...
| Note |
|---|
|
As admin services are secured to prevent anonymous invocations, you cannot view the WSDL of the admin service by default. Follow the steps below to view and invoke it: Set the <HideAdminServiceWSDLs> element to false in <IS_HOME>/repository/conf/carbon.xml file.
| Code Block |
|---|
| <HideAdminServiceWSDLs>false</HideAdminServiceWSDLs> |
- Restart the Identity Server.
- If you have started the server in default configurations, use the following URL in your browser to see the WSDL of the admin service: eg:
https://localhost:9443/services/EntitlementService?wsdl
For more information on WSO2 admin services and how to invoke an admin service using either SoapUI or any other client program, see Calling Admin Services. |
The following section guides you on entitlement management in two different areas,
...
You can use the following URL in your browser to see the WSDL of the EntitlementPolicyAdminService admin service.
| Code Block |
|---|
https://localhost:9443/services/EntitlementPolicyAdminService?wsdl |
By using any SoapUI, you can call this admin service.
Operations included in the API
The following operations are available in the EntitlementPolicyAdminService
addPolicy()
...
| Parameter | Description |
|---|
claimDialectURI | The URI which defines the new claim dialect. |
...
| title | Click here to see the request |
|---|
...
| Note |
|---|
Note: All the APIs are secured with basic authentication. Follow the steps below to add a basic auth header when calling these methods. - Build a string of the form username:password.
- Encode the string you created above using Base64.
Define an authorization header with the term "Basic_", followed by the encoded string. For example, the basic auth authorization header using "admin" as both username and password is as follows: | Code Block |
|---|
Authorization: Basic YWRtaW46YWRtaW4= |
|
Operations included in the API
The following operations are available in the EntitlementPolicyAdminService
addPolicy()
| Description | Adds a new policy. |
|---|
| Input Parameters | | Parameter | Description |
|---|
policy | The policy that should be registered. The XACML policy should be embedded to the SOAP service as a CDATA. | version | Version of the policy. | policyId | The policy name that should be registered. |
|
|---|
| Request | | Expand |
|---|
| title | Click here to see the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.entitlement.identity.carbon.wso2.org/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:addPolicy>
<!--Optional:-->
<xsd:policyDTO>
<!--Optional:-->
<xsd1:policy><![CDATA[
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="samplepolicysample_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>This policy template provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the roles of the user (defined by ROLE_1 and ROLE_2). Users who have at least one of the given roles, will be allowed and any others will be denied.</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="permit_by_roles">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:or">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1_1_1</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy>
]]>
</xsd1:policy>
<!--Optional:-->
<xsd1:version>1.0</xsd1:version>
<xsd1:policyId>sample_policy_template</xsd1:policyId>
</xsd:policyDTO>
</xsd:addPolicy>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to see the sample response |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:addPolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"/>
</ns:addPolicyResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
getAllPolicyIds()
| Description | Retrieve all policy names or policy Ids. |
|---|
| Input Parameters | None
|
|---|
| Request | | Expand |
|---|
| title | Click here to see the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getAllPolicyIds>
</xsd:getAllPolicyIds>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to see the response |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getAllPolicyIdsResponse xmlns:ns="http://org.apache.axis2/xsd" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd">
<ns:return>authn_role_based_policy_template</ns:return>
<ns:return>authn_scope_based_policy_template</ns:return>
<ns:return>authn_time_and_role_based_policy_template</ns:return>
<ns:return>authn_time_and_scope_based_policy_template</ns:return>
<ns:return>authn_time_and_user_claim_based_policy_template</ns:return>
<ns:return>authn_time_and_user_store_based_policy_template</ns:return>
<ns:return>authn_time_based_policy_template</ns:return>
<ns:return>authn_user_claim_based_policy_template</ns:return>
<ns:return>authn_user_store_based_policy_template</ns:return>
<ns:return>provisioning_role_based_policy</ns:return>
<ns:return>provisioning_role_based_policy_template</ns:return>
<ns:return>provisioning_time_and_role_based_policy_template</ns:return>
<ns:return>provisioning_time_and_user_claim_based_policy_template</ns:return>
<ns:return>provisioning_time_based_policy_template</ns:return>
<ns:return>provisioning_user_claim_based_policy_template</ns:return>
<ns:return>samplePolicy</ns:return>
<ns:return>samplePolicy1</ns:return>
<ns:return>samplepolicy_template</ns:return>
</ns:getAllPolicyIdsResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
getPolicy()
| Description | Retrieve a pre-defined policy. |
|---|
| Input Parameters | | Parameter | Description |
|---|
policyId | The policy name that should be registered. | isPDPPolicy | A boolean which tells whether the policy is published to PDP or not. |
|
|---|
| Request | | Expand |
|---|
| title | Click here to see the request |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd">
<soapenv:Header/>
<soapenv:Body>
<xsd:getPolicy>
<!--Optional:-->
<xsd:policyId>authn_time_and_user_claim_based_policy_template</xsd:policyId>
<!--Optional:-->
<xsd:isPDPPolicy>false</xsd:isPDPPolicy>
</xsd:getPolicy>
</soapenv:Body>
</soapenv:Envelope> |
|
|
|---|
| Response | | Expand |
|---|
| title | Click here to see the response |
|---|
| | Code Block |
|---|
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body>
