1. 11

2. 2 1.read policy for submitOrder() client application 2. call submitOrder() including [planky, ****] submitOrder() requires [name,password] cred

3. 3 1.read policy for submitOrder() 2.read policy for request security token 3.request security token passing [planky, ****] submitOrder() requires {role} from sts_authentication {role} requires [name,password] cred security token service sts_authentication application

4. 4 5.call “submit order” with security token security token service sts_authentication 4. request security token response {role=purchaser} signed sts_authentication mapping: (planky,****)  {role = purchaser} “submit order” requires {role} from sts_authentication application

5. 5 1.read policy for submitOrder() security token service sts_authorization “authorization claims provider” security token service sts_authentication “identity claims provider” 2.read policy for request security token 4.request security token passing [planky’s kerb ticket] 3.read policy for request security token submitOrder() requires {submit order} from sts_authorization {submit order} requires {role} claim from sts_authentication {role} requires [kerb ticket] or [name/pwd] cred client application

6. 6 call submitOrder() client security token service sts_authorization security token service sts_authentication mapping: planky  {role = purchaser} mapping: {role = purchaser}  {submit order = true} {role=purchaser} signed sts_authentication {submit order = true} signed sts_authorization {role=purchaser} signed sts_authentication submitOrder() requires {submit order} claim from sts_authorization submitOrder() requires {role} claim from sts_authentication application