The Entitlement Mediator intercepts requests and evaluates the actions performed by a user against an eXtensible Access Control Markup Language (XACML) policy. WSO2 Identity Server can be used as the XACML Policy Decision Point (PDP) where the policy is set, and WSO2 ESB EI serves as the XACML Policy Enforcement Point (PEP) where the policy is enforced.   

...


...

Syntax

...

Parameters

Entitlement Server

Server URL of the WSO2 Identity Server that acts as the PDP (e.g., https://localhost:9443/services).

User Name

This user should have permissions to log in and manage configurations in the WSO2 Identity Server.

Password

The password of the username entered in the User Name parameter.
Entitlement Callback Handler

The handler that should be used to get the subject (user name) for the XACML request.

  • UT: This class looks for the subject name in the Axis2 message context under the username property. This is useful when the UsernameToken security is enabled in WSO2 ESB EI for a proxy service, because when the user is authenticated for such a proxy service, the username would be set in the Axis2 message context. As a result, the Entitlement mediator would automatically get the subject value for the XACML request from there. This is the default callback class.
  • X509: Specify this class if the proxy is secured with X509 certificates.
  • SAML: Specify this class if the proxy is secured with WS-Trust.
  • Kerberos: Specify this class if the proxy is secured with Kerberos.
  • Custom: This allows you to specify a custom entitlement callback handler class.

Info

You can also set properties that control how the subject is retrieved; see Advanced Callback Properties.
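The following is an added example, not WSO2 code, that models the PEP role described above in Python: a pluggable callback handler resolves the subject from a constructed message context (the UT handler reads the username property, as the page describes; the X509 handler's client_cert_dn property name is an assumption), the PEP builds a XACML 2.0 context Request, and the PDP's Response is reduced to a fail-closed decision in which anything other than an explicit Permit is denied. The toy_pdp function is a constructed stand-in for the Identity Server so the flow runs offline.

```python
"""Added example (not WSO2 code): a minimal model of the Entitlement
Mediator's PEP role. Callback handlers pull the subject from a constructed
message context, the PEP builds a XACML 2.0 Request, and the PDP's Response
is reduced to a fail-closed allow/deny decision."""
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:2.0:context:schema:os"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"


class SubjectNotFound(Exception):
    """Raised when the configured handler cannot find a subject in the context."""


def ut_callback(ctx):
    """UT-style handler: the subject is the 'username' property that the
    UsernameToken security handler placed in the (Axis2-like) message context."""
    user = ctx.get("username")
    if not user:
        raise SubjectNotFound("no 'username' property in message context")
    return user


def x509_callback(ctx):
    """X509-style handler (hypothetical property name 'client_cert_dn'):
    the subject is the client certificate DN recorded by the transport."""
    dn = ctx.get("client_cert_dn")
    if not dn:
        raise SubjectNotFound("no client certificate DN in message context")
    return dn


CALLBACKS = {"UT": ut_callback, "X509": x509_callback}


def build_request(subject, resource, action):
    """Build a XACML 2.0 context Request with one string attribute each for
    subject, resource and action, plus the mandatory (empty) Environment."""
    req = ET.Element(f"{{{XACML_NS}}}Request")
    for tag, attr_id, value in (("Subject", SUBJECT_ID, subject),
                                ("Resource", RESOURCE_ID, resource),
                                ("Action", ACTION_ID, action)):
        el = ET.SubElement(req, f"{{{XACML_NS}}}{tag}")
        attribute = ET.SubElement(el, f"{{{XACML_NS}}}Attribute",
                                  AttributeId=attr_id, DataType=XS_STRING)
        ET.SubElement(attribute, f"{{{XACML_NS}}}AttributeValue").text = value
    ET.SubElement(req, f"{{{XACML_NS}}}Environment")
    return ET.tostring(req, encoding="unicode")


def decision_from_response(response_xml):
    """Return True only for an explicit Permit. Deny, Indeterminate,
    NotApplicable and malformed responses all fail closed."""
    try:
        root = ET.fromstring(response_xml)
    except ET.ParseError:
        return False
    decision = root.find(f".//{{{XACML_NS}}}Decision")
    return decision is not None and (decision.text or "").strip() == "Permit"


def enforce(ctx, resource, action, pdp, handler="UT"):
    """PEP flow: resolve the subject via the configured callback, send the
    XACML request to the PDP, and enforce its decision. A missing subject is
    a deny, not an anonymous request."""
    try:
        subject = CALLBACKS[handler](ctx)
    except SubjectNotFound:
        return False
    return decision_from_response(pdp(build_request(subject, resource, action)))


def toy_pdp(request_xml):
    """Constructed stand-in for the PDP: permits only alice reading /orders."""
    root = ET.fromstring(request_xml)
    path = "{0}%s/{0}Attribute/{0}AttributeValue".format(f"{{{XACML_NS}}}")
    values = {tag: root.find(path % tag).text for tag in ("Subject", "Resource", "Action")}
    permit = values == {"Subject": "alice", "Resource": "/orders", "Action": "read"}
    return (f'<Response xmlns="{XACML_NS}"><Result><Decision>'
            f'{"Permit" if permit else "Deny"}</Decision></Result></Response>')


if __name__ == "__main__":
    print(enforce({"username": "alice"}, "/orders", "read", toy_pdp))  # True
    print(enforce({"username": "bob"}, "/orders", "read", toy_pdp))    # False
    print(enforce({}, "/orders", "read", toy_pdp))                     # False: no subject
```

The point to carry over to a real deployment is the fail-closed shape of enforce and decision_from_response: a subject the handler cannot find, a transport error, or a non-Permit decision all end in a rejection rather than a pass-through.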

Entitlement Service Client

The method of communication to use between the PEP and the PDP. For SOAP, choose whether to use Basic Authentication (available with WSO2 Identity Server 4.0.0 and later) or the AuthenticationAdmin service, which authenticates with the Entitlement service in Identity Server 3.2.3 and earlier. Thrift uses its own authentication service over TCP. WS-XACML uses Basic Authentication.

Info

The XACML standard refrains from specifying which method should be used to communicate from the PEP to the PDP, and many vendors have implemented a proprietary approach. There is a standard called "Web Services Profile of XACML (WS-XACML) Version 1.0", but it has not been widely adopted because of its bias toward SOAP and the performance implications of XML signatures. However, the benefit of adopting a standard is the elimination of vendor lock-in, because it allows your current PEP to keep working even if you move to a PDP from another vendor (as long as the new PDP also supports this standard). Otherwise you may need to modify your existing PEP to adapt to the new PDP. WSO2 Identity Server has its proprietary SOAP API, Thrift API, and basic support for WS-XACML.

Thrift Host

The host used to establish a Thrift connection with the Entitlement service when the Entitlement Service Client is set to Thrift.

Thrift Port

The port used to establish a Thrift connection with the Entitlement service when the Entitlement Service Client is set to Thrift. The default port is 10500.

...