The following figure shows an overview of the process of creating a new Signer by the SAM service.
Figure 17: Overview of the Create_New_Signer operation flow
A Privileged User or Privileged User Technical uses the SAM peer interface to request the operation. Authentication and identification of the requesting user is required beforehand.
When the request is retrieved, the SAM service verifies that the requestor is authenticated and identified (based on the processes and configuration presented earlier).
If the authenticity and identity check is successful, the SAM service creates a new Signer based on the data it received with the request. More precisely, the SAM service stores the given user information in the form of a user entry in the SAM DB. Otherwise, an error is returned.
A user entry has the following structure: {UserID, Role, Certificates}. The 'UserID' is a UUID. For a Signer, 'Role' has the value 'Signer'. Certificates' can contain one or more certificates.
|
Purpose |
This operation is invoked by the requestor to create a new Signer. |
||
|
Interface |
SAM Peer Interface (see [IF_SPI]) |
||
|
Method of use |
The operation is called by client software according to the SAM peer interface specification (see [IF_SPI]). |
||
|
Inputs |
Parameter |
Type |
Description |
|
userid |
String |
UserID of the user to be created |
|
|
|
certificates |
Binary[] |
Certificates of the IdP authorized to sign Identity Tokens for this user (multiple certificates are allowed to enable certificate rollover). |
|
Output |
Parameter |
Type |
Description |
|
|
void |
A result without errors indicates a positive operation. |
|
|
Error Messages |
Type |
Reason |
|
|
ContainerParseError |
If the input cannot be parsed into a message container |
||
|
MessageParseError |
If the input data cannot be parsed into the specified message type |
||
|
UnknownMessageType |
The contained message type was not known to the processor |
||
|
UnknownCredentialType |
The credential type included was not known to the processor |
||
|
AuthenticationError |
The credential could not be validated |
||
|
UnknownUser |
The credential could not be associated with a user |
||
|
NotAuthorized |
If the acting user is not authorized to perform the current operation |
||
|
NotOperational |
A component (e.g. , HSM) is not available or not in an operational state |
||
|
UnexpectedError |
When an error condition occurs that was not anticipated |
||
|
InvalidInput |
When the set of certificates is empty |
||
|
Security Audit Log Entry |
In case of success An audit record is created that contains at least the following information |
|
|
|
|
|
In case of an error |
|
|
The following errors emit regular log messages, but no audit log entries (since no acting user could be deduced): |
|
|
|
|
|
Otherwise |
|
|
An audit record is created containing at least the following information |
|
|
|
Table 18: Description of the Create_New_Signer operation