl:operation>

</wsdl:portType>



<!-- WSDL Bindings Section -->



<wsdl:binding name="AuthenticationBinding" type="tns:AuthenticationPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">SOAP/HTTP binding for Authentication</wsdl:documentation>

<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

<wsdl:operation name="authenticate">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines binding for the authentication method</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authentication#authenticate"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authenticationFault">

<soap:fault name="authenticationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="assertIdentity">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the assertIdentity method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authentication#assertIdentity"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authenticationFault">

<soap:fault name="authenticationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isAssertionTokenSupported">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the isAssertionTokenSupported method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authentication#isAssertionTokenSupported"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authenticationFault">

<soap:fault name="authenticationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="validateIdentity">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the validateIdentity method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authentication#validateIdentity"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getServiceType method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authentication#getServiceType"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getVersion method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authentication#getVersion"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the isCompatible method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authentication#isCompatible"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

</wsdl:binding>

<wsdl:binding name="AuthorizationBinding" type="tns:AuthorizationPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">SOAP/HTTP binding for Authorization</wsdl:documentation>

<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

<wsdl:operation name="isAccessAllowed">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines binding for the isAccessAllowed method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#isAccessAllowed"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authorizationFault">

<soap:fault name="authorizationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isAccessAllowed_Debug">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines binding for the isAccessAllowed_Debug method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#isAccessAllowed_Debug"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authorizationFault">

<soap:fault name="authorizationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isBulkAccessAllowed">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines binding for the isBulkAccessAllowed method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#isBulkAccessAllowed"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authorizationFault">

<soap:fault name="authorizationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isChildResourceAccessAllowed">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines binding for the isChildResourceAccessAllowed method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#isChildResourceAccessAllowed"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authorizationFault">

<soap:fault name="authorizationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isAuthenticationRequired">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the isAuthenticationRequired method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#isAuthenticationRequired"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authorizationFault">

<soap:fault name="authorizationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getServiceType method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#getServiceType"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getVersion method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#getVersion"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the isCompatible method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#isCompatible"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="queryActionsOnResource">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines binding for the queryActionsOnResource method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#queryActionsOnResource"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authorizationFault">

<soap:fault name="authorizationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="queryActionsOnChildResource">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines binding for the queryActionsOnChildResource method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Authorization#queryActionsOnChildResource"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="authorizationFault">

<soap:fault name="authorizationFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

</wsdl:binding>

<wsdl:binding name="CredentialMappingBinding" type="tns:CredentialMappingPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">SOAP/HTTP binding for Credential mapping</wsdl:documentation>

<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

<wsdl:operation name="getCredentials">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getCredentials method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:CredentialMapping#getCredentials"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="credentialMappingFault">

<soap:fault name="credentialMappingFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getServiceType method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:CredentialMapping#getServiceType"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getVersion method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:CredentialMapping#getVersion"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the isCompatible method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:CredentialMapping#isCompatible"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

</wsdl:binding>

<wsdl:binding name="RoleMappingBinding" type="tns:RoleMappingPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">SOAP/HTTP binding for Role mapping</wsdl:documentation>

<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

<wsdl:operation name="getRoles">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getRoles method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:RoleMapping#getRoles"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="roleMappingFault">

<soap:fault name="roleMappingFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getRoles_Debug">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getRoles_Debug method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:RoleMapping#getRoles_Debug"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="roleMappingFault">

<soap:fault name="roleMappingFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getServiceType method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:RoleMapping#getServiceType"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getVersion method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:RoleMapping#getVersion"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the isCompatible method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:RoleMapping#isCompatible"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

</wsdl:binding>

<wsdl:binding name="AuditingBinding" type="tns:AuditingPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">SOAP/HTTP binding for Auditing</wsdl:documentation>

<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

<wsdl:operation name="recordEvent">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the recordEvent method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Auditing#recordEvent"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="auditingFault">

<soap:fault name="auditingFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getServiceType">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getServiceType method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Auditing#getServiceType"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="getVersion">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getVersion method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Auditing#getVersion"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="isCompatible">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the isCompatible method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Auditing#isCompatible"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

</wsdl:binding>

<wsdl:binding name="ServiceRegistryBinding" type="tns:ServiceRegistryPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">SOAP/HTTP binding for Service manager</wsdl:documentation>

<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

<wsdl:operation name="locateService">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the locateService method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:ServiceRegistry#locateService"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="registryFault">

