XacmlAttributeValueTemplate

The XACML attribute value template configuration lets you create and edit templates for the attribute values used in the attribute child elements of XACML request or policy elements.

Description

Description of the configuration object

Source

The source or holder of the attribute value. Depending on the selected source, the following fields may be set:

  • CONSTANT - 'Constant value' field that allows you to assign a constant.

  • CONSTANT_DELIMITER - 'Constant value delimiter' field, if present, will split the CONSTANT into multiple values.

  • ENVIRONMENT - 'source abstraction' list from which you can select an environmental abstraction, such as TIME.

  • FEDERATION_SERVICE - 'source abstraction' list from which you can select ISSUED_SAML_ASSERTION. Depending on the selected 'source abstraction', the following fields may also be displayed: Source abstraction detail, SAML assertion construction template identifier.

  • USER_SERVICE - 'source abstraction' list from which you can select a user service abstraction such as LDAP_ATTRIBUTE. Depending on the selected 'source abstraction', the following fields may also be displayed in 'source abstraction detail': LDAP attribute name.

  • SSO_SERVICE - 'source abstraction' list from which you can select an SSO service abstraction such as X509_CERTIFICATE. Depending on the selected 'source abstraction', the following fields may also be displayed in 'source abstraction detail': Client id, Custom data name, Detail, Property id, SAML attribute name, SAML attribute name format, User profile attribute name, Third-party data name.

  • AUTHORIZATION_SERVICE - 'source abstraction' list from which you can select an authorization service abstraction such as XACML_OBLIGATIONS. Depending on the selected 'source abstraction', the following fields may also be selected in 'source abstraction detail': XACML PDP identifier, XACML request construction template identifier, AttributeId of attribute to be read from XACML obligations, DataType of attribute to be read from XACML obligations.

  • COMBINED - Allows you to obtain values from multiple sources and combine them via abstractions such as FIRST_EXISTING and CONCATENATION.

  • CUSTOM - 'source abstraction' list from which you can select a custom abstraction such as RANDOM_UUID. Depending on the selected 'source abstraction', the following fields may also be displayed: Detail.

  • REQUEST - No additional fields.

  • DATA_SERVICE - The identifier of the Data Service instance configured in LdapDataService.

    • Search base override - The search base which should be used instead of the default search base of the service.

    • Search scope - The search scope parameter according to RFC 4516.

    • Attributes to return - The list of the attributes to be returned as the result of the query. All values of the returned attributes are merged in a single list (using the Multi value separator to separate their values). The order of the attributes in the list is respected when merging their values.

    • Filter string - An LDAP filter to be applied. The 'Search base override' and 'Filter string' may contain placeholders which are replaced with actual values before the query is evaluated. A placeholder has the form ${NAME}, where NAME is the name of a request injection value template whose value is used in place of the placeholder. The resolution must not result in a cycle, and a single-value result is expected. If resolving a placeholder fails, the query is not evaluated at all (the result is nothing). The $${PLACEHOLDER} syntax (doubled $ sign) suppresses the replacement and resolves to the literal ${PLACEHOLDER}. ${SearchBase} resolves to the default search base of the referenced data service, unless a template named SearchBase exists, which takes precedence. Note that the query can return multiple entities, whose attributes are merged and returned; in some cases this is intended, in others it is not. The following examples assume the existence of a request injection value template DistinguishedName which returns the DN of the authenticated user; this template can then be used in the placeholders.

      Example 1:

    • Search base override: ${DistinguishedName}

    • Search scope: base

    • Attributes to return: uid, secretary

      The result will be the list of all UIDs of a user, assuming the DN is valid in the source LDAP. This can also be achieved for a single attribute with the USER_SERVICE abstraction, but not so easily for multiple attributes, and there is no other way to achieve it if the source is a different LDAP.

      Example 2:

    • Search scope: sub

    • Attributes to return: dn

    • Filter string: (member=${DistinguishedName})

      This template can be used to search for groups that list the DN of the user as a member. The result is a list of the DNs of such groups. The administrator is responsible for configuring the templates so that they resolve to single values and return safe values; a carelessly configured template may leak a sensitive value to the outside world. It is also recommended to restrict the data service's access to read-only by means of the underlying database, where possible. While this is not dangerous for the default LDAP data service implementation (only the search operation is executed, which is read-only by definition), it might be for another implementation.

  • Allowed Values:

    • CONSTANT

    • ENVIRONMENT

    • FEDERATION_SERVICE

    • OAUTH_SERVICE

    • USER_SERVICE

    • SSO_SERVICE

    • AUTHORIZATION_SERVICE

    • COMBINED

    • CUSTOM

    • REQUEST

    • DATA_SERVICE

    • ENTITY_SERVICE
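The placeholder rules described for the DATA_SERVICE 'Search base override' and 'Filter string' fields, implemented as an added example (this is not DirX Access code): a resolver for ${NAME}, $${NAME} and ${SearchBase} with the single-value, failure and cycle rules, applied to Example 1 and Example 2 above. The template store layout (name -> list of values, where a value may itself contain placeholders), the constructed DistinguishedName value and the optional RFC 4515 escaping of values substituted into a filter string are assumptions made here.

```python
import re
from typing import Dict, FrozenSet, List, Optional

# Added example, not DirX Access code: models the placeholder rules stated for
# 'Search base override' and 'Filter string'. The template store shape (name ->
# list of values, a value may nest placeholders) and the optional RFC 4515
# escaping are assumptions made for this example.
_PLACEHOLDER = re.compile(r"\$(\$?)\{([^{}]+)\}")

# RFC 4515 escaping so a substituted value cannot change the filter's structure
# (added hardening; the page leaves value safety to the administrator).
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def resolve(text: str, templates: Dict[str, List[str]], default_search_base: str,
            escape: bool = False, _active: FrozenSet[str] = frozenset()) -> Optional[str]:
    """Expand ${NAME} placeholders; return None when the query must not be run.
    $${NAME} yields the literal ${NAME}. ${SearchBase} yields the default search
    base unless a template named SearchBase exists. A missing or multi-valued
    template, or a cycle between templates, fails the whole resolution.
    """
    def substitute(m: "re.Match[str]") -> str:
        suppressed, name = m.group(1), m.group(2)
        if suppressed:
            return "${" + name + "}"
        if name in _active:
            raise LookupError(f"cycle through {name}")
        if name not in templates:
            if name == "SearchBase":
                return default_search_base
            raise LookupError(f"unknown template {name}")
        values = templates[name]
        if len(values) != 1:
            raise LookupError(f"{name} yielded {len(values)} values, expected 1")
        # Nested placeholders in the value are resolved with this name marked active.
        inner = resolve(values[0], templates, default_search_base, False, _active | {name})
        if inner is None:
            raise LookupError(f"{name} failed")
        return escape_filter_value(inner) if escape else inner

    try:
        return _PLACEHOLDER.sub(substitute, text)
    except LookupError:
        return None  # page rule: a failed placeholder means the query is not evaluated

# Constructed sample templates; DistinguishedName stands in for the page's
# request injection value template that returns the authenticated user's DN.
TEMPLATES: Dict[str, List[str]] = {
    "DistinguishedName": ["cn=Jane Doe (Sales),ou=people,dc=example,dc=com"],
    "Loop": ["${Loop}"],   # cyclic on purpose
    "Multi": ["a", "b"],   # violates the single-value rule
}
```

Example 1 uses the resolved DN unescaped as a search base, while Example 2 passes `escape=True` so the same DN is safe inside the filter's assertion value.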

Source Abstraction

The source abstraction; the available values depend on the selected 'source'.

  • Allowed Values:

    • TIME

    • CONFIGURATION

    • ISSUED_SAML_ASSERTION

    • ACCESS_TOKEN

    • REFRESH_TOKEN

    • REQUESTING_PARTY_TOKEN

    • LDAP_ATTRIBUTE

    • ROLE_ASSIGNMENTS

    • DOMAIN_MEMBERSHIP

    • GROUP_ASSIGNMENTS

    • LOGINNAME

    • FULLY_QUALIFIED_LOGINNAME

    • ACCOUNT_VALIDITY_NOT_ON_OR_AFTER

    • X509_CERTIFICATE

    • KERBEROS_INFO

    • SAML_ASSERTION

    • OAUTH_INFO

    • AUTHENTICATION_INFO

    • CONTEXT_INFO

    • THIRD_PARTY_INFO

    • SSO_INFO

    • XACML_OBLIGATIONS

    • FIRST_EXISTING

    • CONCATENATION

    • RANDOM_UUID

    • SAML_PERSISTENT_NAME_ID

    • SAML_AUTHN_REQUEST

    • RST

    • HTTP_SERLVET_REQUEST

    • SOAP_MESSAGE_CONTEXT

    • JBOSS

    • JAAS

    • APP_REPO_ENTITY

    • CLIENT_DATA

    • DOMAIN_NAME

    • PASSWORD

    • OTP_CALLBACK

    • OTP_RFC4226

    • OTP_RFC6238

Source abstraction detail

The source abstraction detail; the available values depend on the selected 'source abstraction'.

  • Allowed Values:

    • TOKEN_ACTIVE

    • TOKEN_SCOPES

    • TOKEN_CLIENT_ID

    • TOKEN_TYPE

    • TOKEN_EXPIRATION_TIME

    • TOKEN_ISSUED_TIME

    • TOKEN_SUBJECT_IDENTIFIER

    • TOKEN_AUDIENCE

    • TOKEN_ISSUER

    • TOKEN_IDENTIFIER

    • PERMISSIONS

    • ISSUER_DN

    • SUBJECT_DN

    • SUBJECT_EMAIL_FROM_DN

    • SUBJECT_EMAIL_FROM_ALTSUBJECTNAME

    • KERBEROS_NAME

    • PRINCIPAL

    • REALM

    • ASSERTION

    • ATTRIBUTE_STATEMENT

    • SUBJECT

    • ISSUER

    • AUTHENTICATING_AUTHORITY

    • ACCESS_TOKEN

    • REFRESH_TOKEN

    • SCOPE

    • VALID_UNTIL

    • EXTERNAL_ATTRIBUTE

    • PARTNERSHIP_ID

    • AUTHENTICATION_ID

    • AUTHENTICATION_TIME

    • AUTHENTICATION_METHODS

    • ASSURANCE_LEVEL

    • AUTHENTICATION_AUTHORITY

    • AUTHENTICATION_DN

    • AUTHENTICATION_CN

    • DOMAIN_NAMES

    • SUBJECT_ID

    • CLIENT_IP_ADDRESS

    • CUSTOM_DATA

    • THIRD_PARTY_DATA

    • OPAQUE_DATA

    • WEB_REQUEST_URI

    • WEB_HEADER

    • WEB_COOKIE

    • WEB_PARAMETER

    • WEB_ATTIBUTE

    • WS_OPERATION

    • WS_PORT

    • WS_REQUEST_URI

    • WS_SERVICE

    • WS_XPATH

    • LAST_LOGIN_DATE

    • ROLES

    • GROUPS

    • USER_DATA_CONSENT

    • NUMBER_OF_LOGIN_FAILURES

    • COMMUNICATION_ADDRESS

Constant value

The constant value when CONSTANT is selected in the 'source' property, or the delimiter when 'COMBINED' is selected in the 'source' property and 'CONCATENATION' is selected in the 'source abstraction' property.

Constant value delimiter

If present, this will be used to split the constant into separate values. The individual values will be trimmed of leading and trailing spaces.

LDAP attribute name

The LDAP attribute name in case the USER_SERVICE is selected in the 'source' property and 'LDAP_ATTRIBUTE' is selected in the 'source abstraction' property.

Custom data name

The custom data name value (in the 'ContextPrincipal' of the subject) in case the SSO_SERVICE is selected in the 'source' property, 'CONTEXT_INFO' is selected in the 'source abstraction' property and 'CUSTOM_DATA' is selected in the 'source abstraction detail' property.

Third party data name

The third party data name value in case the SSO_SERVICE is selected in the 'source' property, 'THIRD_PARTY_INFO' is selected in the 'source abstraction' property and 'THIRD_PARTY_DATA' is selected in the 'source abstraction detail' property.

Client name

The name of the client of 'OpaqueData' (in the 'OpaqueDataPrincipal' of the subject) in case the SSO_SERVICE is selected in the 'source' property, 'THIRD_PARTY_INFO' is selected in the 'source abstraction' property and 'OPAQUE_DATA' is selected in the 'source abstraction detail' property.

OPAQUE property name

The name of an attribute in 'OpaqueData' (in the 'OpaqueDataPrincipal' of the subject) in case the SSO_SERVICE is selected in the 'source' property, 'THIRD_PARTY_INFO' is selected in the 'source abstraction' property and 'OPAQUE_DATA' is selected in the 'source abstraction detail' property.

SAML attribute name

The SAML attribute name (from the saml:AttributeStatement section of the inbound saml:Assertion) in case the SSO_SERVICE is selected in the 'source' property, 'SAML_ASSERTION' is selected in the 'source abstraction' property and 'ATTRIBUTE_STATEMENT' is selected in the 'source abstraction detail' property.

SAML attribute name format

The SAML attribute name format (from the saml:AttributeStatement section of the inbound saml:Assertion) in case the SSO_SERVICE is selected in the 'source' property, 'SAML_ASSERTION' is selected in the 'source abstraction' property and 'ATTRIBUTE_STATEMENT' is selected in the 'source abstraction detail' property.

OAUTH attribute name

The OAuth attribute name (of an attribute from the (inbound) OAuth user profile) in case the SSO_SERVICE is selected in the 'source' property, 'OAUTH_INFO' is selected in the 'source abstraction' and 'EXTERNAL_ATTRIBUTE' is selected in the 'source abstraction detail' property.

Configuration property name

The configuration property name of the PEP in case the ENVIRONMENT is selected in the 'source' property and 'CONFIGURATION' is selected in the 'source abstraction' property.

PEP identifier

The identifier of the PEP in case the ENVIRONMENT is selected in the 'source' property and 'CONFIGURATION' is selected in the 'source abstraction' property.

SAML assertion construction template identifier

The identifier of the SAML assertion construction template object in case the FEDERATION_SERVICE is selected in the 'source' property and 'ISSUED_SAML_ASSERTION' is selected in the 'source abstraction' property.

XACML PDP identifier

The identifier of the PDP (for 'XacmlAttributeValueBuilderPdp') in case the AUTHORIZATION_SERVICE is selected in the 'source' property and 'XACML_OBLIGATIONS' is selected in the 'source abstraction' property.

XACML request construction identifier

The identifier of the XACML request construction template (for 'XacmlAttributeValueBuilderPdp') in case the AUTHORIZATION_SERVICE is selected in the 'source' property and 'XACML_OBLIGATIONS' is selected in the 'source abstraction' property.

XACML obligation attribute identifier

The identifier of the XACML obligation attribute (for 'XacmlAttributeValueBuilderPdp') in case the AUTHORIZATION_SERVICE is selected in the 'source' property and 'XACML_OBLIGATIONS' is selected in the 'source abstraction' property.

XACML obligation attribute data type

XACML obligation attribute data type (for 'XacmlAttributeValueBuilderPdp') in case the AUTHORIZATION_SERVICE is selected in the 'source' property and 'XACML_OBLIGATIONS' is selected in the 'source abstraction' property.

Data service identifier

The identifier of the data service in case the DATA_SERVICE is selected in the 'source' property.

Data service query

The data service query for the data service in case the DATA_SERVICE is selected in the 'source' property.

Role assignments imprint domain

The decision whether or not to imprint domain into role assignments in case the USER_SERVICE is selected in the 'source' property and 'ROLE_ASSIGNMENTS' is selected in the 'source abstraction' property.

Client data JSON Path

A string containing a simple JSONPath expression (according to RFC 9535) which, applied to the ENTITY_SERVICE -> CLIENT_DATA value, produces the attribute value.

Requester Authorization

The decision whether or not to apply the internal authorization on the requester data retrieval. Usable if ENTITY_SERVICE is selected as a 'source'.

Source abstraction object identifier

The identifier of the desired object from the DirX Access User tree; usable only with the ENTITY_SERVICE source. Can be left empty, in which case every entry of the type specified in 'source abstraction' is retrieved.

XACML attribute category

The category of an attribute child element in an XACML request or policy ('Subject', 'Resource', 'Action', 'Environment' or any custom-defined category).

Implementation class name

The fully-qualified name of the implementing class (from the DirX Access base bundle).

  • Allowed Values:

    • XACML_ATTRIBUTE_VALUE_BUILDER_IP_ADDRESS

    • XACML_ATTRIBUTE_VALUE_BUILDER_OPAQUE_DATA

    • XACML_ATTRIBUTE_VALUE_BUILDER_SAML_ATTRIBUTES

    • XACML_ATTRIBUTE_VALUE_BUILDER_SAML_X_PATH

    • XACML_ATTRIBUTE_VALUE_BUILDER_OAUTH_ATTRIBUTES

    • XACML_ATTRIBUTE_VALUE_BUILDER_OAUTH_SCOPE

    • XACML_ATTRIBUTE_VALUE_BUILDER_PDP

    • XACML_ATTRIBUTE_VALUE_BUILDER_CUSTOM_DATA

    • XACML_ATTRIBUTE_VALUE_BUILDER_TREE_CUSTOM_DATA

    • XACML_ATTRIBUTE_VALUE_BUILDER_ROLE_ASSIGNMENTS

    • XACML_ATTRIBUTE_VALUE_BUILDER_GROUP_ASSIGNMENTS

    • XACML_ATTRIBUTE_VALUE_BUILDER_THIRD_PARTY_DATA

    • XACML_ATTRIBUTE_VALUE_BUILDER_USER_IDS

    • XACML_ATTRIBUTE_VALUE_BUILDER_ASSURANCE_LEVEL

    • XACML_ATTRIBUTE_VALUE_BUILDER_AUTHN_METHODS

    • XACML_ATTRIBUTE_VALUE_BUILDER_AUTHN_TIME

    • XACML_ATTRIBUTE_VALUE_BUILDER_X509

    • XACML_ATTRIBUTE_VALUE_BUILDER_DATA_SERVICE

    • XACML_ATTRIBUTE_VALUE_BUILDER_DAY_OF_WEEK

    • CONSTANT_XACML_ATTRIBUTE_VALUE_BUILDER

    • DXA_XACML_ATTRIBUTE_VALUE_BUILDER_ACTION

    • DXA_XACML_ATTRIBUTE_VALUE_BUILDER_APP_REPO_RESOURCE_ID

    • DXA_XACML_ATTRIBUTE_VALUE_BUILDER_APP_REPO_RESOURCE_PARENT

    • DXA_XACML_ATTRIBUTE_VALUE_BUILDER_REQUEST_ACTION

    • DXA_XACML_ATTRIBUTE_VALUE_BUILDER_RESOURCE_OWNER

    • DXA_XACML_ATTRIBUTE_VALUE_BUILDER_RESOURCE_URI

    • DXA_XACML_ATTRIBUTE_VALUE_BUILDER_WEB_PEP_PARAM

    • WEB_XACML_ATTRIBUTE_VALUE_BUILDER_ACTION

    • WEB_XACML_ATTRIBUTE_VALUE_BUILDER_REQUEST_ACTION

    • WEB_XACML_ATTRIBUTE_VALUE_BUILDER_RESOURCE_URI

    • WEB_XACML_ATTRIBUTE_VALUE_BUILDER_WEB_PEP_PARAM

    • WS_XACML_ATTRIBUTE_VALUE_BUILDER_OPERATION

    • WS_XACML_ATTRIBUTE_VALUE_BUILDER_PORT

    • WS_XACML_ATTRIBUTE_VALUE_BUILDER_QNAME_BASE

    • WS_XACML_ATTRIBUTE_VALUE_BUILDER_REQUEST_URI

    • WS_XACML_ATTRIBUTE_VALUE_BUILDER_SERVICE

    • WS_XACML_ATTRIBUTE_VALUE_BUILDER_X_PATH

Parameters

The parameters of the implementation class.

When Implementation class = com.siemens.dxa.services.authz.impl.xacml.pdp.finder.attribute.subject.builder.persistence.XacmlAttributeValueBuilderCustomData:

  • "LDAP attribute name" field: identifies an LDAP attribute.

When Implementation class = com.siemens.dxa.services.authz.impl.xacml.pdp.finder.attribute.subject.builder.federation.inbound.XacmlAttributeValueBuilderOAuthAttributes:

  • "OAuth attribute name" field: identifies an OAuth user profile attribute.

When Implementation class = com.siemens.dxa.services.authz.impl.xacml.pdp.finder.attribute.subject.builder.federation.inbound.XacmlAttributeValueBuilderSamlAttributes:

  • "SAML attribute name" field: identifies a SAML attribute.

  • "SAML attribute name format" field: identifies the name format of a SAML attribute.

  • "Attribute mapping" field: identifies attribute mappings (for example, mappings of role assignments between federated domains).

When Implementation class = com.siemens.dxa.services.authz.impl.xacml.pdp.finder.attribute.subject.builder.federation.inbound.XacmlAttributeValueBuilderSamlXPath:

  • "XPath expression" field: XPath name/value tuples.

When Implementation class = com.siemens.dxa.services.authz.impl.xacml.pdp.finder.attribute.subject.builder.persistence.XacmlAttributeValueBuilderThirdPartyData:

  • "Third party data name" field: identifies a third party attribute.

JAAS permission names

The jaas:Permission names.

When Implementation class = com.siemens.dxa.common.authz.builder.value.dxa.DXAXacmlAttributeValueBuilderAction:

  • "JAAS permission names" field: identifies a JAAS permission name attribute.

When Implementation class = com.siemens.dxa.common.authz.builder.value.dxa.DXAXacmlAttributeValueBuilderResourceUri:

  • "JAAS permission names" field: identifies a JAAS permission name attribute.

When Implementation class = com.siemens.dxa.common.authz.builder.value.dxa.DXAXacmlAttributeValueBuilderWebPepParam:

  • "Parameter name" field: identifies a parameter name attribute.

  • "JAAS permission names" field: identifies a JAAS permission name attribute.

When Implementation class = com.siemens.dxa.common.authz.builder.value.jaas.JaasXacmlAttributeValueBuilderContextId:

  • "JAAS permission names" field: identifies a JAAS permission name attribute.

When Implementation class = com.siemens.dxa.common.authz.builder.value.web.WebXacmlAttributeValueBuilderWebPepParam:

  • "Parameter name" field: identifies a parameter name attribute.

XACML attribute value mapping identifiers

The identifiers of associated 'XacmlAttributeValueMappings'.

Attribute value template identifiers

The identifiers of combined attribute value templates in case the 'COMBINED' is selected in the 'source' property.