3.3.1.1 Resource IP/STS Abstract Data Model Extensions

The following is a potential representation that a resource IP/STS can use to organize the data describing its federation partners. The federation partner record is used as specified in section 3.1.1.3, with the following extensions and dependencies on the range of values allowed for each field:

Identifier: For a requestor IP/STS from another security realm, it MUST be the wtrealm value, as specified in section 3.1.1.3. For a WS resource, it MUST be an identifier that is unique within the security realm such as a web server or web application URL or URI.

Role: There are three possible values for this field: requestor IP/STS, relying party, and WS resource. For a partner from another security realm, this field MAY contain requestor IP/STS or relying party or both values, as specified in section 3.1.1.3. For a partner within the security realm, this field SHOULD only contain WS resource.<69>

URL: If the Role field contains requestor IP/STS or relying party, this field MUST contain a URL. If the Role field contains WS resource, a URL MAY be present but is not required because this information can be reliably passed in using the wreply parameter.<70>

Certificate (optional): If the Role field contains requestor IP/STS, the Certificate field MUST contain a certificate, as specified in section 3.1.1.3. Otherwise, this field does not apply.
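The field rules above are easiest to see as a validator over concrete partner records. The following is an added example, not code from the [MS-MWBF] specification or from any Microsoft implementation; the record type, function names, and the sample partner identifiers and URLs (`contoso.example`, `fabrikam.example`) are assumptions constructed for illustration. It encodes the MUST rules (wtrealm/URI identifier, URL for cross-realm roles, certificate for a requestor IP/STS) as hard errors and the SHOULD rule (a partner within the realm carries only the WS resource role) as a warning, and includes the lookup a resource IP/STS performs when a request arrives with a given wtrealm.

```python
"""Added example (not part of [MS-MWBF]): a resource IP/STS federation partner
record with the field constraints of section 3.3.1.1 enforced by a validator."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# The three Role values named in the section.
REQUESTOR_IPSTS = "requestor IP/STS"
RELYING_PARTY = "relying party"
WS_RESOURCE = "WS resource"
KNOWN_ROLES = frozenset({REQUESTOR_IPSTS, RELYING_PARTY, WS_RESOURCE})


@dataclass
class FederationPartner:
    # wtrealm for a partner from another realm; a realm-unique URL/URI for a WS resource
    identifier: str
    roles: frozenset = field(default_factory=frozenset)
    # endpoint URL; required when the partner is a requestor IP/STS or relying party
    url: Optional[str] = None
    # token-signing certificate (PEM/DER bytes); required for a requestor IP/STS
    certificate: Optional[bytes] = None


def _is_absolute_url(value: str) -> bool:
    parts = urlparse(value)
    return bool(parts.scheme) and bool(parts.netloc)


def validate_partner(p: FederationPartner) -> List[Tuple[str, str]]:
    """Return (level, message) findings; an empty list means the record is acceptable.
    'MUST' findings are hard errors, 'SHOULD' findings are warnings, 'INFO' is advisory."""
    findings = []
    if not p.roles or (p.roles - KNOWN_ROLES):
        findings.append(("MUST", "Role must hold one or more of the three defined values"))
    cross_realm = bool(p.roles & {REQUESTOR_IPSTS, RELYING_PARTY})

    # Identifier: the wtrealm for a cross-realm partner, a URL/URI for a WS resource.
    if not p.identifier:
        findings.append(("MUST", "Identifier is required"))
    elif WS_RESOURCE in p.roles and not cross_realm and not _is_absolute_url(p.identifier):
        findings.append(("MUST", "WS resource Identifier must be a web server/application URL or URI"))

    # Role: a partner within the security realm should only be a WS resource.
    if WS_RESOURCE in p.roles and cross_realm:
        findings.append(("SHOULD", "A partner within the realm should only have the WS resource role"))

    # URL: mandatory for the requestor IP/STS and relying party roles; a WS resource
    # may omit it because the reply address arrives in the wreply parameter.
    if cross_realm and (p.url is None or not _is_absolute_url(p.url)):
        findings.append(("MUST", "URL is required for requestor IP/STS and relying party roles"))

    # Certificate: mandatory for a requestor IP/STS, not applicable otherwise.
    if REQUESTOR_IPSTS in p.roles and not p.certificate:
        findings.append(("MUST", "Certificate is required for the requestor IP/STS role"))
    elif REQUESTOR_IPSTS not in p.roles and p.certificate:
        findings.append(("INFO", "Certificate does not apply to this role and is ignored"))
    return findings


def must_errors(p: FederationPartner) -> List[str]:
    """Only the hard (MUST) violations, as messages."""
    return [msg for level, msg in validate_partner(p) if level == "MUST"]


def find_partner(partners, identifier: str) -> Optional[FederationPartner]:
    """Look up the record matching a wtrealm (or WS resource URL) presented in a request."""
    for p in partners:
        if p.identifier == identifier:
            return p
    return None


# Constructed sample records with hypothetical names (not taken from the specification).
SAMPLE_PARTNERS = [
    FederationPartner("urn:federation:contoso", frozenset({REQUESTOR_IPSTS}),
                      url="https://sts.contoso.example/adfs/ls/",
                      certificate=b"-----BEGIN CERTIFICATE-----\n...placeholder...\n"),
    FederationPartner("https://app.fabrikam.example/claims/", frozenset({WS_RESOURCE})),
]

if __name__ == "__main__":
    for partner in SAMPLE_PARTNERS:
        print(partner.identifier, validate_partner(partner))
```

Running the block prints an empty findings list for both constructed records; dropping the URL or certificate from the requestor IP/STS record surfaces the corresponding MUST errors, and combining the WS resource role with a cross-realm role yields only the SHOULD warning.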