PEP client for WSO2 Identity Server PDP

In my previous post, I explained some important things about “EntitlementService“. According to them; when we are writing a PEP client, we need to consider about followings.

Before,  Please note that EntitlementService is admin service according the WSO2 Carbon platform. Therefore WSDL of admin service can not be seen by default and you can not access the admin service without authentication and authorization. More details about WSO2 admin services can be find from here


1. As HTTPS  (SSL over HTTP) is used for communication, your client (PEP)  needs to trust the EntitlementService.  Therefore WSO2 Identity Server’s SSL certificate must be in your PEP’s trust store.

2. PEP must be authenticated and authorized to access the “EntitlementService” .  Authentication can be done using username/password by default. You can create a new user in the WSO2 Identity server by providing user name/password or else any existing user (“admin” user) can be used.  However user must have Manage permission (Admin Permissions -> Manage) to authorized for “EntitlementService”  (Or you can assign the created user in to a role that contains Manage permission).

3. If  username/password is used, PEP can authenticate to Identity Server  using “AuthenticationAdmin” Service or Basic Authentication.  If “AuthenticationAdmin” is used, PEP would receive a cookie for sub sequence communication. You can reuse cookie till it is expired.
4. PEP must send the actual XACML request to EntitlementService with Cookie or Basic Authentication credentials.

Till WSO2 Identity Server 3.2.3, AuthenticationAdmin was the default authenticator. It means, you need to authenticate “AuthenticationAdmin” service and then use the Cookie for sub subsequent communication.  But after 4.0.0 release  default authenticator is the Basic Auth authenticator where you can send PEP’s credentials using Basic Authentication header. Then you need send to actual XACML request to EntitlementService with Basic Auth security header or  received Cookie. Please find the PEP client source from here.

5. If you are using thrift protocol for communication,  There is separate authenticator and thrift server for that. Therefore, First PEP must need to call thrift authentication service and then call the thrift server with actual XACML request. Session id that is received from authentication service, can be used for XACML request.  You can find Thrift based PEP client from here.   However,  with new version of Identity Server,  PEP can send username/password directly instead of session id.