<soap:fault name="registryFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

<wsdl:operation name="doesServiceExist">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the doesServiceExist method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:ServiceRegistry#doesServiceExist"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

<wsdl:fault name="registryFault">

<soap:fault name="registryFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

</wsdl:binding>

<wsdl:binding name="ManagementBinding" type="tns:ManagementPort">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">SOAP/HTTP binding for Management</wsdl:documentation>

<soap:binding style="document" transport="http://schemas.xmlsoap.org/soap/http"/>

<wsdl:operation name="getParameterValue">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines the binding for the getParameterValue method.</wsdl:documentation>

<soap:operation soapAction="security:ssmws:Management#getParameterValue"/>

<wsdl:input>

<soap:body use="literal"/>

</wsdl:input>

<wsdl:output>

<soap:body use="literal"/>

</wsdl:output>

<wsdl:fault name="serviceFault">

<soap:fault name="serviceFault" use="literal"/>

</wsdl:fault>

</wsdl:operation>

</wsdl:binding>



<!-- WSDL Services Section -->



<wsdl:service name="Ssmws">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Defines an instance of SSM Web Service</wsdl:documentation>

<wsdl:port binding="tns:AuthenticationBinding" name="Authentication">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Exposes the Authentication Web service on the specified HTTP port.</wsdl:documentation>

<soap:address location="http://Authentication"/>

</wsdl:port>

<wsdl:port binding="tns:AuthorizationBinding" name="Authorization">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Exposes the Authorization Web service on the specified HTTP port</wsdl:documentation>

<soap:address location="http://Authorization"/>

</wsdl:port>

<wsdl:port binding="tns:CredentialMappingBinding" name="CredentialMapping">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Exposes the CredentialMapping web service on the specified HTTP port.</wsdl:documentation>

<soap:address location="http://CredentialMapping"/>

</wsdl:port>

<wsdl:port binding="tns:RoleMappingBinding" name="RoleMapping">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Exposes the RoleMapping web service on the specified HTTP port.</wsdl:documentation>

<soap:address location="http://RoleMapping"/>

</wsdl:port>

<wsdl:port binding="tns:AuditingBinding" name="Auditing">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Exposes the Auditing web service on the specified HTTP port.</wsdl:documentation>

<soap:address location="http://Auditing"/>

</wsdl:port>

<wsdl:port binding="tns:ServiceRegistryBinding" name="ServiceRegistry">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Exposes the ServiceRegistry web service on the specified HTTP port.</wsdl:documentation>

<soap:address location="http://ServiceRegistry"/>

</wsdl:port>

<wsdl:port binding="tns:ManagementBinding" name="Management">

<wsdl:documentation xmlns:wsdl="http://schemas.xmlsoap.org/wsdl/">Exposes the management Web service on the specified HTTP port</wsdl:documentation>

<soap:address location="http://Management"/>

</wsdl:port>

</wsdl:service>



</wsdl:definitions>

ssm-soap-types.xsd



<?xml version="1.0" encoding="UTF-8"?>



<!--

Main SSM schema; it defines all relevant data structures used in the SSM's public SOAP interface

NOTE: All elements in type declarations are local (no 'ref' attributes) for gSOAP compatibility

-->



<xsd:schema

attributeFormDefault="unqualified"

elementFormDefault="qualified"

targetNamespace="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd"

version="0.1"

xmlns="http://www.w3.org/2001/XMLSchema"

xmlns:ssm="http://security.bea.com/ssmws/ssm-soap-types-1.0.xsd"

xmlns:xsd="http://www.w3.org/2001/XMLSchema">



<xsd:simpleType name="ServiceTypeEnum">

<xsd:annotation>

<xsd:documentation>One of the defined SSM services</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<xsd:enumeration value="ALES_AUDIT"/>

<xsd:enumeration value="ALES_AUTHENTICATION"/>

<xsd:enumeration value="ALES_AUTHORIZATION"/>

<xsd:enumeration value="ALES_CREDENTIAL"/>

<xsd:enumeration value="ALES_ROLE"/>

<xsd:enumeration value="ALES_MANAGEMENT"/>

</xsd:restriction>

</xsd:simpleType>

<xsd:simpleType name="ServiceCompatibilityEnum">

<xsd:annotation>

<xsd:documentation>Defines service compatibility results</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<xsd:enumeration value="ALES_NOT_COMPATIBLE"/>

