[MS-WSTIM]:

WS-Transfer: Identity Management Operations for Directory Access Extensions

Intellectual Property Rights Notice for Open Specifications Documentation

Technical Documentation. Microsoft publishes Open Specifications documentation for protocols, file formats, languages, standards as well as overviews of the interaction among each of these technologies.

Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you may make copies of it in order to develop implementations of the technologies described in the Open Specifications and may distribute portions of it in your implementations using these technologies or your documentation as necessary to properly document the implementation. You may also distribute in your implementation, with or without modification, any schema, IDL's, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Patents. Microsoft has patents that may cover your implementations of the technologies described in the Open Specifications. Neither this notice nor Microsoft's delivery of the documentation grants any licenses under those or any other Microsoft patents. However, a given Open Specification may be covered by Microsoft Open Specification Promise or the Community Promise. If you would prefer a written license, or if the technologies described in the Open Specifications are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting .

Trademarks. The names of companies and products contained in this documentation may be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks.

Fictitious Names. The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications do not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments you are free to take advantage of them. Certain Open Specifications are intended for use in conjunction with publicly available standard specifications and network programming art, and assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Preliminary Documentation. This Open Specification provides documentation for past and current releases and/or for the pre-release version of this technology. This Open Specification is final documentation for past or current releases as specifically noted in the document, as applicable; it is preliminary documentation for the pre-release versions. Microsoft will release final documentation in connection with the commercial release of the updated or new version of this technology. As the documentation may change between this preliminary version and the final version of this technology, there are risks in relying on preliminary documentation. To the extent that you incur additional development obligations or any other costs as a result of relying on this preliminary documentation, you do so at your own risk.

Revision Summary

Date / Revision History / Revision Class / Comments /
12/5/2008 / 0.1 / Major / Initial Availability
1/16/2009 / 0.1.1 / Editorial / Changed language and formatting in the technical content.
2/27/2009 / 0.1.2 / Editorial / Changed language and formatting in the technical content.
4/10/2009 / 0.1.3 / Editorial / Changed language and formatting in the technical content.
5/22/2009 / 0.1.4 / Editorial / Changed language and formatting in the technical content.
7/2/2009 / 0.2 / Minor / Clarified the meaning of the technical content.
8/14/2009 / 1.0 / Major / Updated and revised the technical content.
9/25/2009 / 2.0 / Major / Updated and revised the technical content.
11/6/2009 / 2.1 / Minor / Clarified the meaning of the technical content.
12/18/2009 / 3.0 / Major / Updated and revised the technical content.
1/29/2010 / 3.1 / Minor / Clarified the meaning of the technical content.
3/12/2010 / 4.0 / Major / Updated and revised the technical content.
4/23/2010 / 4.0.1 / Editorial / Changed language and formatting in the technical content.
6/4/2010 / 4.1 / Minor / Clarified the meaning of the technical content.
7/16/2010 / 4.1 / None / No changes to the meaning, language, or formatting of the technical content.
8/27/2010 / 4.1 / None / No changes to the meaning, language, or formatting of the technical content.
10/8/2010 / 4.1 / None / No changes to the meaning, language, or formatting of the technical content.
11/19/2010 / 4.1 / None / No changes to the meaning, language, or formatting of the technical content.
1/7/2011 / 4.1 / None / No changes to the meaning, language, or formatting of the technical content.
2/11/2011 / 4.1 / None / No changes to the meaning, language, or formatting of the technical content.
3/25/2011 / 4.1 / None / No changes to the meaning, language, or formatting of the technical content.
5/6/2011 / 4.1 / None / No changes to the meaning, language, or formatting of the technical content.
6/17/2011 / 4.2 / Minor / Clarified the meaning of the technical content.
9/23/2011 / 4.2 / None / No changes to the meaning, language, or formatting of the technical content.
12/16/2011 / 5.0 / Major / Updated and revised the technical content.
3/30/2012 / 5.0 / None / No changes to the meaning, language, or formatting of the technical content.
7/12/2012 / 5.0 / None / No changes to the meaning, language, or formatting of the technical content.
10/25/2012 / 6.0 / Major / Updated and revised the technical content.
1/31/2013 / 6.0 / None / No changes to the meaning, language, or formatting of the technical content.
8/8/2013 / 7.0 / Major / Updated and revised the technical content.
11/14/2013 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.
5/15/2014 / 7.0 / None / No changes to the meaning, language, or formatting of the technical content.
6/30/2015 / 8.0 / Major / Significantly changed the technical content.

