The IdentityMappingRuleType structure defines a single rule for selecting a UserIdentityToken. The structure is described in Table 9.
Table 9 – IdentityMappingRuleType

| Name | Type | Description |
|---|---|---|
| IdentityMappingRuleType | Structure | Specifies a rule used to map a UserIdentityToken to a Role. |
| criteriaType | Enumeration IdentityCriteriaType | The type of criteria contained in the identity mapping rule. The IdentityCriteriaType is defined in 4.4.4. |
| criteria | String | The criteria which the UserIdentityToken must meet for a Session to be mapped to the Role. The meaning of the criteria depends on the criteriaType, as described below. The criteria shall be null or an empty string for Anonymous, AuthenticatedUser and TrustedApplication. |

If the criteriaType is UserName, the criteria is the name of a user known to the Server, for example the name of a local operating system account or of a user managed by the Server as defined in 5.2.
If the criteriaType is Thumbprint, the criteria is the thumbprint of a user Certificate, encoded as a hexadecimal string with upper-case characters and without spaces.
If the criteriaType is Role, the criteria is the name of a restriction found in the Access Token; for example, the Role "subscriber" may only be allowed to access PubSub related Nodes. If the issuedTokenType of the Access Token is "http://opcfoundation.org/UA/UserToken#JWT", the criteria is one of the entries in the roles array of the JWT IssuedIdentityToken. If "iss" is present in the JWT IssuedIdentityToken, the criteria is that entry prefixed with the value of "iss" followed by a '/' (slash), so that a role name issued by one Authorization Service cannot satisfy a rule written for another.
If the criteriaType is GroupId, the criteria is a generic text identifier for a user group specific to the Authorization Service. For example, an Authorization Service providing access to an Active Directory may add one or more Windows Security Groups to the Access Token. OPC 10000-6 provides details on how groups are added to Access Tokens. If the issuedTokenType of the Access Token is "http://opcfoundation.org/UA/UserToken#JWT", the criteria is one of the entries in the groups array of the JWT IssuedIdentityToken. If "iss" is present in the JWT IssuedIdentityToken, the criteria is that entry prefixed with the value of "iss" followed by a '/' (slash).
If the criteriaType is Anonymous, the criteria shall be null or an empty string. The criteriaType applies if no user credentials have been provided.
If the criteriaType is AuthenticatedUser, the criteria shall be null or an empty string. The criteriaType applies if any valid user credentials have been provided.
If the criteriaType is TrustedApplication, the criteria shall be null or an empty string. The criteriaType applies for any Client application with a trusted ApplicationInstance Certificate. The Client Certificate shall be trusted by the Server and the Session shall use at least a signed communication channel.
If the criteriaType is Application, the criteria is the ApplicationUri from the Client Certificate used for the Session. The Client Certificate shall be trusted by the Server and the Session shall use at least a signed communication channel. This criteria type is used if a Role should be granted to a Session for Application Authentication with Anonymous UserIdentityToken. If a Role should be granted to a Session for Application Authentication combined with User Authentication, the Applications Property on the RoleType is combined with the Identities Property on the RoleType as defined in 4.4.1.
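
To make the criteriaType cases above concrete, here is an added example, written for this page and not code from OPC 10000 or from any OPC UA stack, that evaluates the Identities rules of several Roles against a Session. It covers every criteriaType except X509Subject. The Session fields, the Role names, the Access Token contents and the thumbprint are constructed assumptions; a real Server fills the Session from its own validation of the UserIdentityToken and the SecureChannel, and the numeric enumeration values of IdentityCriteriaType are not the ones from 4.4.4.

```python
import re
from dataclasses import dataclass, field
from enum import Enum
from typing import Any, Dict, List, Optional, Set

JWT_TOKEN_TYPE = "http://opcfoundation.org/UA/UserToken#JWT"
_HEX_UPPER = re.compile(r"[0-9A-F]+")

# Member names follow IdentityCriteriaType in 4.4.4; the numeric values used here are not the spec's.
IdentityCriteriaType = Enum("IdentityCriteriaType", "UserName Thumbprint Role GroupId Anonymous "
                            "AuthenticatedUser Application TrustedApplication")
T = IdentityCriteriaType


@dataclass(frozen=True)
class IdentityMappingRule:
    criteria_type: IdentityCriteriaType
    criteria: Optional[str] = None

    def __post_init__(self) -> None:
        # Reject malformed rules when they are configured, not when a user logs in.
        if self.criteria_type in (T.Anonymous, T.AuthenticatedUser, T.TrustedApplication):
            if self.criteria:
                raise ValueError(f"{self.criteria_type.name} rule shall have null or empty criteria")
        elif not self.criteria:
            raise ValueError(f"{self.criteria_type.name} rule needs a criteria")
        elif self.criteria_type is T.Thumbprint and not _HEX_UPPER.fullmatch(self.criteria):
            raise ValueError("Thumbprint criteria shall be upper-case hex without spaces")


@dataclass
class Session:
    """What the Server has established about the caller (assumed fields, not any stack's API)."""
    user_name: Optional[str] = None               # from a validated UserNameIdentityToken
    user_cert_thumbprint: Optional[str] = None    # from a validated X509IdentityToken, upper-case hex
    issued_token_type: Optional[str] = None       # IssuedIdentityToken type URI
    jwt_claims: Dict[str, Any] = field(default_factory=dict)  # claims of a signature-verified JWT
    client_cert_trusted: bool = False             # ApplicationInstance Certificate is trusted
    client_application_uri: Optional[str] = None  # ApplicationUri taken from that Certificate
    channel_signed: bool = False                  # MessageSecurityMode is Sign or SignAndEncrypt

    def has_user_credentials(self) -> bool:
        return bool(self.user_name or self.user_cert_thumbprint or self.jwt_claims)

    def trusted_application(self) -> bool:
        # TrustedApplication and Application both need a trusted Certificate and at least a signed channel.
        return self.client_cert_trusted and self.channel_signed

    def jwt_entries(self, claim: str) -> Set[str]:
        """Entries of the JWT 'roles' or 'groups' array, prefixed with '<iss>/' when 'iss' is present."""
        if self.issued_token_type != JWT_TOKEN_TYPE:
            return set()
        iss = self.jwt_claims.get("iss")
        return {f"{iss}/{e}" if iss else str(e) for e in self.jwt_claims.get(claim, [])}


# One predicate per criteriaType: (Session, criteria) -> bool
_CHECKS = {
    T.Anonymous: lambda s, c: not s.has_user_credentials(),
    T.AuthenticatedUser: lambda s, c: s.has_user_credentials(),
    T.TrustedApplication: lambda s, c: s.trusted_application(),
    T.Application: lambda s, c: s.trusted_application() and s.client_application_uri == c,
    T.UserName: lambda s, c: s.user_name is not None and s.user_name == c,
    T.Thumbprint: lambda s, c: s.user_cert_thumbprint == c,
    T.Role: lambda s, c: c in s.jwt_entries("roles"),
    T.GroupId: lambda s, c: c in s.jwt_entries("groups"),
}


def rule_matches(rule: IdentityMappingRule, s: Session) -> bool:
    return _CHECKS[rule.criteria_type](s, rule.criteria)


def roles_for(s: Session, identities: Dict[str, List[IdentityMappingRule]]) -> Set[str]:
    """Roles whose Identities Property holds at least one rule the Session satisfies."""
    return {role for role, rules in identities.items() if any(rule_matches(r, s) for r in rules)}


# Constructed sample configuration and Sessions, not taken from any deployment.
IDENTITIES = {
    "Anonymous": [IdentityMappingRule(T.Anonymous)],
    "AuthenticatedUser": [IdentityMappingRule(T.AuthenticatedUser)],
    "Operator": [IdentityMappingRule(T.UserName, "operator"),
                 IdentityMappingRule(T.Thumbprint, "A1B2C3D4E5F60718293A4B5C6D7E8F9012345678")],
    "Subscriber": [IdentityMappingRule(T.Role, "https://idp.example.com/subscriber")],
    "Maintenance": [IdentityMappingRule(T.GroupId, "https://idp.example.com/S-1-5-21-1-2-3-1107")],
    "ConfigTool": [IdentityMappingRule(T.Application, "urn:example:config-tool")],
}
JWT_SESSION = Session(issued_token_type=JWT_TOKEN_TYPE,
                      jwt_claims={"iss": "https://idp.example.com", "sub": "alice",
                                  "roles": ["subscriber"], "groups": ["S-1-5-21-1-2-3-1107"]},
                      client_cert_trusted=True, channel_signed=True,
                      client_application_uri="urn:example:config-tool")
# Same Client Certificate, no user token, MessageSecurityMode None: Application must not match.
ANON_SESSION = Session(client_cert_trusted=True, channel_signed=False,
                       client_application_uri="urn:example:config-tool")

if __name__ == "__main__":
    print(sorted(roles_for(JWT_SESSION, IDENTITIES)))   # ['AuthenticatedUser', 'ConfigTool', 'Maintenance', 'Subscriber']
    print(sorted(roles_for(ANON_SESSION, IDENTITIES)))  # ['Anonymous']
```

Two details carry the security weight. A Role rule written as plain "subscriber" does not match the JWT session, because the token carries "iss" and the rule must therefore be "https://idp.example.com/subscriber"; without the prefix, any Authorization Service the Server accepts tokens from could mint a "subscriber" role. And the anonymous session presents the same trusted Client Certificate but over an unsigned channel, so the Application rule fails: without a signature on the channel the ApplicationUri in the Certificate proves nothing about who sent the messages.
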
If the criteriaType is X509Subject, the criteria is the X509 subject name of a user Certificate trusted by the Server, or the X509 subject name of an issuer of the user Certificate. A rule that names an issuer matches every user Certificate that chains to that issuer, so it grants the Role to all of that issuer's subjects rather than to one user.
The subject name criteria is a sequence of name=value pairs separated by '/'. Each name shall be one of the entries in Table 10 and shall be followed by '=' and then the value, which is always enclosed in double quotes ('"'). Pairs shall appear in the order given in Table 10, lowest number first. Every Table 10 attribute present in the Certificate shall be included in the criteria; attributes not listed in Table 10 must not be included and are ignored when matching. If one name occurs several times in the Certificate, it is repeated in the criteria, with the entries in the order they appear in the Certificate. A value may contain any printable characters except '"'. Example: CN="User Name"/O="Company". All names listed in Table 10 that are included in the X509 subject name shall match the content of the criteria String.
Table 10 contains all subject name attributes whose support is required by X509 and some commonly used attributes whose support is optional. Additional fields may be added in the future.
Table 10 – Order for subject name criteria

| Order | Name | Value |
|---|---|---|
| 1 | CN | Common Name |
| 2 | O | Organization |
| 3 | OU | Organization Unit |
| 4 | DC | Domain Component |
| 5 | L | Locality |
| 6 | S | State |
| 7 | C | Country |
| 8 | dnQualifier | Distinguished name qualifier |
| 9 | serialNumber | Serial number |

Note that the short name used here for State is "S", whereas the RFC 4514 string representation of the same attribute (stateOrProvinceName) uses "ST"; an implementation that derives the criteria from an RFC 4514 DN string must map that name before comparing.

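
An added example, not from the specification or from any OPC UA stack, of building the X509Subject criteria string from a parsed subject name according to Table 10, checking that a configured rule is already in canonical form, and matching a rule against a user Certificate's own subject or its issuer's subject. The subject is taken as an ordered list of (short name, value) pairs in Certificate order; mapping a certificate parser's attribute OIDs to these short names is assumed to have happened already, and the sample subjects are constructed.

```python
import re
from typing import List, Sequence, Tuple

# Table 10: attribute short name -> order; lower numbers come first in the criteria.
SUBJECT_NAME_ORDER = {"CN": 1, "O": 2, "OU": 3, "DC": 4, "L": 5, "S": 6, "C": 7,
                      "dnQualifier": 8, "serialNumber": 9}
_PAIR = re.compile(r'([A-Za-z]+)="([^"]*)"')

Pair = Tuple[str, str]


def build_subject_criteria(subject: Sequence[Pair]) -> str:
    """Canonical X509Subject criteria for a subject given as (short name, value) pairs in
    Certificate order: Table 10 names only, Table 10 order, repeats kept in Certificate
    order, every value in double quotes."""
    kept = []
    for name, value in subject:
        if name not in SUBJECT_NAME_ORDER:
            continue  # names not in Table 10 are ignored
        if '"' in value or not value.isprintable():
            raise ValueError(f"value of {name} cannot be expressed in a criteria: {value!r}")
        kept.append((SUBJECT_NAME_ORDER[name], name, value))
    kept.sort(key=lambda t: t[0])  # list.sort is stable, so repeated names keep Certificate order
    return "/".join(f'{name}="{value}"' for _, name, value in kept)


def parse_subject_criteria(criteria: str) -> List[Pair]:
    """Split a criteria string into pairs. Values may contain '/', so a plain split on '/'
    would be wrong; the quoted form is parsed instead."""
    pairs, pos = [], 0
    while pos < len(criteria):
        m = _PAIR.match(criteria, pos)
        if m is None:
            raise ValueError(f"malformed criteria at offset {pos}: {criteria!r}")
        pairs.append((m.group(1), m.group(2)))
        pos = m.end()
        if pos < len(criteria):
            if criteria[pos] != "/":
                raise ValueError(f"expected '/' at offset {pos}: {criteria!r}")
            pos += 1
    return pairs


def is_canonical(criteria: str) -> bool:
    """True if a configured criteria already has the Table 10 names, order and quoting.
    Rules failing this check should be rejected at configuration time: matching is an
    exact string comparison, so a misordered rule would silently never match anyone."""
    try:
        pairs = parse_subject_criteria(criteria)
    except ValueError:
        return False
    return (bool(pairs) and all(n in SUBJECT_NAME_ORDER for n, _ in pairs)
            and build_subject_criteria(pairs) == criteria)


def subject_rule_matches(criteria: str, user_subject: Sequence[Pair],
                         issuer_subject: Sequence[Pair]) -> bool:
    """X509Subject rule matches the user Certificate's own subject or its issuer's subject.
    A rule naming the issuer grants the Role to every Certificate that issuer signed."""
    return criteria in (build_subject_criteria(user_subject), build_subject_criteria(issuer_subject))


# Constructed sample subjects in Certificate order (not from real certificates).
USER_SUBJECT = [("C", "DE"), ("OU", "Ops"), ("O", "Company"), ("CN", "User Name"),
                ("OU", "Dev"), ("emailAddress", "user@example.com")]
ISSUER_SUBJECT = [("CN", "Example CA"), ("O", "Company")]

if __name__ == "__main__":
    print(build_subject_criteria(USER_SUBJECT))  # CN="User Name"/O="Company"/OU="Ops"/OU="Dev"/C="DE"
    print(is_canonical('O="Company"/CN="User Name"'))  # False: wrong order
    print(subject_rule_matches('CN="Example CA"/O="Company"', USER_SUBJECT, ISSUER_SUBJECT))  # True
```

The sample user subject deliberately lists OU before O, repeats OU, and carries an emailAddress attribute: the canonical form reorders by Table 10, keeps the two OU values in Certificate order and drops the attribute Table 10 does not list. Comparing canonical strings rather than raw DN strings is what makes two certificates with the same attributes but a different encoding order match the same rule.
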
The IdentityMappingRuleType Structure representation in the AddressSpace is defined in Table 11.

Table 11 – IdentityMappingRuleType definition

| Attributes | Value |
|---|---|
| BrowseName | IdentityMappingRuleType |
| IsAbstract | False |

| References | NodeClass | BrowseName | IsAbstract | Description |
|---|---|---|---|---|
| Subtype of Structure defined in OPC 10000-5. | | | | |

| Conformance Units |
|---|
| Base Info ServerType |