<xsd:enumeration value="ALES_COMPATIBLE"/>

<xsd:enumeration value="ALES_COMPATIBLE_DEPRECATED"/>

<xsd:enumeration value="ALES_COMPATIBLE_UNKNOWN"/>

</xsd:restriction>

</xsd:simpleType>

<xsd:simpleType name="AtzDirectionEnum">

<xsd:annotation>

<xsd:documentation>Specifies authorization direction</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<xsd:enumeration value="ALES_ONCE"/>

<xsd:enumeration value="ALES_POST"/>

<xsd:enumeration value="ALES_PRIOR"/>

</xsd:restriction>

</xsd:simpleType>

<xsd:simpleType name="AuditSeverityEnum">

<xsd:annotation>

<xsd:documentation>Specifies severity of an audit record</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<xsd:enumeration value="ALES_AUDIT_FAILURE"/>

<xsd:enumeration value="ALES_ERROR"/>

<xsd:enumeration value="ALES_FAILURE"/>

<xsd:enumeration value="ALES_INFORMATIONAL"/>

<xsd:enumeration value="ALES_SUCCESS"/>

<xsd:enumeration value="ALES_WARNING"/>

</xsd:restriction>

</xsd:simpleType>

<xsd:simpleType name="TokenEncodingEnum">

<xsd:annotation>

<xsd:documentation>Specifies acceptable token encoding</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<xsd:enumeration value="ALES_BASE64"/>

</xsd:restriction>

</xsd:simpleType>

<xsd:simpleType name="CredentialMethodEnum">

<xsd:annotation>

<xsd:documentation>Specifies a supported method of gathering credentials</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<xsd:enumeration value="ALES_CHOICE"/>

<xsd:enumeration value="ALES_CONFIRMATION"/>

<xsd:enumeration value="ALES_LANGUAGE"/>

<xsd:enumeration value="ALES_NAME"/>

<xsd:enumeration value="ALES_PASSWORD"/>

<xsd:enumeration value="ALES_TEXTINPUT"/>

<xsd:enumeration value="ALES_TEXTOUTPUT"/>

</xsd:restriction>

</xsd:simpleType>

<xsd:simpleType name="CredentialTypeType">

<xsd:annotation>

<xsd:documentation>Describes names for supported credential types. It can be any non-empty string consisting of any number of alphanumeric characters and separators '.',':','_'</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<xsd:pattern value="[A-Za-z][A-Za-z0-9_:\.]*"/>

</xsd:restriction>

</xsd:simpleType>

<xsd:simpleType name="SAMLAssertionType">

<xsd:annotation>

<xsd:documentation>Represents an element for SAML Identity Assertion.</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<maxLength value='32768'/>

</xsd:restriction>

</xsd:simpleType>

<xsd:simpleType name="ALESIdentityAssertionType">

<xsd:annotation>

<xsd:documentation>Represents an element for proprietary ALES Identity Assertion.</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<maxLength value='4096'/>

</xsd:restriction>

</xsd:simpleType>

<xsd:complexType name="IdentityAssertionType">

<xsd:annotation>

<xsd:documentation>

An acceptable user's identity assertion token with an extensibility element.

Name of the passed element should match one of the registered credential types.

Encoding rules are determined by the token type.

</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:any namespace="##any" maxOccurs="1" minOccurs="0" processContents="strict" />

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="CredentialType">

<xsd:annotation>

<xsd:documentation>Additional types of credentials</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="0" name="Info" type="xsd:string"/>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="Value" type="xsd:string"/>

</xsd:sequence>

<xsd:attribute name="Type" type="ssm:CredentialMethodEnum"/>

<!--

<xsd:anyAttribute namespace="##other" processContents="lax"/>

-->

</xsd:complexType>

<xsd:complexType name="IdentityCredentialType">

<xsd:annotation>

<xsd:documentation>Acceptable user's credentials</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" name="Credential" type="ssm:CredentialType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="IdentityRoleType">

<xsd:annotation>

<xsd:documentation>Represents a role assigned to an identity</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="Name" type="xsd:QName"/>

<xsd:element maxOccurs="1" minOccurs="0" name="Description" type="xsd:string"/>

</xsd:sequence>

<!--

<xsd:anyAttribute namespace="##other" processContents="lax"/>

-->

</xsd:complexType>

<xsd:complexType name="IdentityRolesType">

<xsd:annotation>

<xsd:documentation>Represents a role collection</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" name="Roles" type="ssm:IdentityRoleType"/>