Table of Contents

1 Introduction
1.1 Glossary
1.2 References
1.2.1 Normative References
1.2.2 Informative References
1.3 Overview
1.3.1 Identity Objects
1.3.2 Dialect
1.4 Relationship to Other Protocols
1.5 Prerequisites/Preconditions
1.6 Applicability Statement
1.7 Versioning and Capability Negotiation
1.8 Vendor-Extensible Fields
1.9 Standards Assignments
2 Messages
2.1 Transport
2.2 Common Message Syntax
2.2.1 Namespaces
2.2.2 Messages
2.2.3 Elements
2.2.3.1 AttributeType
2.2.3.2 AttributeTypeAndValue
2.2.3.3 AttributeTypeNotValidForDialect
2.2.3.4 AttributeTypeNotValidForEntry
2.2.3.5 AttributeTypeOrValueAlreadyExists
2.2.3.6 IdentityManagementOperation
2.2.4 Complex Types
2.2.4.1 AttributeTypeAndValueXmlType
2.2.4.2 ExtensibleType
2.2.4.3 ValueXmlType
2.2.5 Simple Types
2.2.6 Attributes
2.2.6.1 SizeLimit
2.2.6.2 Dialect
2.2.7 Groups
2.2.8 Attribute Groups
2.3 Directory Service Schema Elements
3 Protocol Details
3.1 Common Server Processing
3.1.1 Abstract Data Model
3.1.2 Timers
3.1.3 Initialization
3.1.4 Message Processing Events and Sequencing Rules
3.1.4.1 SOAP Header Processing
3.1.4.2 SOAP Faults
3.1.4.2.1 wsman:AccessDenied
3.1.4.2.2 wsman:AlreadyExists
3.1.4.2.3 wsman:CannotProcessFilter
3.1.4.2.4 wsa2004:DestinationUnreachable
3.1.4.2.5 wsman:EncodingLimit
3.1.4.2.6 wsa2004:EndpointUnavailable
3.1.4.2.7 wsman:FragmentDialectNotSupported
3.1.4.2.8 wxf:InvalidRepresentation
3.1.4.2.9 wsman:SchemaValidationError
3.1.4.2.10 UnwillingToPerform
3.1.5 Timer Events
3.1.6 Other Local Events
3.2 Resource Server Details
3.2.1 Abstract Data Model
3.2.2 Timers
3.2.3 Initialization
3.2.4 Message Processing Events and Sequencing Rules
3.2.4.1 Get
3.2.4.1.1 Messages
3.2.4.1.1.1 BaseObjectSearchRequestMessage
3.2.4.1.1.2 BaseObjectSearchResponseMessage
3.2.4.1.2 Elements
3.2.4.1.2.1 BaseObjectSearchRequest
3.2.4.1.2.2 BaseObjectSearchResponse
3.2.4.1.3 Complex Types
3.2.4.1.3.1 PartialAttributeXmlType
3.2.4.2 Put
3.2.4.2.1 Messages
3.2.4.2.1.1 ModifyRequestMessage
3.2.4.2.1.2 ModifyResponseMessage
3.2.4.2.2 Elements
3.2.4.2.2.1 ModifyRequest
3.2.4.2.2.2 Change
3.2.4.2.3 Simple Types
3.2.4.2.3.1 OperationXmlType
3.2.4.3 Delete
3.2.5 Timer Events
3.2.6 Other Local Events
3.3 ResourceFactory Server Details
3.3.1 Abstract Data Model
3.3.2 Timers
3.3.3 Initialization
3.3.4 Message Processing Events and Sequencing Rules
3.3.4.1 Create
3.3.4.1.1 Messages
3.3.4.1.1.1 AddRequestMessage
3.3.4.1.1.2 AddResponseMessage
3.3.4.1.2 Elements
3.3.4.1.2.1 AddRequest
3.3.5 Timer Events
3.3.6 Other Local Events
4 Protocol Examples
4.1 Example of Creating an Identity Object
4.2 Example of Retrieving Attribute Types from an Identity Object
4.3 Example of Retrieving the Complete XML Representation of an Identity Object
4.4 Example of Modifying an Identity Object
5 Security
5.1 Security Considerations for Implementers
5.2 Index of Security Parameters
6 Appendix A: Full WSDL
7 Appendix B: Product Behavior
8 Change Tracking
9 Index

1  Introduction

The WS-Transfer: Identity Management Operations for Directory Access Extensions (henceforth referred to as "IMDA") are a set of extensions to the WS-Transfer protocol [WXFR] for representing the protocol operations commonly used for directory access in identity management protocols.

