
...

1. Log in to the Identity Server Management Console with an account that has login and "manage configuration" permissions (the default admin/admin account works for this walkthrough; change that default password on any deployment that is not a throwaway test instance). See Starting Identity Server Management Console on Linux or Starting Identity Server Management Console on Windows.

2. Go to "Policies," listed under the "Entitlement" menu.

...

Here you can build your own XACML request and evaluate it against the policy you just added. Paste the following request into the request box on the screen shown above and click "Evaluate." The request carries a subject-id of admin, a custom subject attribute named group with the value admin, the echo service URL as the resource-id, and read as the action-id; these are the attributes the policy's target and condition will be matched against.

Code Block

<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
    <Subject>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>admin</AttributeValue>
        </Attribute>
        <Attribute AttributeId="group"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>admin</AttributeValue>
        </Attribute>
    </Subject>
    <Resource>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>http://localhost:8280/services/echo/echoString</AttributeValue>
        </Attribute>
    </Resource>
    <Action>
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"
                   DataType="http://www.w3.org/2001/XMLSchema#string">
            <AttributeValue>read</AttributeValue>
        </Attribute>
    </Action>
    <Environment/>
</Request>

...

Find the following section of the template policy. It is the policy's Target: the string-regexp-match function takes the regular expression first and the resource-id from the request second, so the policy applies only to requests whose resource-id matches the pattern.

Code Block

<Resources>
    <Resource>
        <ResourceMatch MatchId="urn:oasis:names:tc:xacml:1.0:function:string-regexp-match">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">http://localhost:8280/services/echo/</AttributeValue>
            <ResourceAttributeDesignator
                AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"
                DataType="http://www.w3.org/2001/XMLSchema#string"/>
        </ResourceMatch>
    </Resource>
</Resources>

...

Code Block

<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <SubjectAttributeDesignator
            AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            SubjectCategory="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"/>
    </Apply>
</Condition>
Code Block

<Condition>
    <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
        <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">admin</AttributeValue>
        <SubjectAttributeDesignator AttributeId="group" DataType="http://www.w3.org/2001/XMLSchema#string"/>
    </Apply>
</Condition>

The first condition permits the user whose subject-id is "admin"; the second permits any user whose "group" attribute bag contains "admin". In both, string-is-in takes the literal string first and the bag returned by the designator second, and returns true when the string is a member of that bag. Note that in the Try It request the group value is asserted by the caller: the PDP is trusting whatever the PEP puts in the request. For a production policy, have the PDP resolve group membership itself through a PIP attribute finder backed by the user store rather than accepting it from the request.
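To make the evaluation order concrete, the following is an added example (not code from the original page or from Identity Server) that models the policy above as a tiny PDP in Python: it parses a XACML 2.0 request in the shape of the Try It request, applies the Target's string-regexp-match to the resource-id, then applies the two string-is-in conditions to the subject-id and group bags. It also shows why the regular expression in the Target deserves care: `string_regexp_match` is modelled with both substring and whole-string semantics (the `anchored` flag is this example's own switch, not a XACML function), since an unanchored prefix such as http://localhost:8280/services/echo/ also matches any URL that merely contains that text. The `make_request` helper, the `evaluate` function and the assumption that the template policy ends in a catch-all Deny rule are all this example's own; the action-id is carried but not matched because the page does not show the policy's Action target.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespace and attribute identifiers used by the request on this page.
CTX = "{urn:oasis:names:tc:xacml:2.0:context:schema:os}"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
STRING = "http://www.w3.org/2001/XMLSchema#string"
ECHO_URL = "http://localhost:8280/services/echo/echoString"


def make_request(subject, group, resource=ECHO_URL, action="read"):
    """Build a XACML 2.0 request in the same shape as the page's Try It example
    (helper constructed for this example). Values are XML-escaped so a caller
    cannot smuggle extra elements into the request."""
    s, g, r, a = (escape(v) for v in (subject, group, resource, action))
    return f"""<Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os">
  <Subject>
    <Attribute AttributeId="{SUBJECT_ID}" DataType="{STRING}"><AttributeValue>{s}</AttributeValue></Attribute>
    <Attribute AttributeId="group" DataType="{STRING}"><AttributeValue>{g}</AttributeValue></Attribute>
  </Subject>
  <Resource>
    <Attribute AttributeId="{RESOURCE_ID}" DataType="{STRING}"><AttributeValue>{r}</AttributeValue></Attribute>
  </Resource>
  <Action>
    <Attribute AttributeId="{ACTION_ID}" DataType="{STRING}"><AttributeValue>{a}</AttributeValue></Attribute>
  </Action>
  <Environment/>
</Request>"""


def parse_request(xml_text):
    """Return {category: {AttributeId: [values]}}. XACML attributes are bags,
    so every attribute maps to a list even when it carries a single value."""
    root = ET.fromstring(xml_text)
    bags = {}
    for category in ("Subject", "Resource", "Action"):
        attrs = {}
        for elem in root.findall(CTX + category):
            for attr in elem.findall(CTX + "Attribute"):
                values = [v.text or "" for v in attr.findall(CTX + "AttributeValue")]
                attrs.setdefault(attr.get("AttributeId"), []).extend(values)
        bags[category] = attrs
    return bags


def string_regexp_match(regexp, value, anchored):
    """string-regexp-match: argument order is (regexp, string), as in the page's
    ResourceMatch. Engines differ on whether the pattern must cover the whole
    string or may occur anywhere in it; 'anchored' (an example-only switch)
    selects between the two so the difference is visible."""
    if anchored:
        return re.fullmatch(regexp, value) is not None
    return re.search(regexp, value) is not None


def string_is_in(value, bag):
    """string-is-in: true if the string value is a member of the bag."""
    return value in bag


def evaluate(request_xml, resource_regexp="http://localhost:8280/services/echo/", anchored=False):
    """Mini PDP for the page's policy. Target: resource-id matches the regexp.
    Rule: subject-id is "admin" OR the group bag contains "admin".
    Assumption: the template policy ends in a catch-all Deny rule, so a failed
    condition yields Deny while a failed Target yields NotApplicable."""
    bags = parse_request(request_xml)
    resource_ids = bags["Resource"].get(RESOURCE_ID, [])
    if not any(string_regexp_match(resource_regexp, r, anchored) for r in resource_ids):
        return "NotApplicable"
    subject_ids = bags["Subject"].get(SUBJECT_ID, [])
    groups = bags["Subject"].get("group", [])
    if string_is_in("admin", subject_ids) or string_is_in("admin", groups):
        return "Permit"
    return "Deny"


if __name__ == "__main__":
    print(evaluate(make_request("admin", "admin")))                   # the page's request
    print(evaluate(make_request("bob", "users")))                     # neither condition holds
    print(evaluate(make_request("admin", "admin"), anchored=True))    # prefix no longer matches echoString
```

Running the unanchored variant against a resource-id such as http://evil.example/?next=http://localhost:8280/services/echo/ still returns Permit, which is the point of the caveat: if the engine's regexp matching is not anchored, write the Target pattern with explicit anchors (for example ^http://localhost:8280/services/echo/.*$) and confirm the behaviour with the Try It tool before relying on it.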