<xsd:element maxOccurs="1" minOccurs="0" name="RolesTtlAdvice" type="xsd:int"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="CredentialTypesType">

<xsd:annotation>

<xsd:documentation>Array of credential types</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" name="CredentialType" type="ssm:CredentialTypeType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="ChallengeType">

<xsd:annotation>

<xsd:documentation>Challenge for authentication handshake</xsd:documentation>

</xsd:annotation>

<xsd:all>

<xsd:element maxOccurs="1" minOccurs="1" name="ChallengeCode" type="xsd:NCName"/>

<xsd:element maxOccurs="1" minOccurs="0" name="ChallengeState" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="0" name="Blob" type="xsd:base64Binary"/>

</xsd:all>

<!--

<xsd:attribute name="Algorithm" type="xsd:QName" use="optional"/>

<xsd:anyAttribute namespace="##other" processContents="lax"/>

-->

</xsd:complexType>

<xsd:complexType name="ContextRequestsType">

<xsd:annotation>

<xsd:documentation>Array of context challenges</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" name="ContextAttribute" type="xsd:QName"/>

</xsd:sequence>

<!--

<xsd:anyAttribute namespace="##other" processContents="lax"/>

-->

</xsd:complexType>

<xsd:simpleType name="IpType">

<xsd:annotation>

<xsd:documentation>This type represents an IP address XXX.XXX.XXX.XXX</xsd:documentation>

</xsd:annotation>

<xsd:restriction base="xsd:string">

<xsd:pattern value="(\d{1,3}\.){3}\d{1,3}"/>

</xsd:restriction>

</xsd:simpleType>

<xsd:complexType name="ContextRecordType">

<xsd:annotation>

<xsd:documentation>Name/value pair to pass context data</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="RecordName" type="xsd:QName"/>

<xsd:choice>

<xsd:element maxOccurs="1" minOccurs="1" name="StringValue" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="BoolValue" type="xsd:boolean"/>

<xsd:element maxOccurs="1" minOccurs="1" name="DateTimeValue" type="xsd:dateTime"/>

<xsd:element maxOccurs="1" minOccurs="1" name="TimeValue" type="xsd:time"/>

<xsd:element maxOccurs="1" minOccurs="1" name="IntValue" type="xsd:int"/>

<xsd:element maxOccurs="1" minOccurs="1" name="IpValue" type="ssm:IpType"/>

</xsd:choice>

</xsd:sequence>

<!--

<xsd:anyAttribute namespace="##other" processContents="lax"/>

-->

</xsd:complexType>

<xsd:complexType name="ContextType">

<xsd:annotation>

<xsd:documentation>Structure for passing context data</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" name="Record" type="ssm:ContextRecordType"/>

</xsd:sequence>

<!--

<xsd:attribute name="Type" type="xsd:QName" use="optional"/>

<xsd:anyAttribute namespace="##other" processContents="lax"/>

-->

</xsd:complexType>

<xsd:complexType name="ServiceVersionType">

<xsd:annotation>

<xsd:documentation>Used to pass service version information</xsd:documentation>

</xsd:annotation>

<xsd:all>

<xsd:element maxOccurs="1" minOccurs="1" name="MajorVersion" type="xsd:int"/>

<xsd:element maxOccurs="1" minOccurs="1" name="MinorVersion" type="xsd:int"/>

<xsd:element maxOccurs="1" minOccurs="1" name="PatchLevel" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Version" type="xsd:long"/>

</xsd:all>

</xsd:complexType>

<xsd:complexType name="EmptyAttributedType">

<xsd:annotation>

<xsd:documentation>Specifies an empty type with any attribute</xsd:documentation>

</xsd:annotation>

<!--

<xsd:anyAttribute namespace="##any" processContents="lax"/>

-->

</xsd:complexType>

<xsd:complexType name="RuntimeActionType">

<xsd:annotation>

<xsd:documentation>Represents a runtime action</xsd:documentation>

</xsd:annotation>

<xsd:all>

<xsd:element maxOccurs="1" minOccurs="1" name="ActionString" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="AuthorityName" type="xsd:string"/>

</xsd:all>

</xsd:complexType>

<xsd:complexType name="RuntimeResourceType">

<xsd:annotation>

<xsd:documentation>Represents a runtime resource</xsd:documentation>

</xsd:annotation>

<xsd:all>

<xsd:element maxOccurs="1" minOccurs="1" name="ResourceString" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="AuthorityName" type="xsd:string"/>

