
Mapping between XACML and Identity-Server security Model

planat:
Hi, I'm investigating how I could integrate WSO2 IS as an identity store, Auth & AuthZ server in our new product development. I am currently facing two problems that I cannot find addressed in the documentation.

Permission definition: we defined our security model containing users/groups/roles and permissions. My problem is that I cannot find in WSO2 IS a way to create my own permissions. Role definition is related to the IS platform (configure, manage, monitor). When you deploy WSO2, how do you define the permissions your product has to comply with?

XACML subject and security model: I can't find either how the XACML subject can be mapped to the WSO2 IS identity model (user/group). I have seen in one article the usage of AttributeId/AttributeValue. Could you please clarify a little how this mapping is done if I decide to adopt WSO2 IS for our product?

Thanks for your help,
Vincent
asela:

Hi Vincent,

WSO2 Identity Server (and the whole Carbon platform) has its own permission model. We can assign permissions for all the resources that are defined in the WSO2 Identity Server. Resources can be browsed using the registry browser UI in the management console, and you can assign read, write and delete permissions for each resource. Actually, here we are using role-based access control (RBAC).

Apart from that there is a permission set called management console permissions. They are the same as the registry permissions, but they are used for special tasks. The management console permissions can be seen under "role" in the user and role UI. They are defined to grant permission for the management console UI and admin services.

If you want to use the authorization mechanism with WSO2 Identity Server, you can use RBAC by defining your users and roles with WSO2 Identity Server, and your resources can be kept as registry resources. Then you can easily configure read, write and delete permissions for those resources.

But the better way is to use the XACML engine in WSO2 Identity Server. It is a separate authorization framework. Then any application that you use in your organization can use the XACML engine as your authorization system. But here also you can use the users, roles and attributes defined in the WSO2 Identity Server, because in XACML there is a concept called Policy Information Point (PIP), where you can plug any number of user stores into the XACML engine for evaluating policies. By default, WSO2 Identity Server's XACML engine is shipped with a PIP that calls its own user store. You can find more info about XACML and PIP from this blog post [1].

[1] http://xacmlinfo.com/

Thanks,
Asela
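The PIP flow described in the reply above, as an added example that is not part of the original thread and is not WSO2 or Carbon code: a small Python model of a XACML PDP in which the request names the subject only by the standard `subject-id` attribute, and a PIP resolves the subject's roles from a user store at evaluation time, which is how the "AttributeId/AttributeValue" in a policy ends up tied to users and roles in the identity store. The subject, resource and action identifiers are the standard OASIS XACML URNs; the role attribute URI `http://wso2.org/claims/role`, the user store contents, the resource path and the policy rules are assumptions constructed for the example.

```python
# Added example: a minimal model of the XACML PDP/PIP flow discussed above.
# It is not WSO2 Identity Server code; it stands in for the IS XACML engine
# to show how a subject named only by subject-id gets its roles resolved
# from a user store while a policy is being evaluated.
from dataclasses import dataclass

# Standard XACML attribute identifiers (OASIS XACML 1.0 names).
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Assumed claim URI for the role attribute: WSO2 IS exposes user-store
# attributes as claim URIs, and this is the one used here for roles.
ROLE_ATTR = "http://wso2.org/claims/role"

# Constructed sample user store: user name -> list of role names.
USER_STORE = {
    "vincent": ["product_admin", "Internal/everyone"],
    "bob": ["Internal/everyone"],
    "carol": ["product_admin", "contractor"],
}


class UserStorePIP:
    """Policy Information Point: resolves subject attributes that are
    missing from the request by looking the subject up in a user store."""

    def __init__(self, store):
        self.store = store

    def lookup(self, attribute_id, subject_id):
        if attribute_id != ROLE_ATTR:
            return set()  # this PIP only knows how to supply roles
        return set(self.store.get(subject_id, []))


@dataclass(frozen=True)
class Rule:
    effect: str          # "Permit" or "Deny"
    resource: str
    action: str
    subject_attr: str    # AttributeId the rule's condition tests
    subject_value: str   # AttributeValue that attribute must contain


class PDP:
    """Policy Decision Point using deny-overrides rule combining."""

    def __init__(self, rules, pips):
        self.rules = rules
        self.pips = pips

    def _resolve(self, request, attribute_id):
        # Attributes already present in the request context win; otherwise
        # every configured PIP is asked for each subject in the request.
        if attribute_id in request:
            return request[attribute_id]
        values = set()
        for subject in request.get(SUBJECT_ID, set()):
            for pip in self.pips:
                values |= pip.lookup(attribute_id, subject)
        request[attribute_id] = values  # cache for later rules in this request
        return values

    def evaluate(self, request):
        request = {k: set(v) for k, v in request.items()}
        decisions = []
        for rule in self.rules:
            if rule.resource not in request.get(RESOURCE_ID, set()):
                continue
            if rule.action not in request.get(ACTION_ID, set()):
                continue
            if rule.subject_value in self._resolve(request, rule.subject_attr):
                decisions.append(rule.effect)
        if "Deny" in decisions:
            return "Deny"
        if "Permit" in decisions:
            return "Permit"
        return "NotApplicable"


# Constructed policy: product admins may write the product resource, but
# anyone holding the contractor role is denied even if also an admin.
PRODUCT_RESOURCE = "/_system/governance/products"
POLICY = [
    Rule("Permit", PRODUCT_RESOURCE, "write", ROLE_ATTR, "product_admin"),
    Rule("Deny", PRODUCT_RESOURCE, "write", ROLE_ATTR, "contractor"),
]
pdp = PDP(POLICY, pips=[UserStorePIP(USER_STORE)])


def decide(user, resource, action, extra_attrs=None):
    """Build a request carrying only subject-id, resource-id and action-id
    (plus any attributes the PEP already holds) and evaluate it."""
    request = {SUBJECT_ID: {user}, RESOURCE_ID: {resource}, ACTION_ID: {action}}
    request.update(extra_attrs or {})
    return pdp.evaluate(request)


if __name__ == "__main__":
    for user in list(USER_STORE) + ["mallory"]:
        print(user, decide(user, PRODUCT_RESOURCE, "write"))
```

Two behaviours worth noticing: a subject the PIP cannot find (no user-store entry) yields no role values, so no rule matches and the result is NotApplicable rather than Permit, and an attribute the PEP already put in the request is used as-is without consulting the PIP, so the PEP must be trusted for whatever attributes it asserts. The same separation holds for a real deployment: which user store answers for a given AttributeId is a PDP-side configuration, not something the calling application controls.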