WSO2 Identity server GUI creating different attribute id for policy and request

Question

I have created XACML plocies with Wso2 GUI.

I used Basic Policy Editor for the same. I gave following parameters

For policy (in first tab I only gave Resource Name, kept other fields blank): Resource Names : https://www.xyz.com/blabla/

(in second tab) Rule Effect: Permit

USer's : Role is equals Architect

Action Name : is equals Read

So the policy is generated with this condition:

Architect

here the attribute id is : AttributeId="http://wso2.org/claims/role"

Now while I am trying to test this poicy with Tryit tool, with passing parameter in GUI , the automatic request is being generated from WSO2 which has following attribute id for the Role:

AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"

And because, the policy attribute id doesn't mached with my test request attribute id is continuously giving Intermediate reply.

I read some blogs and understood that attributeId must be matched while sending the request.

I change the request manually and then its working fine.

The question here is , why WSO2 Identity server is creating request with different attributeID, while we already created the policy from the Same Wso2 identity server? I think both should be matched while you are using the same editor to create it and test it with same parameters.

Or I m missing something here??

Answer 1

I think you mean you are getting Indeterminate instead of Intermediate. There is no such response w/ Intermediate in XACML.

Secondly the attribute ID "urn:oasis:names:tc:xacml:1.0:subject:subject-id" represents the user identity e.g. Alice, Bob, Carol. What your policy needs is the role. You can have a request that only contains the user identity in which case the PDP will have to resolve the role from an underlying source. That underlying source is called a PIP.

You can also directly pass in the role from the request but in that case you do have to make sure the attribute identifier matches the one used in your policy namely http://wso2.org/claims/role.

If you have issues with the UI, give ALFA a go. It gives you more visibility over which attributes are used.

Answer 2

Yes. http://wso2.org/claims/role is refer to user's roles in Identity Server. Then PDP know call the PIP with this claim uri. PIP would extract the roles of the user. Mostly in your case, Indeterminate can be due to that user's roles can be retrieved. Please refer this for get more understand about RBAC/ABAC with Identity Server