</xsd:all>

</xsd:complexType>

<xsd:complexType name="AuditRecordType">

<xsd:annotation>

<xsd:documentation>Represents an audit record</xsd:documentation>

</xsd:annotation>

<xsd:all>

<xsd:element maxOccurs="1" minOccurs="1" name="AuthorityName" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Severity" type="ssm:AuditSeverityEnum"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Message" type="xsd:string"/>

</xsd:all>

</xsd:complexType>

<xsd:complexType name="FaultInfoType">

<xsd:annotation>

<xsd:documentation>Represents a server-side error</xsd:documentation>

</xsd:annotation>

<xsd:all>

<xsd:element maxOccurs="1" minOccurs="0" name="Description" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="0" name="TextInfo" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="0" name="BinInfo" type="xsd:base64Binary"/>

</xsd:all>

</xsd:complexType>

<xsd:complexType name="AtzDecisionDataType">

<xsd:annotation>

<xsd:documentation>Represents data accompanying authorization decisions</xsd:documentation>

</xsd:annotation>

<xsd:all>

<xsd:element maxOccurs="1" minOccurs="0" name="AtzTtlAdvice" type="xsd:int"/>

<xsd:element maxOccurs="1" minOccurs="0" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="0" name="IdentityRoles" type="ssm:IdentityRolesType"/>

<xsd:element maxOccurs="1" minOccurs="0" name="Responses" type="ssm:ContextType"/>

</xsd:all>

</xsd:complexType>



<!-- Types for "wrapped" document style

NOTE: nillable="true" is used instead of minOccurs="0" to indicate optional elements. This is done to accommodate the buggy

implementation of optional parameters in Axis 1.1

-->

<xsd:complexType name="IsCompatibleType">

<xsd:annotation>

<xsd:documentation>Service compatibility check request's wrapper</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="ServiceVersion" type="ssm:ServiceVersionType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="AuthenticateType">

<xsd:annotation>

<xsd:documentation>Authentication request's wrapper</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityCredential" type="ssm:IdentityCredentialType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RequestedCredentialType" type="ssm:CredentialTypeType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="AssertIdentityType">

<xsd:annotation>

<xsd:documentation>Identity assertion request's wrapper</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="RequestedCredentialType" type="ssm:CredentialTypeType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="IsAssertionTokenSupportedType">

<xsd:annotation>

<xsd:documentation>Token type check request's wrapper</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="AssertionCredentialType" type="ssm:CredentialTypeType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="ValidateIdentityType">

<xsd:annotation>

<xsd:documentation>Token validation request's wrapper</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="IsAccessAllowedType">

<xsd:annotation>

<xsd:documentation>Authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeAction" type="ssm:RuntimeActionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="RequestedCredentialType" type="ssm:CredentialTypeType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AtzDirection" type="ssm:AtzDirectionEnum"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="IsChildResourceAccessAllowedType">

<xsd:annotation>

<xsd:documentation>Authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="ResourceAction" type="ssm:ResourceActionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="RequestedCredentialType" type="ssm:CredentialTypeType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="ResourceActionType">

<xsd:annotation>

<xsd:documentation>Resource Action Pair</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeAction" type="ssm:RuntimeActionType"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="IsBulkAccessAllowedType">

<xsd:annotation>

<xsd:documentation>Bulk Authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="unbounded" minOccurs="1" name="ResourceAction" type="ssm:ResourceActionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="RequestedCredentialType" type="ssm:CredentialTypeType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="IsAuthenticationRequiredType">

<xsd:annotation>

<xsd:documentation>Request to check whether resource is protected</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeAction" type="ssm:RuntimeActionType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="GetCredentialsType">

<xsd:annotation>

<xsd:documentation>Credential mapping request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RequestedCredentialTypes" type="ssm:CredentialTypesType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeAction" type="ssm:RuntimeActionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="GetRolesType">

<xsd:annotation>

<xsd:documentation>Request for user roles</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeAction" type="ssm:RuntimeActionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="RecordEventType">

<xsd:annotation>

<xsd:documentation>Auditing request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="AuditRecord" type="ssm:AuditRecordType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="SsmIdType">

<xsd:annotation>

<xsd:documentation>Service locating request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="ServiceType" type="ssm:ServiceTypeEnum"/>

