WSO2 Identity Server as an XACML Engine

What is XACML?

Pamoda Wimalasiri
Identity Beyond Borders
5 min read · May 22, 2020


XACML (eXtensible Access Control Markup Language) is an XML-based language for access control that has been standardized by a Technical Committee of the OASIS consortium. XACML is widely used in the community as a fine-grained authorization method.

In my previous blog, “Beginner’s guide to XACML”, I discussed the basics of XACML. If you are new to XACML, that blog will help you understand the XACML architecture, the basic syntax, and how to write a simple XACML policy.

In this blog, I will walk you through how you can enforce XACML policies in WSO2 Identity Server for fine-grained authorization. WSO2 Identity Server includes full support for policies based on XACML 2.0 and 3.0.

I’m using the latest version, WSO2 Identity Server 5.10.0. You can download the product from the WSO2 website. [1]

XACML Architecture

The above diagram shows the XACML architecture. The XACML policy creation and publishing steps are marked with the green arrows. Let’s see how we can create an XACML policy with the Identity Server.

Assuming that you are familiar with the WSO2 Identity Server, I will jump straight into configuring XACML policies. Otherwise, you can read our official documentation. [2]

Scenario

Enforced Policy
If a user tries to GET resourceA, access is granted only if the user is from the country Sri Lanka and has the role “Engineer”.

Prerequisites
For this sample, I have created the following three users in the Identity Server.

  • user “Alice” with role “Engineer” in Sri Lanka
  • user “Bob” with role “Engineer” in America
  • user “George” with role “Manager” in Australia

Let’s see how we can enforce this authorization policy using the WSO2 Identity Server. The policy will evaluate the “http://wso2.org/claims/role” and the “http://wso2.org/claims/country” of the subject.

Create Policy

  1. Log in to the Management Console using your username and password.
  2. Navigate to the Main menu to access the Entitlement menu. Click Policy Administration under PAP.

Policy Administration Point

  3. Click on “Add New Entitlement Policy” to create a new XACML policy.

Add New Policy View

  4. You can select a policy creation method from the next UI. I will write a policy using XML.

You can copy the policy given below and click on the “Save Policy” button.
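As an added example (not the author’s original policy, which is not reproduced on this page), the following XACML 3.0 policy implements the scenario above: the Target matches a GET on resourceA, the single Permit rule checks the subject’s “http://wso2.org/claims/role” and “http://wso2.org/claims/country” claims, and the deny-unless-permit combining algorithm turns every other outcome into Deny. The PolicyId and RuleId names are my own choices.

```xml
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
        PolicyId="resourceA-get-policy"
        RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit"
        Version="1.0">
  <Description>Permit GET on resourceA only for Engineers from Sri Lanka; deny everything else</Description>
  <!-- Target: the policy applies only to action GET on resource resourceA -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resourceA</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                               Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Rule: both subject claims must hold. string-is-in tests membership in the bag
       of values the designator returns, so a user with several roles still matches. -->
  <Rule RuleId="permit-engineer-from-sri-lanka" Effect="Permit">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Engineer</AttributeValue>
          <AttributeDesignator AttributeId="http://wso2.org/claims/role"
                               Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Apply>
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Sri Lanka</AttributeValue>
          <AttributeDesignator AttributeId="http://wso2.org/claims/country"
                               Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
                               DataType="http://www.w3.org/2001/XMLSchema#string"
                               MustBePresent="false"/>
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>
```

With MustBePresent="false" on the claim designators, a user whose country or role claim is missing simply fails the condition and is denied rather than producing an Indeterminate result.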

The sample policy is now created. Next, you need to add it to the PDP in order for it to be evaluated. Let’s see how you can do that.

Publish Policy

  1. Navigate to the Main menu to access the Entitlement menu. Click Policy Administration under PAP.
  2. Now you can see all the policies you have. Click on “Publish To My PDP” against the policy that we wrote just now.

PAP view

  3. Then click on “Publish” after selecting the necessary options.

Policy Decision Point

  1. Navigate to the Main menu to access the Entitlement menu. Click Policy View under PDP. You can see the list of published policies here.

PDP View

When you have multiple policies, you can define the policy combining algorithm from the PDP view.

Trying it out

The XACML TryIt Tool allows users to test their policies easily without creating and sending authorization requests to WSO2 Identity Server. It is a UI tool through which authorization requests can be created and evaluated against available policies in the system. You can create simple authorization requests using the web UI of the TryIt Tool.

  1. Log in to the Management Console.
  2. Click Tools and click TryIt under the XACML section.

TryIt tool

  3. The following fields are given in the create request UI. You can construct your request by filling out these fields.

  • Multiple Request — This enables you to evaluate multiple requests in order to make multiple decisions on multiple actions.
  • Return Policy List — Returns a list of all fully applicable policies and policy sets that were used in the decision.
  • Resource — Represents the resource that the user has requested to access.
  • Subject Name — Identifies the user who is accessing the resources.
  • Action Name — Action the user is trying to perform.
  • Environment Name — Provides additional information to evaluate the request, such as the current date and time, etc.

I have highlighted three buttons here.

  1. Create Request Using Editor: You can write the request in XML. If you need attributes other than the ones offered in the create request UI, you can write the request in XML instead.
  2. Create Request: The generated request appears on the editor. You can further edit the request if required.
  3. Evaluate With PDP: Once you click on this button, your request is evaluated against the policies in the PDP. You will receive a response to the authorization request.

If you want to test a single policy without publishing it to the PDP, you can use the TryIt Tool against that policy only. If so, click on the “Try” button in front of the required policy. The request creation is the same as above.
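As an added example (not part of the original post), this is the XACML 3.0 request you would paste into the TryIt editor to test the scenario for Alice. It carries only the subject-id, resource and action; the role and country claims are not asserted by the client but resolved on the server side by the Identity Server’s PIP from the user store (assumed here to be the default PIP configuration), which is what keeps a caller from granting itself the “Engineer” role.

```xml
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         CombinedDecision="false" ReturnPolicyIdList="true">
  <!-- Subject: only the user name is supplied; claims are looked up by the PIP -->
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Alice</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- Resource being requested -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">resourceA</AttributeValue>
    </Attribute>
  </Attributes>
  <!-- Action the subject wants to perform -->
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
    </Attribute>
  </Attributes>
</Request>

<!-- Expected decision for the three sample users, given the scenario’s policy:
       Alice  (Engineer, Sri Lanka) -> Permit
       Bob    (Engineer, America)   -> Deny   (country check fails)
       George (Manager, Australia)  -> Deny   (role and country checks fail)
     The PDP response has the following shape (shown for Alice): -->
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <Result>
    <Decision>Permit</Decision>
    <Status>
      <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:ok"/>
    </Status>
  </Result>
</Response>
```

Swapping the subject-id for Bob or George is a quick regression check that the policy denies by default rather than only permitting the happy path.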

I hope this gave you an idea of how to define and test XACML policies with the WSO2 Identity Server. Get the WSO2 Identity Server and try it out yourself. If you have any questions, I’m happy to help.

Thanks for reading.

See you soon with more information on customizing the WSO2 Identity Server XACML Engine.

[1] https://wso2.com/identity-and-access-management/

[2] https://is.docs.wso2.com/en/latest/

My other blogs on XACML:

  1. A beginner’s guide to XACML
  2. Customizing XACML Policy Information Point of WSO2 Identity Server 5.10.0
  3. Custom XACML functions for WSO2 Identity Server 5.10.0
