Balana and WSO2 Identity Server giving different results - wso2

I have a policy, and when I run a request in WSO2 Identity Server I get a Permit decision as expected. But when I create another sample policy from:
http://svn.wso2.org/repos/wso2/carbon/platform/tags/4.0.7/products/is/4.1.0/modules/distribution/conf/policies/sample-kmarket-sliver-policy.xml
and send the same request again, I get the following error:
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Result>
<Decision>Indeterminate</Decision>
<Status>
<StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:missing-attribute"/>
<StatusMessage>Couldn't find AttributeDesignator attribute</StatusMessage>
<StatusDetail>
<MissingAttributeDetail AttributeId="http://kmarket.com/id/role" DataType="http://www.w3.org/2001/XMLSchema#string" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" ></MissingAttributeDetail>
</StatusDetail>
</Status>
</Result>
</Response>
For some reason the request is being run against this sample policy instead of my original policy. Now the interesting thing is that I downloaded the Balana (the XACML engine used by WSO2 Identity Server) source code and ran tests with both policies and my request, and I am getting Permit as expected. But when I do the same in WSO2 it is not working and I am getting the Indeterminate error. I tried both the 'Try It' feature and 'Evaluate with PDP', with the same results.
Here is the request I used. Why is this being applied to the sample policy and not my original policy via WSO2, but not in Balana?
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">write</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:samhsa:names:tc:company:1.0:subject:provider-npi" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">1548797430</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:recipient-subject">
<Attribute AttributeId="urn:samhsa:names:tc:company:1.0:subject:provider-npi" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">1347570297</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:purpose-of-use">
<Attribute AttributeId="urn:samhsa:names:tc:company:1.0:purpose-of-use-code" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">TREAT</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">#outlook.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:current-dateTime" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#dateTime">2013-07-12T00:00:00-04:00</AttributeValue>
</Attribute>
</Attributes>
</Request>

According to the error, it seems that the attribute finder is not configured. I guess the policy has an attribute id called "http://kmarket.com/id/role", but it is not in the request, so the attribute finder is called. You need to register an attribute finder to support it. Please find a sample attribute finder here [1]. In the Balana sample, this attribute finder is already there with the sample itself.
[1] http://svn.wso2.org/repos/wso2/carbon/platform/tags/4.0.7/components/identity/org.wso2.carbon.identity.samples.entitlement.pip/

Related

Authzforce condition evaluation of matchAny in multi-valued string

I'm looking for a way to define a condition in a policy rule, so that when we pass multiple string values in our certificate and try to authenticate against that rule with AuthzForce, assuming the string value in the condition is equal to one of the string values we passed in the certificate, I want the rule to evaluate to 'true'.
For example, if the attribute value of the condition is "DNS:google.com" and the multiple string values we receive from the certificate are ["DNS:google.nl", "DNS:google.com"], I would expect the rule to evaluate to 'true', as one of those values is equal to the value of the condition ("DNS:google.com").
I tried to achieve this defining a rule with this condition:
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate" AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
I used the 'string-is-in' XACML operator in the condition; however, the rule evaluates to false.
The attributes I send via the certificate using the crypto library look like this when they reach the PDP:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
</Attribute>
</Attributes>
Right now, with the way I defined the condition rule and the way I sent the multi-string in the certificate, I manage to get the rule to evaluate to 'true' only if ALL values of the certificate are equal to or contain the string value of the condition as a substring. So it's more of a "matchAll". That is not what I want: I would like the rule to evaluate to 'true' if even one string in the multi-string in the certificate is equal to the string in the condition, meaning I'm looking to implement a "matchAny" approach rather than the "matchAll" approach I have here.
Could you please advise me why the rule evaluates to 'false' with my current implementation, and how to correct it, perhaps using a different XACML operator?
Pasting the policy below as well as in the comments.
<PolicySet PolicySetId="root" Version="0.1.2" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:deny-unless-permit"
xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
<Target/>
<Policy PolicyId="dbfcb643-cb39-4560-9c11-95112df970d0" Version="0.1.0" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-unless-permit" MaxDelegationDepth="10">
<Description>Policy for EAP authentications by SAN dns domains</Description>
<Target/>
<Rule RuleId="86ef9adb-2acb-43a1-aac6-b01fdeab9a44" Effect="Permit">
<Description>Permit by certificate's SAN dns domain</Description>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Description>new condition</Description>
<Apply FunctionId="urn:oasis:names:tc:xacml:3.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">EAP</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" AttributeId="urn:oasis:names:tc:xacml:1.0:environment:radius-auth-type" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
<AttributeDesignator Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate" AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Apply>
</Condition>
<AdviceExpressions>
<AdviceExpression AdviceId="authorization-result" AppliesTo="Permit">
<AttributeAssignmentExpression AttributeId="profile-id">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">bbfc5e21-0e9f-40a6-a5c6-fedd921bff2c</AttributeValue>
</AttributeAssignmentExpression>
</AdviceExpression>
</AdviceExpressions>
</Rule>
</Policy>
</PolicySet>
I found the bug; it was in the way we build our request. Originally our request was structured like:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
</Attribute>
</Attributes>
The way it should be is like:
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:certificate">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">DNS:google.com</AttributeValue>
</Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string"> DNS:google.nl</AttributeValue>
</Attribute>
</Attributes>
Meaning we are nesting all the attributes within one Attributes element rather than wrapping each attribute separately. When I structure the request as the latter, the policy evaluation returns 'Permit'.

wso2mi 4.1 - Get CN from an X509 certificate for XACML subject-id

I followed the applying security to a proxy service article.
My problem is that in the XACML request the subject-id property value is an LDAP query "CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US". What should I do so that just the commonName (CN) value becomes the subject-id?
My entitlement mediator:
<entitlementService
callbackClass="org.wso2.micro.integrator.identity.entitlement.mediator.callback.X509EntitlementCallbackHandler"
remoteServiceUrl=" https://testdomain.org:9444/services/"
client="basicAuth"
remoteServicePassword="admin"
remoteServiceUserName="admin">
The XACML request that the entitlement mediator made:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US
</AttributeValue></Attribute></Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
read
</AttributeValue></Attribute></Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
/services/SecureProxy/createUser
</AttributeValue></Attribute></Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="IssuerDN" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
CN=localhost, OU=WSO2, O=WSO2, L=Mountain View, ST=CA, C=US
</AttributeValue></Attribute>
<Attribute AttributeId="SignatureAlgorithm" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">
SHA256withRSA
</AttributeValue></Attribute></Attributes></Request>
WSO2 Micro Integrator 4.1, Identity Server 5.11, and SoapUI 5.7.0.

WSO2 Identity, XACML Simple Editor, Try It tool - Rules Evaluation

I wrote a basic test case with XACML using the Simple Editor tool.
My rule: "Only doctor can access medical records"
When using the role name "admin", all works OK and the answer to the request is "permit".
When I update the role, both in the policy and the request, and set it to the value "doctor", the rules engine returns an erroneous "deny". For testing, I've also recorded a user role name with the value "doctor", which is the desired value, and added one ID under the WSO2 console.
Why does XACML under WSO2 constantly deny any evaluation request when using a role other than "doctor"? (See the resulting policy and request statements below.)
Policy
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="MedicalRecords" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">
<Description>doctors</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="Rule-1">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Match>
</AllOf>
</AnyOf>
</Target>
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:any-of">
<Function FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal"/>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
</Apply>
</Condition>
</Rule>
<Rule Effect="Deny" RuleId="Deny-Rule"/>
</Policy>
Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue>
</Attribute>
</Attributes>
</Request>
Thanks for feedback and support.
Regards,
Claude
Since you have added http://wso2.org/claims/role as the AttributeId for the subject, the following should be your XACML request:
<?xml version="1.0" encoding="UTF-8"?>
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">update</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="http://wso2.org/claims/role" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">doctor</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">MedicalRecords</AttributeValue>
</Attribute>
</Attributes>
</Request>
In XACML, values are matched against the AttributeId, so you must use the same AttributeId. But you have used urn:oasis:names:tc:xacml:1.0:subject:subject-id as the AttributeId in the request.

XACML PolicySet and Request with example

I am new to XACML. I am planning to implement RBAC in our organization's applications using XACML policies and the WSO2 Identity Server. I have read many articles on creating different XACML policies using WSO2 and I have also tried many policy examples, but after going through all the available examples I did not find a proper way of creating a XACML PolicySet and a request for the policy set. I tried to create a XACML PolicySet by myself, but when I execute this policy set in the WSO2 Identity Server it gives me a 'not applicable' error every time. I tried a lot to create the XACML PolicySet in different ways, but when I create a request for it, it does not give me the proper result.
Please give me a proper example of a XACML PolicySet and its request.
Here I have added my PolicySet and Policy and also the request. Please let me know what is wrong with it.
The role created in WSO2 IS is: testRole
and this role is assigned to testUser.
PolicySet:
<PolicySet xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyCombiningAlgId="urn:oasis:names:tc:xacml:3.0:policy-combining-algorithm:permit-overrides" PolicySetId="PolicySetExample" Version="1.0">
<Description>TestPolicySet</Description>
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<PolicyIdReference>ComplexPolicy</PolicyIdReference>
</PolicySet>
Policy
<Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" PolicyId="ComplexPolicy" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:permit-overrides" Version="1.0">
<Target>
<AnyOf>
<AllOf>
<Match MatchId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</AttributeValue>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Match>
</AllOf>
</AnyOf>
</Target>
<Rule Effect="Permit" RuleId="PermitForTestUser">
<Condition>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index.jsp</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">view</AttributeValue>
</Apply>
<AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
<Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-is-in">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testRole</AttributeValue>
<AttributeDesignator AttributeId="http://wso2.org/claims/role" Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"></AttributeDesignator>
</Apply>
</Apply>
</Condition>
</Rule>
</Policy>
PolicySet Request
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">testU</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:environment">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:environment:environment-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">H1</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index.jsp</AttributeValue>
</Attribute>
</Attributes>
</Request>
If you are using a Policy Set with WSO2 IS, please note the following.
You need to publish both the Policy Set and the referenced policies to the PDP.
Then you need to enable the Policy Set in the PDP. You can keep the referenced policies as disabled policies.
Please refer to more details here as well.
If you are going to implement RBAC and ABAC with WSO2 Identity Server, I recommend that you go through this to get more understanding.
I tested your policy using the Axiomatics Policy Server (see screenshot):
I then tested the policy set using our simulator:
I received Indeterminate back as a response. The root cause of the Indeterminate is that your Condition inside the Rule has a flag called MustBePresent set to true on the http://wso2.org/claims/role attribute, and that for some reason the evaluation did not retrieve any values.
It seems like WSO2 IS is not retrieving the values for the role attribute. You want to check your configuration within WSO2 IS. Alternatively, test out the Axiomatics Policy Server.
HTH
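The three threads above come down to the same mechanics: a PDP looks an AttributeDesignator up by (Category, AttributeId, DataType), so a role sent under subject-id is invisible to a designator for http://wso2.org/claims/role; if the request holds no match it asks the registered attribute finder (PIP), which is what the kmarket sample policy needed; and only after both come back empty does MustBePresent="true" turn the empty bag into Indeterminate with a missing-attribute status, as the Axiomatics test showed. The following Python model is an added example, not WSO2, Balana or Axiomatics code. The directory_pip function, the USER_ROLES table and the subject_request helper are constructed for the illustration, and the policy it evaluates has the shape of the MedicalRecords policy above: a Permit rule conditioned on any-of string-equal over the role, followed by an unconditional Deny rule under first-applicable.

```python
"""Added illustration (not WSO2 or Balana code): how a XACML 3.0 PDP resolves an
AttributeDesignator against the request, then a PIP (attribute finder), and what
MustBePresent="true" does when both come back empty."""
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
ROLE = "http://wso2.org/claims/role"
STATUS_OK = "urn:oasis:names:tc:xacml:1.0:status:ok"
STATUS_MISSING = "urn:oasis:names:tc:xacml:1.0:status:missing-attribute"


def attribute_bags(request_xml):
    """Index every AttributeValue by (Category, AttributeId, DataType).
    A designator naming a different AttributeId gets an empty bag, even when
    the same value is present in the request under another id."""
    bags = {}
    root = ET.fromstring(request_xml)
    for attrs in root.findall(f"{NS}Attributes"):
        category = attrs.get("Category")
        for attr in attrs.findall(f"{NS}Attribute"):
            for val in attr.findall(f"{NS}AttributeValue"):
                key = (category, attr.get("AttributeId"), val.get("DataType"))
                bags.setdefault(key, []).append((val.text or "").strip())
    return bags


class MissingAttribute(Exception):
    """Stands in for the missing-attribute status a PDP reports."""


def designator(bags, category, attribute_id, datatype, must_be_present, pip=None):
    """AttributeDesignator semantics: request first, then the registered
    attribute finder (PIP), then MustBePresent decides empty bag vs. error."""
    bag = list(bags.get((category, attribute_id, datatype), []))
    if not bag and pip is not None:
        bag = list(pip(bags, category, attribute_id, datatype))
    if not bag and must_be_present:
        raise MissingAttribute(attribute_id)
    return bag


def any_of_string_equal(value, bag):
    """any-of(string-equal, value, bag), which is also what string-is-in
    computes: true when at least one bag member equals value."""
    return any(value == member for member in bag)


def decide(request_xml, attribute_id, expected, pip=None):
    """Permit rule whose Condition is any-of(string-equal, expected,
    designator(access-subject, attribute_id)) with MustBePresent="true",
    then an unconditional Deny rule under first-applicable.
    Returns (Decision, StatusCode)."""
    try:
        bag = designator(attribute_bags(request_xml), SUBJECT, attribute_id,
                         STRING, True, pip)
    except MissingAttribute:
        return ("Indeterminate", STATUS_MISSING)
    if any_of_string_equal(expected, bag):
        return ("Permit", STATUS_OK)
    return ("Deny", STATUS_OK)


def subject_request(attribute_id, value):
    """Constructed request carrying a single access-subject attribute."""
    return (
        '<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'
        f'<Attributes Category="{SUBJECT}">'
        f'<Attribute AttributeId="{attribute_id}" IncludeInResult="false">'
        f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
        '</Attribute></Attributes></Request>'
    )


# Constructed user store backing the hypothetical attribute finder below.
USER_ROLES = {"doctor": ["doctor"], "alice": ["nurse", "doctor"], "bob": []}


def directory_pip(bags, category, attribute_id, datatype):
    """Hypothetical PIP: derive the role claim from the subject-id already in
    the request, the way a registered attribute finder fills in an attribute
    the PEP did not send."""
    if category == SUBJECT and attribute_id == ROLE and datatype == STRING:
        roles = []
        for subject in bags.get((SUBJECT, SUBJECT_ID, STRING), []):
            roles.extend(USER_ROLES.get(subject, []))
        return roles
    return []


if __name__ == "__main__":
    # Role sent under subject-id: the role designator sees an empty bag.
    print(decide(subject_request(SUBJECT_ID, "doctor"), ROLE, "doctor"))
    # Same value under the AttributeId the policy names.
    print(decide(subject_request(ROLE, "doctor"), ROLE, "doctor"))
    # Missing attribute resolved by the attribute finder instead.
    print(decide(subject_request(SUBJECT_ID, "alice"), ROLE, "doctor", pip=directory_pip))
    # Finder registered but the store has no role: still Indeterminate.
    print(decide(subject_request(SUBJECT_ID, "bob"), ROLE, "doctor", pip=directory_pip))
```

Running it prints the four cases in order: Indeterminate with the missing-attribute status, Permit, Permit, Indeterminate. The second call is the whole fix from the answer above (the same value under the AttributeId the policy names), and the third is what registering an attribute finder buys when the PEP cannot be changed.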

MultipleRequest in WSO2 Identity Server

I would like to know whether WSO2 Identity Server supports multiple requests.
When I try to formulate the following request:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" id="action1">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GET</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" id="action2">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">GETT</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" id="subject1">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cijoy</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject" id="subject2">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">cijoyy</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" id="resource1">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/Entitlement_Sample_WebApp/protected.jsp</AttributeValue>
</Attribute>
</Attributes>
<Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" id="resource2">
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
<AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/Entitlement_Sample_WebApp/protected.jspp</AttributeValue>
</Attribute>
</Attributes>
<MultiRequests>
<RequestReference>
<AttributesReference ReferenceId="subject1"/>
<!-- Is Subject necessary? -->
<AttributesReference ReferenceId="action1"/>
<!-- Is Action necessary? -->
<AttributesReference ReferenceId="resource1"/>
<!-- This generates a normal single Resource request -->
</RequestReference>
</MultiRequests>
</Request>
It throws an Indeterminate error saying:
Invalid request : Error parsing required ReferenceId in MultiRequestType
Any working sample? Any idea?
Yes, you can do it with Balana XACML 3.0. This link would be of help.
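Both the SAN thread above (two Attributes elements of the same category behaving like matchAll, one element with two Attribute children behaving like matchAny) and this MultiRequests question are about how a PDP implementing the XACML 3.0 Multiple Decision Profile turns one Request into individual decision requests: repeated categories are expanded into one request per combination, each evaluated on its own, and MultiRequests selects Attributes elements through the xml:id attribute the core schema defines on Attributes. The request above carries a plain id attribute instead, which is the first thing to check when a PDP reports that it cannot resolve a ReferenceId. The following Python model is an added example, not Balana, AuthzForce or WSO2 code; the attributes and multi_request helpers and the sample values are constructed for the illustration.

```python
"""Added illustration (not Balana, AuthzForce or WSO2 code): how a PDP that
implements the XACML 3.0 Multiple Decision Profile splits one request into
the individual decision requests it evaluates."""
import itertools
import xml.etree.ElementTree as ET

NS = "{urn:oasis:names:tc:xacml:3.0:core:schema:wd-17}"
XML_ID = "{http://www.w3.org/XML/1998/namespace}id"  # xml:id, as the schema defines it
STRING = "http://www.w3.org/2001/XMLSchema#string"
CERT = "urn:oasis:names:tc:xacml:3.0:attribute-category:certificate"
SAN = "urn:oasis:names:tc:xacml:1.0:certificate-category:subject-alternative-name"
ACTION = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"


class InvalidRequest(ValueError):
    """A RequestReference names an id that no <Attributes> element carries."""


def flatten(elems):
    """Collapse <Attributes> elements into {category: [(AttributeId, value)]}."""
    request = {}
    for elem in elems:
        for attr in elem.findall(f"{NS}Attribute"):
            for val in attr.findall(f"{NS}AttributeValue"):
                request.setdefault(elem.get("Category"), []).append(
                    (attr.get("AttributeId"), (val.text or "").strip()))
    return request


def individual_requests(request_xml):
    """Return the individual decision requests behind one <Request>.

    With <MultiRequests>, each <RequestReference> picks <Attributes> elements
    by xml:id. Without it, repeated categories expand to one request per
    combination: two <Attributes> of the same category with one value each
    become two requests with one value each, while one <Attributes> holding
    two <Attribute> children stays a single request with a two-value bag."""
    root = ET.fromstring(request_xml)
    elems = root.findall(f"{NS}Attributes")
    multi = root.find(f"{NS}MultiRequests")
    if multi is None:
        by_category = {}
        for elem in elems:
            by_category.setdefault(elem.get("Category"), []).append(elem)
        return [flatten(combo) for combo in itertools.product(*by_category.values())]
    by_id = {e.get(XML_ID): e for e in elems if e.get(XML_ID) is not None}
    requests = []
    for ref in multi.findall(f"{NS}RequestReference"):
        chosen = []
        for aref in ref.findall(f"{NS}AttributesReference"):
            rid = aref.get("ReferenceId")
            if rid not in by_id:
                raise InvalidRequest(f"ReferenceId {rid!r} matches no xml:id")
            chosen.append(by_id[rid])
        requests.append(flatten(chosen))
    return requests


def reference_error(request_xml):
    """The InvalidRequest message for request_xml, or None if it expands."""
    try:
        individual_requests(request_xml)
    except InvalidRequest as exc:
        return str(exc)
    return None


def attributes(category, attribute_id, value, id_attr=None, xid=None):
    """Constructed <Attributes> element; id_attr selects "xml:id" or "id"."""
    ident = f' {id_attr}="{xid}"' if id_attr else ""
    return (f'<Attributes Category="{category}"{ident}>'
            f'<Attribute AttributeId="{attribute_id}" IncludeInResult="false">'
            f'<AttributeValue DataType="{STRING}">{value}</AttributeValue>'
            '</Attribute></Attributes>')


REQUEST_OPEN = '<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">'

# Constructed: the two ways of sending two SAN values seen in the thread above.
REPEATED_CATEGORY = (REQUEST_OPEN + attributes(CERT, SAN, "DNS:google.com")
                     + attributes(CERT, SAN, "DNS:google.nl") + "</Request>")
SINGLE_CATEGORY = (REQUEST_OPEN + f'<Attributes Category="{CERT}">'
                   f'<Attribute AttributeId="{SAN}"><AttributeValue DataType="{STRING}">DNS:google.com</AttributeValue></Attribute>'
                   f'<Attribute AttributeId="{SAN}"><AttributeValue DataType="{STRING}">DNS:google.nl</AttributeValue></Attribute>'
                   "</Attributes></Request>")


def multi_request(id_attr):
    """Constructed MultiRequests request in the shape of the one above, with
    the <Attributes> identifier written as xml:id or as a plain id."""
    return (REQUEST_OPEN
            + attributes(ACTION, ACTION_ID, "GET", id_attr, "action1")
            + attributes(ACTION, ACTION_ID, "GETT", id_attr, "action2")
            + '<MultiRequests><RequestReference>'
            '<AttributesReference ReferenceId="action1"/>'
            '</RequestReference></MultiRequests></Request>')


if __name__ == "__main__":
    print(individual_requests(REPEATED_CATEGORY))  # two one-value requests
    print(individual_requests(SINGLE_CATEGORY))    # one two-value request
    print(individual_requests(multi_request("xml:id")))
    print(reference_error(multi_request("id")))    # plain id: unresolved reference
```

The repeated-category case is why the separate-Attributes form in the SAN thread read as matchAll: each individual request carries one SAN value, is evaluated alone, and the PEP sees one result per value. The single-Attributes form puts both values in one bag, which is what string-is-in and any-of string-equal test against.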