<xsd:element maxOccurs="1" minOccurs="1" name="SsmId" type="xsd:string"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="AuthenticationResultType">

<xsd:annotation>

<xsd:documentation>Response to an authentication request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:choice>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="Challenge" type="ssm:ChallengeType" />

</xsd:choice>

<xsd:element maxOccurs="unbounded" minOccurs="1" nillable="true" name="StatusInfo" type="xsd:string"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="AuthorizationResultType">

<xsd:annotation>

<xsd:documentation>Response to an authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="AccessAllowed" type="xsd:boolean"/>

<xsd:choice>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AtzDecisionData" type="ssm:AtzDecisionDataType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="ContextRequests" type="ssm:ContextRequestsType"/>

</xsd:choice>

</xsd:sequence>

</xsd:complexType>



<!-- for bulk authorization API -->

<xsd:complexType name="ExtendedAuthorizationResultType">

<xsd:annotation>

<xsd:documentation>Response to a bulk authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeAction" type="ssm:RuntimeActionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AtzResult" type="ssm:AuthorizationResultType"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="BulkChildAuthorizationResultType">

<xsd:annotation>

<xsd:documentation>Response to a bulk authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" nillable="true" name="AtzResult" type="ssm:ExtendedAuthorizationResultType"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="BulkAuthorizationResultType">

<xsd:annotation>

<xsd:documentation>Response to a bulk authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" nillable="true" name="AtzResult" type="ssm:ExtendedAuthorizationResultType"/>

</xsd:sequence>

</xsd:complexType>





<xsd:complexType name="GetCredentialsResultType">

<xsd:annotation>

<xsd:documentation>Response to a credential mapping request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" nillable="true" name="MissingTypes" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="IdentityCredential" type="ssm:IdentityCredentialType"/>

<xsd:element maxOccurs="unbounded" minOccurs="1" nillable="true" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="DoesServiceExistResponseType">

<xsd:annotation>

<xsd:documentation>Response to an authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="doesServiceExistResponse" type="xsd:boolean"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="getParameterValueType">

<xsd:annotation>

<xsd:documentation>Request parameter of getParameterValue request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="getParameterValue" type="xsd:string"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="getParameterValueResponseType">

<xsd:annotation>

<xsd:documentation>Response to a getParameterValue request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="getParameterValueResponse" type="xsd:string"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="RecordEventResponseType">

<xsd:annotation>

<xsd:documentation>Response to a record event request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="recordEventResponse" type="xsd:boolean"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="AuthenticationRequiredResponseType">

<xsd:annotation>

<xsd:documentation>Response to an authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="isAuthenticationRequiredResponse" type="xsd:boolean"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="AssertionTokenSupportedResponseType">

<xsd:annotation>

<xsd:documentation>Response to an authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="isAssertionTokenSupportedResponse" type="xsd:boolean"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="ValidateIdentityResponseType">

<xsd:annotation>

<xsd:documentation>Response to an authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="validateIdentityResponse" type="xsd:boolean"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="ComplexAnyURI">

<xsd:annotation>

<xsd:documentation>A complex URI</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="locateServiceResponse" type="xsd:anyURI"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="GetServiceTypeReturnType">

<xsd:annotation>

<xsd:documentation>Return type from the getServiceType method</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="ServiceType" type="ssm:ServiceTypeEnum"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="IsCompatibleReturnType">

<xsd:annotation>

<xsd:documentation>Return type from the isCompatible method</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="Value" type="ssm:ServiceCompatibilityEnum"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="RequestedActionsType">

<xsd:annotation>

<xsd:documentation>Wrapper for the requested actions</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" name="Actions" type="ssm:RuntimeActionType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="QueryActionsOnResourceType">

<xsd:annotation>

<xsd:documentation>Query actions on resource request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="RequestedActions" type="ssm:RequestedActionsType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="QueryActionsOnResourceResultType">

<xsd:annotation>

<xsd:documentation>Response to a Query actions on resource request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeEntitlement" type="ssm:RuntimeEntitlementType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="ResponseContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="RuntimeEntitlementType">

<xsd:annotation>

<xsd:documentation>Represents a set of granted and denied actions on a resource</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="GrantedActions" type="ssm:RuntimeActionType"/>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="DeniedActions" type="ssm:RuntimeActionType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="QueryActionsOnChildResourceType">

