The identity token (ID token) is the authorization type used to authenticate users of server signing.
The ID token contains the user ID; the user's role is determined from the information in the SAM database. In the case of a Privileged Technical User, the role can also be determined from a signature whose X.509 certificate is stored in the SAM. The role is checked in the respective operation. An identity token of an unregistered user, or a signature made with an unregistered X.509 certificate, is not accepted.
The detailed ASN.1 definition of the ID token data structure is given below.
-- Identity Token
SignedIdentityToken ::= SEQUENCE {
    data               CompactIdentityToken,
    signer             IssuerSerial,
    signatureAlgorithm AlgorithmIdentifier,
    signature          OCTET STRING,
    type               OBJECT IDENTIFIER OPTIONAL
}

CompactIdentityToken ::= SEQUENCE {
    userId            DirectoryString,
    notBefore         GeneralizedTime,
    notAfter          GeneralizedTime,
    groupAssociations SET OF CompactGroupAssociation,
    extensions        [0] IMPLICIT CompactExtensions
}

CompactExtensions ::= SET OF CompactExtension

CompactExtension ::= SEQUENCE {
    oid  OBJECT IDENTIFIER,
    data ANY DEFINED BY oid
}

-- Note: both alternatives are untagged SEQUENCEs, so a decoder cannot tell
-- them apart by the outer tag; it has to look at the first component
-- (OCTET STRING for the short form, [0] for the long form).
CompactRoleAssociation ::= CHOICE {
    shortRoleAssociation CompactShortRoleAssociation,
    longRoleAssociation  CompactLongRoleAssociation
}

CompactShortRoleAssociation ::= SEQUENCE {
    shortId    OCTET STRING,
    extensions [2] IMPLICIT CompactExtensions
}

CompactLongRoleAssociation ::= SEQUENCE {
    app        [0] DirectoryString,
    role       [1] DirectoryString,
    extensions [2] IMPLICIT CompactExtensions
}

CompactGroupAssociation ::= SEQUENCE {
    id               OCTET STRING,
    roleAssociations SET OF CompactRoleAssociation,
    extensions       [0] IMPLICIT CompactExtensions
}
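To make the structure and the acceptance rules above concrete, here is an added example (not the page's or the SAM's own code) that DER-encodes and decodes a CompactIdentityToken with a hand-written minimal encoder and then applies the checks the text describes: the user must be registered in the SAM, the token must be inside its notBefore/notAfter window, and the role for the operation is taken from the SAM database rather than from the token. The example assumes DirectoryString is carried as UTF8String, that tags are EXPLICIT unless the module says IMPLICIT, that the extensions SETs are empty, and that the outer SignedIdentityToken signature has already been verified (only the `data` part is handled here). `SAM_DB`, `sample_token`, the user ids and the group/role values are constructed for the example. Because both CHOICE alternatives of CompactRoleAssociation are untagged SEQUENCEs, the decoder distinguishes them by the first component, as noted in the ASN.1.

```python
# Added example, not the SAM's code: minimal DER for CompactIdentityToken plus
# the acceptance checks. Assumes UTF8String for DirectoryString, EXPLICIT
# tagging unless IMPLICIT is stated, empty extensions, signature checked elsewhere.
from datetime import datetime, timezone

SEQ, SET, OCTETS, UTF8, GENTIME = 0x30, 0x31, 0x04, 0x0C, 0x18

def ctx(n):
    return 0xA0 | n                       # constructed context-specific tag [n]

def utc(*ymdh):
    return datetime(*ymdh, tzinfo=timezone.utc)

def _length(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def gentime(dt):
    return tlv(GENTIME, dt.strftime("%Y%m%d%H%M%SZ").encode())

def encode_role(role):
    """role is ('short', id_bytes) or ('long', app, role_name)."""
    ext = tlv(ctx(2), b"")                # extensions [2] IMPLICIT, empty SET
    if role[0] == "short":
        return tlv(SEQ, tlv(OCTETS, role[1]) + ext)
    app = tlv(ctx(0), tlv(UTF8, role[1].encode()))   # app [0] DirectoryString, explicit tag
    rol = tlv(ctx(1), tlv(UTF8, role[2].encode()))   # role [1] DirectoryString
    return tlv(SEQ, app + rol + ext)

def encode_token(user_id, not_before, not_after, groups):
    """groups maps a group id (bytes) to a list of roles; DER sorts SET OF members."""
    gas = sorted(tlv(SEQ, tlv(OCTETS, gid)
                          + tlv(SET, b"".join(sorted(encode_role(r) for r in roles)))
                          + tlv(ctx(0), b""))
                 for gid, roles in groups.items())
    return tlv(SEQ, tlv(UTF8, user_id.encode()) + gentime(not_before) + gentime(not_after)
               + tlv(SET, b"".join(gas)) + tlv(ctx(0), b""))

def read_tlv(buf, pos=0):
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                          # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def read_all(buf):
    items, pos = [], 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        items.append((tag, body))
    return items

def expect(item, tag):
    if item[0] != tag:
        raise ValueError(f"expected tag {tag:#x}, got {item[0]:#x}")
    return item[1]

def decode_role(body):
    items = read_all(body)
    # Both CHOICE alternatives are untagged SEQUENCEs; the first component
    # tells them apart: OCTET STRING => short form, [0] => long form.
    if items[0][0] == OCTETS:
        return ("short", items[0][1])
    app = expect(read_all(expect(items[0], ctx(0)))[0], UTF8).decode()
    rol = expect(read_all(expect(items[1], ctx(1)))[0], UTF8).decode()
    return ("long", app, rol)

def decode_token(der):
    tag, body, end = read_tlv(der)
    if tag != SEQ or end != len(der):
        raise ValueError("token is not a single SEQUENCE")
    uid, nb, na, ga, ext = read_all(body)
    expect(ext, ctx(0))
    when = lambda it: datetime.strptime(expect(it, GENTIME).decode(),
                                        "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    groups = {}
    for g in read_all(expect(ga, SET)):
        gid, roles, _gext = read_all(expect(g, SEQ))
        groups[expect(gid, OCTETS)] = [decode_role(expect(r, SEQ))
                                       for r in read_all(expect(roles, SET))]
    return {"userId": expect(uid, UTF8).decode(),
            "notBefore": when(nb), "notAfter": when(na), "groups": groups}

# Constructed stand-in for the SAM database: registered user ids and their roles.
SAM_DB = {"alice": {"signer"}, "bob": {"operator"}}

def authorize(der, now, required_role, sam_db=SAM_DB):
    """Return the user id if the token is acceptable for required_role, else raise."""
    tok = decode_token(der)
    if tok["userId"] not in sam_db:       # tokens of unregistered users are rejected
        raise PermissionError("unregistered user")
    if not tok["notBefore"] <= now <= tok["notAfter"]:
        raise PermissionError("token outside its validity period")
    if required_role not in sam_db[tok["userId"]]:   # role comes from the SAM, not the token
        raise PermissionError("role not permitted for this operation")
    return tok["userId"]

def accepts(der, now, required_role, sam_db=SAM_DB):
    try:
        return authorize(der, now, required_role, sam_db) is not None
    except (PermissionError, ValueError):
        return False

def sample_token(user_id="alice"):   # constructed token: one group with one short and one long role
    return encode_token(user_id, utc(2024, 1, 1), utc(2024, 1, 2),
                        {b"\x01": [("short", b"\x2a"), ("long", "sigapp", "signer")]})
```

`accepts()` folds malformed DER (a `ValueError` from the decoder) into the same negative answer as a failed check, which is how a signing operation would treat it: a token it cannot parse is simply not accepted. Keeping the role decision on the SAM side, as the text requires, means a token that merely claims a role cannot grant it.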