The goal of this specification is to enable identity management client applications, which are currently using non-Web service protocols such as Lightweight Directory Access Protocol (LDAP) v3 [RFC2251] for managing information held in directory services, to instead use Web service protocols.

This protocol extension is designed to layer atop the WS-Transfer protocol and to be composable with the WS-Management protocol [DMTF-DSP0226].

Sections 1.8, 2, and 3 of this specification are normative and can contain the terms MAY, SHOULD, MUST, MUST NOT, and SHOULD NOT as defined in [RFC2119]. Sections 1.5 and 1.9 are also normative but do not contain those terms. All other sections and examples in this specification are informative.

1.1  Glossary

The following terms are specific to this document:

Active Directory Domain Services (AD DS): A directory service (DS) implemented by a domain controller (DC). The DS provides a data store for objects that is distributed across multiple DCs. The DCs interoperate as peers to ensure that a local change to an object replicates correctly across DCs. For more information, see [MS-AUTHSOD] section 1.1.1.5.2 and [MS-ADTS]. For information about product versions, see [MS-ADTS] section 1. See also Active Directory.

Active Directory Lightweight Directory Services (AD LDS): A directory service (DS) implemented by a domain controller (DC). The most significant difference between AD LDS and Active Directory Domain Services (AD DS) is that AD LDS does not host domain naming contexts (domain NCs). A server can host multiple AD LDS DCs. Each DC is an independent AD LDS instance, with its own independent state. AD LDS can be run as an operating system DS or as a directory service provided by a standalone application (Active Directory Application Mode (ADAM)). For more information, see [MS-ADTS]. See also Active Directory.

constructed attribute: An attribute whose values are computed from normal attributes (for read) and/or have effects on the values of normal attributes (for write).

dialect: A specification of a format and rules for the expressions comprising an identity attribute type. An identity attribute type can only be understood if it is known what dialect it is written in and how that dialect maps expressions to identity attributes. A dialect is uniquely identified by a URI.

directory attribute: An identifier for a single-valued or multi-valued data element that is associated with a directory object.

directory object: A Lightweight Directory Access Protocol (LDAP) object, as specified in [RFC2251], that is a specialization of an object.

directory service (DS): A service that stores and organizes information about a computer network's users and network shares, and that allows network administrators to manage users' access to the shares. See also Active Directory.

endpoint: A client that is on a network and is requesting access to a network access server (NAS).

file/directory attributes: The attributes of a file or a directory, as specified in [MS-FSCC].

identity attribute: A property of an identity object consisting of one or more identity attribute values. All the values of an identity attribute are related by a common purpose or meaning. For example, the collection of telephone numbers belonging to a user may form an identity attribute on the identity object that represents that user's account. An identity attribute is an abstraction over physical realizations such as directory attributes. An identity attribute is named by an identity attribute type.

identity attribute type: An expression, written in a dialect, that identifies an identity attribute. The relationship between identity attribute types and identity attributes is many-to-one. An identity attribute type uniquely names an identity attribute, but one identity attribute can be named by multiple identity attribute types, each written in a different dialect. This is analogous to how a directory attribute can be referred to by either an LDAP display name or by an object identifier (OID).

identity attribute value: The value of an identity attribute. For example, in an identity attribute representing a user's telephone numbers, each telephone number is an identity attribute value. Identity attribute values have implementation-defined XML representations.

identity object: An entity that is a collection of one or more identity attributes. For example, an identity object could represent a user's account. An identity object is an abstraction over physical realizations such as directory objects.

Lightweight Directory Access Protocol (LDAP): The primary access protocol for Active Directory. Lightweight Directory Access Protocol (LDAP) is an industry-standard protocol, established by the Internet Engineering Task Force (IETF), which allows users to query and update information in a directory service (DS), as described in [MS-ADTS]. The Lightweight Directory Access Protocol can be either version 2 [RFC1777] or version 3 [RFC3377].