Getting started with XACML in WSO2 Identity Server

As I have explained here, there are some improvements in entitlement management with Identity Server 4.5.0/5.0.0. If you just look at the entitlement management console UI of the 4.5.0/5.0.0 version, you will find that it is a little bit new. Therefore I am using this blog post to give you some idea of it. I will go through it step by step, from defining a policy to evaluating it.

Step 1. Creating an XACML Policy using the PAP

  • Go to the policy management UI of the PAP (Policy Administration Point) and click on “Add New Entitlement Policy”.

  • You have three policy editors to create a policy from scratch. Alternatively, if you already have an existing policy, you can import it.

  • Let's create a simple XACML 3.0 policy for demonstration using the “Simple Policy Editor”. In this policy, we allow “read” access to the “foo” resource only for a user with the user name “bob”. All others are denied.


Step 2. Test the Created Policy in the PAP

  • Now we are going to test this policy on its own. Click on the “Try” icon.

  • We can create an XACML request using the Try It tool. Let's give the resource name as “foo”, the subject name as “bob” and the action name as “read”. If you want to see the generated request and the XML response, you can go to the XML view by clicking on “Create Request”.

  • By trying out different values, you can confirm that the policy behaves as intended.

Step 3. Publish the Policy to the PDP Policy Store

  • Now you can publish the policy to the PDP for runtime evaluation. If you need to publish the policy to an external PDP (or several PDPs), you can use the “Publish” icon.

  • If you only need to publish the policy to your own PDP (the PDP running in the same Identity Server instance), you can use the “Publish To My PDP” option. I am going to publish it to My PDP.

  • Here we have to select preferences for publishing. We are going to publish a new policy, therefore we can use “Add Policy”. If you have several versions of this policy, you can select a policy version. Also, if you need to define a specific PDP order for the policy, you can do it here. However, I am publishing the policy with the default options.


Step 4. Verify whether the policy has been published correctly.

Publishing is done in new threads, therefore you cannot see any “INFO” messages in the UI. You need to check in one of the following ways.

  • Using the policy status.

  • Using the subscriber status. You can go to the relevant subscriber and check its status.

  • If you have published the policy to your own PDP (the PDP running in the same Identity Server instance), you can use the PDP policy view and check whether the policy has been published properly.

Step 5. Enable the Policy in the PDP Policy Store. (With Identity Server 5.0.0, the policy is enabled by default, therefore you can skip this step.)

Enabling a policy means you are putting that policy into the PDP evaluation runtime. By default, using the management console UI, you cannot publish a policy as an “enabled policy” in the PDP. I guess it will be fixed in a future release. Therefore you need to enable it manually. There are two ways to do it.

  • Publish the policy again with the “enable” action.

  • If you have published the policy to your own PDP (the PDP running in the same Identity Server instance), you can go to the PDP policy view and enable the policy from there.

Step 6. Try the policy using a PEP. There is a “Try It” tool, which is a sample PEP implementation within the Identity Server instance.

(In Identity Server 5.0.0, “TryIt” can be found at the “Home>Tools>XACML>TryIt” location.)

Note: Once you edit a policy using the PAP management UI, you must publish those changes to the PDP policy store.

Now you are done.