<xsd:annotation>

<xsd:documentation>Query actions on child resource request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="RequestedActions" type="ssm:RequestedActionsType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="QueryActionsOnChildResourceResultType">

<xsd:annotation>

<xsd:documentation>Response to a Query actions on child resource request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="EntitlementList" type="ssm:RuntimeEntitlementType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="ResponseContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>



<xsd:complexType name="ConstraintAttributeType">

<xsd:annotation>

<xsd:documentation>Represents attribute and its value used in a policy constraint</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="Name" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Type" type="xsd:int"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="Value" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="DataType" type="xsd:string"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="AuthorizationPolicyType">

<xsd:annotation>

<xsd:documentation>Represents evaluated Authorization policy</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="PolicyEvaluationResult" type="xsd:boolean"/>

<xsd:element maxOccurs="1" minOccurs="1" name="PolicyType" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Privilege" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Resource" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Subject" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="Constraints" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="Delegator" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="Notes" type="xsd:string"/>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="AttributeList" type="ssm:ConstraintAttributeType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="RolePolicyType">

<xsd:annotation>

<xsd:documentation>Represents evaluated Role policy</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="PolicyEvaluationResult" type="xsd:boolean"/>

<xsd:element maxOccurs="1" minOccurs="1" name="PolicyType" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Role" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Resource" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" name="Subject" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="Constraints" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="Delegator" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="Notes" type="xsd:string"/>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="AttributeList" type="ssm:ConstraintAttributeType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="UserInfoType">

<xsd:annotation>

<xsd:documentation>Information about "user" making request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="QualifiedGroupNameList" type="xsd:string"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="QualifiedUserName" type="xsd:string"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="DebugInfoType">

<xsd:annotation>

<xsd:documentation>Stores the evaluation results for Authorization and user roles requests</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="AuthorizationPolicyList" type="ssm:AuthorizationPolicyType"/>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="GrantedRoleList" type="xsd:string"/>

<xsd:element maxOccurs="unbounded" minOccurs="0" name="RolePolicyList" type="ssm:RolePolicyType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="UserInfo" type="ssm:UserInfoType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="ResourceLocated" type="xsd:boolean"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="IsAccessAllowedDebugType">

<xsd:annotation>

<xsd:documentation>Debug Authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeAction" type="ssm:RuntimeActionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="RequestedCredentialType" type="ssm:CredentialTypeType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="AuthorizationDebugResultType">

<xsd:annotation>

<xsd:documentation>Response to a debug authorization request</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="AccessAllowed" type="xsd:boolean"/>

<xsd:choice>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AtzDecisionData" type="ssm:AtzDecisionDataType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="ContextRequests" type="ssm:ContextRequestsType"/>

</xsd:choice>

<xsd:element maxOccurs="1" minOccurs="1" name="DebugInfo" type="ssm:DebugInfoType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="GetRolesDebugType">

<xsd:annotation>

<xsd:documentation>Debug request for user roles</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="1" minOccurs="1" name="IdentityAssertion" type="ssm:IdentityAssertionType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeResource" type="ssm:RuntimeResourceType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="RuntimeAction" type="ssm:RuntimeActionType"/>

<xsd:element maxOccurs="1" minOccurs="1" nillable="true" name="AppContext" type="ssm:ContextType"/>

</xsd:sequence>

</xsd:complexType>

<xsd:complexType name="GetRolesDebugResponseType">

<xsd:annotation>

<xsd:documentation>Represents a role collection</xsd:documentation>

</xsd:annotation>

<xsd:sequence>

<xsd:element maxOccurs="unbounded" minOccurs="1" name="Roles" type="ssm:IdentityRoleType"/>

<xsd:element maxOccurs="1" minOccurs="1" name="DebugInfo" type="ssm:DebugInfoType"/>

<xsd:element maxOccurs="1" minOccurs="0" name="RolesTtlAdvice" type="xsd:int"/>

</xsd:sequence>

</xsd:complexType>



<!-- Elements for "wrapped" document style -->

<xsd:element name="getServiceType" type="ssm:EmptyAttributedType"/>

<xsd:element name="getVersion" type="ssm:EmptyAttributedType"/>

<xsd:element name="isCompatible" type="ssm:IsCompatibleType"/>

<xsd:element name="authenticate" type="ssm:AuthenticateType"/>

<xsd:element name="assertIdentity" type="ssm:AssertIdentityType"/>

<xsd:element name="isAssertionTokenSupported" type="ssm:IsAssertionTokenSupportedType"/>