<ns:getPolicyResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:type="ax2340:PolicyDTO" xmlns:ax2340="http://dto.entitlement.identity.carbon.wso2.org/xsd" xmlns:ax2338="http://entitlement.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2340:active>true</ax2340:active>
<ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
<ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
<ax2340:attributeId>http://wso2.org/identity/sp/sp-name</ax2340:attributeId>
<ax2340:attributeValue>SP_NAME</ax2340:attributeValue>
<ax2340:category>http://wso2.org/identity/sp</ax2340:category>
</ax2340:attributeDTOs>
<ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
<ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
<ax2340:attributeId>http://wso2.org/identity/identity-action/action-name</ax2340:attributeId>
<ax2340:attributeValue>authenticate</ax2340:attributeValue>
<ax2340:category>http://wso2.org/identity/identity-action</ax2340:category>
</ax2340:attributeDTOs>
<ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
<ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#time</ax2340:attributeDataType>
<ax2340:attributeId>urn:oasis:names:tc:xacml:1.0:environment:current-time</ax2340:attributeId>
<ax2340:attributeValue>09:00:00</ax2340:attributeValue>
<ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:environment</ax2340:category>
</ax2340:attributeDTOs>
<ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
<ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#time</ax2340:attributeDataType>
<ax2340:attributeId>urn:oasis:names:tc:xacml:1.0:environment:current-time</ax2340:attributeId>
<ax2340:attributeValue>17:00:00</ax2340:attributeValue>
<ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:environment</ax2340:category>
</ax2340:attributeDTOs>
<ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
<ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
<ax2340:attributeId>CLAIM_URI_1</ax2340:attributeId>
<ax2340:attributeValue>CLAIM_VALUE_1</ax2340:attributeValue>
<ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:resource</ax2340:category>
</ax2340:attributeDTOs>
<ax2340:attributeDTOs xsi:type="ax2340:AttributeDTO">
<ax2340:attributeDataType>http://www.w3.org/2001/XMLSchema#string</ax2340:attributeDataType>
<ax2340:attributeId>CLAIM_URI_2</ax2340:attributeId>
<ax2340:attributeValue>CLAIM_VALUE_2</ax2340:attributeValue>
<ax2340:category>urn:oasis:names:tc:xacml:3.0:attribute-category:resource</ax2340:category>
</ax2340:attributeDTOs>
<ax2340:lastModifiedTime>1508817592043</ax2340:lastModifiedTime>
<ax2340:lastModifiedUser xsi:nil="true"/>
<ax2340:policy><![CDATA[<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="authn_time_and_user_claim_based_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0"><Description>This template policy provides ability to authorize users to a given service provider(defined by SP_NAME) in the authentication flow based on the claim values of the user (CLAIM_URI_1=CLAIM_VALUE_1 and CLAIM_URI_2=CLAIM_VALUE_2) and the time of the day (eg. between 09:00:00 to 17:00:00). Users with the given claim values and who are logged in within the given time range will be allowed and any other users will be denied.</Description><Target><AnyOf><AllOf><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue><AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator></Match><Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal"><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">authenticate</AttributeValue><AttributeDesignator AttributeId="http://wso2.org/identity/identity-action/action-name" Category="http://wso2.org/identity/identity-action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator></Match></AllOf></AnyOf></Target><Rule Effect="Permit" RuleId="permit_by_claims_and_time"><Condition><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and"><Apply FunctionId="urn:oasis:names:tc:xacml:2.0:function:time-in-range"><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:time-one-and-only"><AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-time" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#time" MustBePresent="true"></AttributeDesignator></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">09:00:00</AttributeValue><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#time">17:00:00</AttributeValue></Apply><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal" |
|
|
|---|
>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">SP_NAME</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/identity/sp/sp-name" Category="http://wso2.org/identity/sp><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only"><AttributeDesignator AttributeId="CLAIM_URI_1" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001 |
|
|
/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="permit_by_roles">
<Condition>
<Apply /XMLSchema#string" MustBePresent="true"></AttributeDesignator></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CLAIM_VALUE_1</AttributeValue></Apply><Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function: |
|
|
or">
<Apply string-equal"><Apply FunctionId="urn:oasis:names:tc:xacml: |
|
|
1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">ROLE_1_1_1</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role1.0:function:string-one-and-only"><AttributeDesignator AttributeId="CLAIM_URI_2" Category="urn:oasis:names:tc:xacml: |
|
|
1subjectaccess-subjectresource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true">< |
|
|
/AttributeDesignator>
/AttributeDesignator></Apply><AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">CLAIM_VALUE_2</AttributeValue></Apply></Apply></Condition></Rule><Rule Effect="Deny" RuleId="deny_others"></Rule></Policy>]]></ax2340:policy>
|
|
|
</Apply>
<ax2340:policyEditor xsi:nil="true"/>
|
|
|
</Apply> <ax2340:policyId>authn_time_and_user_claim_based_policy_template</ax2340:policyId>
|
|
|
</Condition> </Rule> <Rule Effect="Deny" RuleId="deny_others"></Rule>
</Policy> <ax2340:policyOrder>12</ax2340:policyOrder>
|
|
|
]]>
</xsd1:policy> <ax2340:policyType>Policy</ax2340:policyType>
|
|
|
<!--Optional:--><ax2340:promote>false</ax2340:promote>
|
|
|
<xsd1version>1.0<xsd1xsdpolicyDTO>xsdaddPolicy>getPolicyResponse>
</soapenv:Body>
</soapenv:Envelope> |
|
|
ResponsePolicy Evaluation API
| Table of Contents |
|---|
| maxLevel | 4 |
|---|
| minLevel | 4 |
|---|
| type | flat |
|---|
|
...