Re: WSO2 IS and XACML Policy

Re: WSO2 IS and XACML Policy

Nirothipan Megalingham
+ dev

On Sat, Feb 23, 2019 at 4:19 PM Reza Ameri <[hidden email]> wrote:
Hi
Dear All,

We are using WSO2 IS as the Identity Bus for our solutions. We use WSO2 ESB and EI to implement our Integration and use OAuth mediator to connect an API from EI to IS.
Everything works fine in the EI, but we want to create an XACML policy that enforces two kinds of restrictions at the same time. First, authorize the user against the URI, which can be hardcoded in the XACML or saved as a property in the user's claims. Secondly, authorize the user against the origin IP of the user. I mean, imagine that every user saves its IP in its claims; then we check that the invoker IP matches the user's IP.
We asked this question on StackOverflow [1] and [2]. I think our question was not clear enough.
We would really appreciate hearing from you.

Thank you,
Reza


--
M.Nirothipan | Senior Software Engineer | WSO2 Inc.
(m) +94772172692 | (e) [hidden email]
http://wso2.com/signature

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
Re: WSO2 IS and XACML Policy

Senthalan Kanagalingam
Hi Reza,

Refer to this documentation [1] to enable XACML-based access control for a service provider. You need to enable "Enable Authorization" under "Local and Outbound Authentication Configuration" of your service provider and configure the XACML policy.

(Since you want to have the URI and IP as user claims, first create two new claims, say http://wso2.org/claims/uri and http://wso2.org/claims/ip.)

Then change the policy provided to check for these claims:

<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="authn_travelocity_for_finance_team_policy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
   <Target>
      <AnyOf>
         <AllOf>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">APP_NAME</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"/>
            </Match>
            <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
            </Match>
         </AllOf>
      </AnyOf>
   </Target>
   <Rule Effect="Permit" RuleId="permit_by_uri_and_ip">
      <Condition>
         <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">URI</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/uri" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
            <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
               <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">IP</AttributeValue>
               <AttributeDesignator AttributeId="http://wso2.org/claims/ip" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
            </Apply>
         </Apply>
      </Condition>
   </Rule>
   <Rule Effect="Deny" RuleId="deny_others"/>
</Policy>

Then publish the policy. You can also refer to [2] to get an understanding about writing the XACML policies.


Thanks,


--
Senthalan Kanagalingam
Software Engineer - WSO2 Inc.
Mobile : +94 (0) 77 18 77 466
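As an added example (not code from the reply above or from WSO2), a small Python evaluator for the Permit/Deny rule pair in that policy: the URI and IP placeholders are filled with constructed values (/finance/api and 203.0.113.7), the Target is omitted and assumed to have matched, and the request is a constructed dict of the subject's claim bags. It shows the three outcomes a PEP can get back under first-applicable: Permit when both claims match, Deny from deny_others when either does not, and Indeterminate when a MustBePresent claim is absent from the request.

```python
import xml.etree.ElementTree as ET

X = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
F = "urn:oasis:names:tc:xacml:1.0:function:"
STR = "http://www.w3.org/2001/XMLSchema#string"
SUBJ = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"

def is_in(literal, claim):
    """One string-is-in check: a policy literal against the subject's bag of claim values."""
    return (f'<Apply FunctionId="{F}string-is-in"><AttributeValue DataType="{STR}">{literal}'
            f'</AttributeValue><AttributeDesignator AttributeId="{claim}" Category="{SUBJ}" '
            f'DataType="{STR}" MustBePresent="true"/></Apply>')

# Same Rule pair as the reply; URI/IP placeholders filled with constructed values (Target omitted).
POLICY = (f'<Policy xmlns="{X}" PolicyId="p" Version="1.0" RuleCombiningAlgId='
          f'"urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable">'
          f'<Rule Effect="Permit" RuleId="permit_by_uri_and_ip"><Condition>'
          f'<Apply FunctionId="{F}and">{is_in("/finance/api", "http://wso2.org/claims/uri")}'
          f'{is_in("203.0.113.7", "http://wso2.org/claims/ip")}</Apply></Condition></Rule>'
          f'<Rule Effect="Deny" RuleId="deny_others"/></Policy>')

def _eval(req, node):
    """Evaluate an expression node against req = {(category, attributeId): [values]}."""
    tag = node.tag.split("}")[1]
    if tag == "AttributeValue":
        return node.text
    if tag == "AttributeDesignator":
        bag = req.get((node.get("Category"), node.get("AttributeId")), [])
        if not bag and node.get("MustBePresent") == "true":
            raise LookupError(node.get("AttributeId"))  # missing required attribute
        return bag
    fn = node.get("FunctionId")[len(F):]
    args = [_eval(req, c) for c in node]
    assert fn in ("and", "string-is-in"), fn   # only the functions this policy uses
    return all(args) if fn == "and" else args[0] in args[1]

def evaluate(policy_xml, req):
    """first-applicable: the first rule whose condition holds (or has none) decides;
    a LookupError makes that rule, and so the policy, Indeterminate."""
    for rule in ET.fromstring(policy_xml).findall(f"{{{X}}}Rule"):
        cond = rule.find(f"{{{X}}}Condition")
        try:
            if cond is None or _eval(req, cond[0]):
                return rule.get("Effect")
        except LookupError:
            return "Indeterminate"
    return "NotApplicable"

def subject(uris, ips):
    """Constructed request: the caller's two claim bags as the PEP would hand them to the PDP."""
    return {(SUBJ, "http://wso2.org/claims/uri"): uris, (SUBJ, "http://wso2.org/claims/ip"): ips}
```

Note that, as in the posted policy, the IP check compares the stored claim against a literal in the policy; the caller's actual source address only enters the decision if the PEP supplies it as an attribute and a rule compares the two.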
