OAuth AS Policy


Definition of the authorization policy xml file

This XML file defines which users may access which resources.

The main structure looks like this one:

<AssertionList>
  <Assertion ...>
      ...
  </Assertion>
</AssertionList>

Where,

  • AssertionList: this element holds the list of assertion types the server accepts.
  • Assertion: this element defines the policies for one specific assertion type, named in its type attribute.

Defining an Assertion Policy

The following examples show how an authorization policy is defined for a specific assertion type.

SAML2 Assertion example

<Assertion type="saml2">
    <Policies>
        <Policy>
            <Attributes check="all" >
               <Attribute name="def:eduPersonScopedAffiliation" value="staff@rediris.es" />
            </Attributes>
        </Policy>       
    </Policies>
</Assertion>

PAPI Assertion example

<Assertion type="saml2">
    <Policies scope="http://oauth-server/photos/">
        <TokenFormat>
            <format>%sHO%</format>
            <format>%scope%</format>
        </TokenFormat>
        <Policy>
            <Attributes check="all" >
               <Attribute name="ePA" value="staff" />
            </Attributes>
        </Policy>
        <Policy>
            <Attributes check="any" >
               <Attribute name="sHO" value="rediris.es" />
               <Attribute name="sHO" value="fecyt.es" />
            </Attributes>
        </Policy>
    </Policies>
</Assertion>

Where,

  • Each <Policies> element refers to one scope, given in its scope attribute; the scope requested by the client selects which <Policies> applies.
  • Inside a <Policies> element you can include:
    • One <Policy> element per policy you need.
    • The token format, in the <TokenFormat> element. It lists the attributes that must be present in the assertion and that will be copied into the OAuth access token for use by the resource server. It has the following structure:
                  <TokenFormat>
                      <format>%sHO%</format>
                      <format>%scope%</format>
                  </TokenFormat>

      Each <format> element must contain exactly one attribute name enclosed in "%" characters, for example %sHO%, %sPUC%, %ePTI%, %mail%, %uid%, %scope%, etc.
  • The <Attributes> element inside a <Policy> defines how the user's attributes are checked. The mode is given in its check attribute, whose allowed values are:
    • all: every rule must be satisfied.
    • any: at least one rule must be satisfied.
    • none: no rule may be satisfied.
  • Each <Attribute> element inside <Attributes> defines one rule over the user's attributes: name is the attribute's name and value is the value it must carry.
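To make the checking rules above concrete, here is a small policy evaluator that parses the same AssertionList structure and applies the all/any/none modes and the token format to a set of user attributes. It is an added example written for this page, not code from the OAuth AS project, and it fills in behaviour the page leaves unstated: the client's requested scope selects the <Policies> element (one without a scope attribute is assumed to match every scope), every <Policy> under the selected <Policies> must pass (they are ANDed), %scope% in <TokenFormat> expands to the granted scope while any other %name% must be present in the user's attributes or access is denied, and user attributes are treated as multi-valued. The policy document is constructed from the PAPI example above with an extra check="none" policy added to show that mode.

```python
"""Evaluator for the AssertionList policy file above (added example, not the
OAuth AS project's code).  Assumptions the page leaves unstated:
  - the requested scope selects the <Policies>; one without scope= matches all;
  - every <Policy> under the selected <Policies> must pass (AND);
  - in <TokenFormat>, %scope% expands to the granted scope, and any other
    %name% must be present in the user's attributes or access is denied;
  - user attributes are multi-valued: a rule matches if any value is equal.
"""
import xml.etree.ElementTree as ET

# Constructed policy, based on the PAPI example above plus a check="none"
# policy that excludes alumni.
POLICY_XML = """\
<AssertionList>
  <Assertion type="saml2">
    <Policies scope="http://oauth-server/photos/">
      <TokenFormat>
        <format>%sHO%</format>
        <format>%scope%</format>
      </TokenFormat>
      <Policy>
        <Attributes check="all">
          <Attribute name="ePA" value="staff" />
        </Attributes>
      </Policy>
      <Policy>
        <Attributes check="any">
          <Attribute name="sHO" value="rediris.es" />
          <Attribute name="sHO" value="fecyt.es" />
        </Attributes>
      </Policy>
      <Policy>
        <Attributes check="none">
          <Attribute name="ePA" value="alum" />
        </Attributes>
      </Policy>
    </Policies>
  </Assertion>
</AssertionList>
"""


def rule_matches(rule, user_attrs):
    """<Attribute name= value=> rule; user_attrs maps name -> list of values."""
    return rule.get("value") in user_attrs.get(rule.get("name"), [])


def attributes_ok(attrs_elem, user_attrs):
    """Apply check="all|any|none". Fails closed on no rules or an unknown mode."""
    results = [rule_matches(r, user_attrs) for r in attrs_elem.findall("Attribute")]
    mode = attrs_elem.get("check", "all")
    if not results:
        return False
    if mode == "all":
        return all(results)
    if mode == "any":
        return any(results)
    if mode == "none":
        return not any(results)
    raise ValueError("unknown check mode %r" % mode)


def select_policies(root, assertion_type, scope):
    """The <Policies> element for this assertion type and requested scope."""
    for assertion in root.findall("Assertion"):
        if assertion.get("type") == assertion_type:
            for policies in assertion.findall("Policies"):
                if policies.get("scope") in (None, scope):
                    return policies
    return None


def token_values(policies, scope, user_attrs):
    """Expand <TokenFormat> in <format> order; None if a required attribute is absent."""
    values = []
    for fmt in policies.findall("TokenFormat/format"):
        text = (fmt.text or "").strip()
        if len(text) < 3 or text[0] != "%" or text[-1] != "%":
            raise ValueError("malformed <format> %r" % text)
        name = text[1:-1]
        if name == "scope":
            values.append(scope)
        elif user_attrs.get(name):
            values.append(";".join(user_attrs[name]))
        else:
            return None
    return values


def authorize(policy_xml, assertion_type, scope, user_attrs):
    """(True, token_values) if access is granted, otherwise (False, None)."""
    root = ET.fromstring(policy_xml)
    policies = select_policies(root, assertion_type, scope)
    if policies is None:
        return False, None
    for policy in policies.findall("Policy"):
        checks = policy.findall("Attributes")
        if not checks or not all(attributes_ok(a, user_attrs) for a in checks):
            return False, None
    values = token_values(policies, scope, user_attrs)
    return (True, values) if values is not None else (False, None)
```

Calling authorize(POLICY_XML, "saml2", "http://oauth-server/photos/", {"ePA": ["staff"], "sHO": ["rediris.es"]}) grants access and yields the token values ["rediris.es", "http://oauth-server/photos/"]; a staff member at an institution outside the any list, a user carrying both staff and alum, an unknown scope or an unknown assertion type are all refused. Every ambiguous situation (an <Attributes> with no rules, a misspelled check mode, a malformed <format>) is treated as a denial or a configuration error rather than a grant, which is the behaviour you want from a policy loader; confirm against the project's own documentation how it combines several <Policy> elements before relying on the AND assumption made here.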