<xsd:element name="validateIdentity" type="ssm:ValidateIdentityType"/>

<xsd:element name="isAccessAllowed" type="ssm:IsAccessAllowedType"/>

<xsd:element name="isAuthenticationRequired" type="ssm:IsAuthenticationRequiredType"/>

<xsd:element name="getCredentials" type="ssm:GetCredentialsType"/>

<xsd:element name="getRoles" type="ssm:GetRolesType"/>

<xsd:element name="recordEvent" type="ssm:RecordEventType"/>

<xsd:element name="locateService" type="ssm:SsmIdType"/>

<xsd:element name="doesServiceExist" type="ssm:SsmIdType"/>

<xsd:element name="getServiceTypeResponse" type="ssm:GetServiceTypeReturnType"/>

<xsd:element name="getVersionResponse" type="ssm:ServiceVersionType"/>

<xsd:element name="isCompatibleResponse" type="ssm:IsCompatibleReturnType"/>

<xsd:element name="authenticateResponse" type="ssm:AuthenticationResultType"/>

<xsd:element name="assertIdentityResponse" type="ssm:AuthenticationResultType"/>

<xsd:element name="isAssertionTokenSupportedResponse" type="ssm:AssertionTokenSupportedResponseType"/>

<xsd:element name="validateIdentityResponse" type="ssm:ValidateIdentityResponseType"/>

<xsd:element name="isAccessAllowedResponse" type="ssm:AuthorizationResultType"/>

<xsd:element name="isAuthenticationRequiredResponse" type="ssm:AuthenticationRequiredResponseType"/>

<xsd:element name="getCredentialsResponse" type="ssm:GetCredentialsResultType"/>

<xsd:element name="getRolesResponse" type="ssm:IdentityRolesType"/>

<xsd:element name="locateServiceResponse" type="ssm:ComplexAnyURI"/>

<xsd:element name="doesServiceExistResponse" type="ssm:DoesServiceExistResponseType"/>

<xsd:element name="recordEventResponse" type="ssm:RecordEventResponseType"/>

<xsd:element name="getParameterValue" type="ssm:getParameterValueType"/>

<xsd:element name="getParameterValueResponse" type="ssm:getParameterValueResponseType"/>

<xsd:element name="queryActionsOnResource" type="ssm:QueryActionsOnResourceType"/>

<xsd:element name="queryActionsOnChildResource" type="ssm:QueryActionsOnChildResourceType"/>

<xsd:element name="queryActionsOnResourceResponse" type="ssm:QueryActionsOnResourceResultType"/>

<xsd:element name="queryActionsOnChildResourceResponse" type="ssm:QueryActionsOnChildResourceResultType"/>



<xsd:element name="serviceFailure" type="ssm:FaultInfoType"/>

<xsd:element name="authenticationFailure" type="ssm:FaultInfoType"/>

<xsd:element name="authorizationFailure" type="ssm:FaultInfoType"/>

<xsd:element name="credentialMappingFailure" type="ssm:FaultInfoType"/>

<xsd:element name="roleMappingFailure" type="ssm:FaultInfoType"/>

<xsd:element name="auditingFailure" type="ssm:FaultInfoType"/>

<xsd:element name="registryFailure" type="ssm:FaultInfoType"/>

<xsd:element name="xacmlFailure" type="ssm:FaultInfoType"/>



<!-- for bulk authorization API -->

<xsd:element name="isBulkAccessAllowed" type="ssm:IsBulkAccessAllowedType"/>

<xsd:element name="isBulkAccessAllowedResponse" type="ssm:BulkAuthorizationResultType"/>

<xsd:element name="isChildResourceAccessAllowed" type="ssm:IsChildResourceAccessAllowedType"/>

<xsd:element name="isChildResourceAccessAllowedResponse" type="ssm:BulkChildAuthorizationResultType"/>



<!-- for debug authorization and get roles API -->

<xsd:element name="isAccessAllowedDebug" type="ssm:IsAccessAllowedDebugType"/>

<xsd:element name="isAccessAllowedDebugResponse" type="ssm:AuthorizationDebugResultType"/>

<xsd:element name="getRolesDebug" type="ssm:GetRolesDebugType"/>

<xsd:element name="getRolesDebugResponse" type="ssm:GetRolesDebugResponseType"/>



</xsd:schema>