XACML Authzforce PDP Custom Policies - authzforce

Does Authzforce PDP support custom policies apart from XACML policies? We are able to send XACML requests to the PDP, but as policy creation in XACML is complex, we decided to create our own policies in JSON format. Is AuthzForce able to support policies written in a non-XACML format? Need some assistance here.

You can write policies in ALFA, then use the ALFA Compiler (1.2 or later), i.e. alfac.jar, to convert them to XACML before sending the policies to AuthzForce. More info in the ALFA 1.2 User Guide (provided with the Compiler), in the section "XACML generation using the standalone ALFA compiler".
As an alternative, the AuthzForce project xacml-json-model provides:
A JSON schema for policies, closely equivalent to XACML (more info in the README);
A few examples of policies in this JSON format for testing, with various levels of complexity;
XSLT stylesheets to translate these JSON policies into XACML 3.0 automatically, with the help of your favorite XSLT 3.0 library/processor (more info in the README), e.g. on the command line with the SAXON XSLT library:
$ java -jar Saxon-HE-9.8.0-15.jar -xsl:xacml-policy-json-to-xml.xsl -it inJsonFile=MyPolicy.json

Related

Finding the replacement of the SOAP APIs for WSO2 identity server for 6.0.0 version

As part of WSO2 Identity Server 6.0.0, SOAP APIs are deprecated and it is recommended to use REST-based APIs. We are using the RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs in our project and want to replace the SOAP APIs with the recommended REST APIs. Can you help us find the list of REST APIs to replace the RemoteUserStoreManagerService.wsdl and UserIdentityManagementAdminService.wsdl SOAP APIs? The API documentation is not clear.
We are unable to find the replacement for the claim management APIs which are specific to a user. The APIs which are provided for claim management are not user specific; we want to retrieve/create/delete the claims by passing the username or user id in the request payload.
Can you please provide details on whether such APIs are available for claim management.
The REST API that you have mentioned matches the ClaimMetadataManagementService.wsdl: https://is.docs.wso2.com/en/5.11.0/develop/managing-claims-with-apis/
The only available REST API to manage user claims (retrieving, updating, deleting) is the SCIM 2.0 Users API: https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/#/Users%20Endpoint/getUser
The thing you have to keep in mind is that SCIM is a protocol that is used for user management. Even though you directly used the local claim URIs in SOAP services to manage user claims, in SCIM API calls you have to use the respective SCIM claim that is mapped to the local claim.
Check the SCIM Claim Dialects by navigating to management console -> Main -> Identity -> Claims -> List.
There you can find the SCIM claim to local claim mapping.
e.g.:
Get a specific user's name and username claims. The required attributes should be added to the attributes param based on the SCIM protocol:
GET https://localhost:9443/scim2/Users/<user-id>?attributes=username,name
Add user claims:
Refer https://is.docs.wso2.com/en/latest/apis/scim2-patch-operations/#add-user-attributes
and https://medium.com/p/1c43bb218658
Delete user claims:
Refer https://is.docs.wso2.com/en/latest/apis/scim2-patch-operations/#remove-user-attributes
and https://medium.com/p/1c43bb218658
A similar issue was raised here. Check the first answer.
The doc that you have referred to is for managing claims in general. Refer to the introduction paragraph.
The API overview page contains all the information about all the APIs you need. The following image shows the APIs needed to manage users, roles and groups (more than what you have asked in the question).
NOTE: Better not to use SCIM1.1
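As an added example (not part of the answer above), the local-claim-to-SCIM translation the answer describes, in Python: the LOCAL_TO_SCIM mapping is assumed from the default WSO2 IS claim dialect and must be checked against your own Claims list, and the output is the attributes query for GET and a SCIM 2.0 PatchOp body for adding/removing user attributes.

```python
from urllib.parse import urlencode

PATCH_OP_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"

# Local-claim URI -> SCIM 2.0 attribute path. Constructed for this example from
# the default WSO2 IS claim mapping; check yours under
# Main -> Identity -> Claims -> List, since deployments customise it.
LOCAL_TO_SCIM = {
    "http://wso2.org/claims/username": "userName",
    "http://wso2.org/claims/givenname": "name.givenName",
    "http://wso2.org/claims/lastname": "name.familyName",
}

def to_scim(local_claims):
    """Translate local claim URIs to SCIM paths; fail loudly on an unmapped one
    rather than silently sending a claim URI the SCIM endpoint ignores."""
    unmapped = [c for c in local_claims if c not in LOCAL_TO_SCIM]
    if unmapped:
        raise KeyError(f"no SCIM mapping for local claim(s): {unmapped}")
    return [LOCAL_TO_SCIM[c] for c in local_claims]

def get_user_url(base, user_id, local_claims):
    """GET <base>/scim2/Users/<id>?attributes=... limited to the wanted claims."""
    attrs = ",".join(to_scim(local_claims))
    return f"{base}/scim2/Users/{user_id}?" + urlencode({"attributes": attrs}, safe=",")

def patch_body(add=None, remove=()):
    """PatchOp document for PATCH /scim2/Users/<id>: one 'add' operation whose
    value carries every new attribute (nested paths become nested objects) and
    one 'remove' operation per attribute path. Serialise with json.dumps."""
    ops = []
    if add:
        value = {}
        for claim, val in add.items():
            path = to_scim([claim])[0]
            if "." in path:  # e.g. name.givenName -> {"name": {"givenName": ...}}
                parent, child = path.split(".", 1)
                value.setdefault(parent, {})[child] = val
            else:
                value[path] = val
        ops.append({"op": "add", "value": value})
    ops.extend({"op": "remove", "path": p} for p in to_scim(list(remove)))
    return {"schemas": [PATCH_OP_SCHEMA], "Operations": ops}
```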

How to add AWS Auth to open api spec?

I am writing API specs for a service that requires AWS auth. But I can't find any information as to how to add this authentication in the specs. ( What I did find was this: https://support.smartbear.com/swaggerhub/docs/integrations/amazon-api-gateway.html, which seems needs you to integrate with AWS. But I do not want/need any such integration. My API spec is only supposed to be documentation for how a user is supposed to use them.)

JSON and XML threat protection in WSO2 API Manager is not working

When I was trying "JSON/XML Threat Protection for API Gateway" in WSO2 APIM 3.1.0 by adding a mediation policy, it wasn't considering the custom policy that I've written; it's taking the default values, which are 100.
Anything more I should be adding? Please suggest!
Once a new mediation sequence is implemented, it needs to be uploaded and selected as a mediation sequence in the "Message Mediation" section. Once selected, you need to republish to apply the changes.
You can confirm this by checking the generated sequence file in <AM_HOME>/repository/deployment/server/synapse-configs/default/sequences. The file name format will be <provider>--<API-Name>_v<Version>--<Direction>.xml

Using WSO2 for Authentication and Authorization for web based Enterprise Applications

We want to use WSO2 as the IAM framework for our internal and external applications.
We have the following 3 main requirements.
1. WSO2 should be able to authenticate users using LDAP (Active Directory for internal employees) or another data source for external users.
2. We want to configure the API access level in WSO2, for example role-based authorization (or policy-based), where we can configure who can access which web API with which HTTP verb.
3. We should be able to dynamically add/update/delete users and update authorization policies/roles through the WSO2 API.
Please let me know if this is supported out of the box in the community edition or whether we have to buy any licenses for the same.
Note: I have installed the server and am playing around with it as well.
Yes, these requirements are possible with WSO2 IS (product stack).
You can easily plug an existing LDAP user store into WSO2 IS. (https://docs.wso2.com/display/IS530/Configuring+a+Read-write+LDAP+User+Store)
I am not 100% clear about what you are asking here. But if you are talking about IS APIs (which are specified in point number 3), you can do them solely with IS with a little customization, or else you can use WSO2 ESB with the entitlement mediator to add XACML policies.
There are SOAP admin services (non-standard, but able to update authorization policies etc.) and REST services (standard SCIM 2.0 for user operations).
https://docs.wso2.com/display/IS530/Calling+Admin+Services
https://docs.wso2.com/display/IS530/SCIM+1.1+APIs

The TryIt page proposes only a subject name. How to test with http://wso2.org/claims/role, for example?

I'm running wso2is-4.6.0.
I've created a policy allowing a user with a specific role to access a resource.
When I TryIt, the WSO2 IS manager just proposes a Subject Name (urn:oasis:names:tc:xacml:1.0:subject:subject-id). I've seen in a previous version of WSO2 IS (see here) that it was possible to define a Subject Attribute Name (in my case it would be http://wso2.org/claims/role).
The result is that I can't test my request with the current version, as the attributeId generated by the WSO2 TryIt tool refers to a subject-id where I need http://wso2.org/claims/role.
Any way to make this TryIt page more customizable?
Thanks for your help and support
Regards
Vpl
TryIt is a simple tool with which you can create the XACML request. It cannot support all options that are available. However, when it comes to the new version, it seems that the attribute Id selection has been removed. But you can fill in the attribute values and create the sample XACML request in the XML view. Then you would find that the attribute id of the created XACML request would be urn:oasis:names:tc:xacml:1.0:subject:subject-id. Therefore you can easily modify it to http://wso2.org/claims/role and try out the policy.
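As an added example (not from the answer or from WSO2), the edit the answer describes done programmatically in Python: the request below is a constructed XACML 3.0 request in the shape TryIt emits (values such as "alice" and "/reports" are placeholders), and the subject attribute's AttributeId is rewritten from subject-id to http://wso2.org/claims/role, with an error if the expected attribute is not there.

```python
import xml.etree.ElementTree as ET

XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE_CLAIM = "http://wso2.org/claims/role"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
NS = {"x": XACML_NS}
ET.register_namespace("", XACML_NS)  # serialise with a default namespace, as TryIt does

# Constructed sample in the shape TryIt produces: only subject-id is offered
# for the subject, so a role-based policy cannot be exercised as-is.
TRYIT_REQUEST = f"""<Request xmlns="{XACML_NS}" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="{SUBJECT_CAT}">
    <Attribute AttributeId="{SUBJECT_ID}" IncludeInResult="false">
      <AttributeValue DataType="{XS_STRING}">alice</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{RESOURCE_CAT}">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="{XS_STRING}">/reports</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""

def subject_attribute_ids(request_xml):
    """AttributeIds present in the access-subject category of a request."""
    root = ET.fromstring(request_xml)
    return [a.get("AttributeId")
            for s in root.findall(f"x:Attributes[@Category='{SUBJECT_CAT}']", NS)
            for a in s.findall("x:Attribute", NS)]

def retarget_subject_attribute(request_xml, new_id=ROLE_CLAIM, new_value=None,
                               old_id=SUBJECT_ID):
    """Rename the subject attribute `old_id` to `new_id`, optionally replacing its
    value with the role name. Raises ValueError when `old_id` is absent, so a
    decision on an unchanged request is never mistaken for a test of the role policy."""
    root = ET.fromstring(request_xml)
    hits = [a for s in root.findall(f"x:Attributes[@Category='{SUBJECT_CAT}']", NS)
            for a in s.findall("x:Attribute", NS) if a.get("AttributeId") == old_id]
    if not hits:
        raise ValueError(f"no subject attribute {old_id} in request")
    for attr in hits:
        attr.set("AttributeId", new_id)
        if new_value is not None:
            attr.find("x:AttributeValue", NS).text = new_value
    return ET.tostring(root, encoding="unicode")
```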