This documentation is for WSO2 Identity Server 5.4.0.
Enabling REST Notifications For XACML Policy Updates - Identity Server 5.4.0 - WSO2 Documentation

This topic provides instructions on how to enable notifications for XACML policy changes.

  1. Register EntitlementNotificationListener in order to get notifications on XACML policy changes. To do this, add the following entries to the <PRODUCT_HOME>/repository/conf/identity/entitlement.properties file.

    Note: If you already have a PAP.Status.Data.Handler.2 configured, then you must add this extension as PAP.Status.Data.Handler.3.

    PAP.Status.Data.Handler.2=org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.1=pdpNotificationAction,ENABLE;DISABLE;UPDATE;DELETE
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.2=papNotification,true
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.3=pdpNotification,true
  2. Configure the <PRODUCT_HOME>/repository/conf/identity/msg-mgt.properties file with your desired destination and template configurations. The following is a sample configuration for sending JSON content to an endpoint when an XACML policy changes.

    module.name.1=json
    json.subscription.1=policyUpdate
    json.subscription.policyUpdate.jsonContentTemplate=/media/user/notification/templates/entitlement
    json.subscription.policyUpdate.endpoint.1=pepEndpoint1
    json.subscription.policyUpdate.endpoint.pepEndpoint1.address=https://localhost:9443/restEndpoint
    json.subscription.policyUpdate.endpoint.pepEndpoint1.AuthenticationRequired=true
    json.subscription.policyUpdate.endpoint.pepEndpoint1.username=admin
    json.subscription.policyUpdate.endpoint.pepEndpoint1.password=admin
    json.subscription.policyUpdate.jsonId=3232

    The following table lists the properties and their descriptions.

    Property: module.name.1=json
    Description: By defining this property you register the JSON sending module in the Notification-Mgt framework, so that the JSON sending module acts as a listener.

    Property: json.subscription.1=policyUpdate
    Description: The first subscription by the JSON module is 'policyUpdate'. When a policy change happens (update, create or delete), an event is triggered by the system. With this configuration, the JSON module subscribes to that event and sends a REST call whenever it fires.

    This subscription is defined as policyUpdate (this value must be used since it is the name of the event published by the publishing party). From this point onwards, you must use json.subscription.policyUpdate as the prefix for properties relevant to this subscription.

    Property: json.subscription.policyUpdate.jsonContentTemplate=/media/user/notification/templates/entitlement
    Description: This is the template for the REST call. You can configure your template so that it has placeholders. These placeholders are replaced with dynamic values that come from the event, or you can define values for these placeholders through your configuration.

    The following is a sample REST message with placeholders.

    {"TargetID":"(targetId)","Username":"(username)","Target":"(target)","Action":"(action)"}

    Note: The dynamic data that comes with the policyUpdate event can be of the following types.

    - operation: The type of user operation that took place
    - targetId
    - username
    - target
    - action

    Property: json.subscription.policyUpdate.endpoint.1=pepEndpoint1
    Description: This is the first endpoint definition for the policyUpdate event subscription. From this point onwards, you are defining properties that are relevant to this endpoint. You can name the first endpoint pepEndpoint1 (or provide any other name). From this point onwards, you must use json.subscription.policyUpdate.endpoint.pepEndpoint1 as the prefix for properties relevant to this endpoint.

    Property: json.subscription.policyUpdate.endpoint.pepEndpoint1.address=https://localhost:9443/restEndpoint
    Description: This endpoint configuration defines the address to which the content is posted.

    Property: json.subscription.policyUpdate.endpoint.pepEndpoint1.AuthenticationRequired=true
    Description: This is an optional property that you can use to authenticate to the REST endpoint you are calling using basic auth. If you set this property to true, you must define the username and password for your endpoint.

    Property: json.subscription.policyUpdate.endpoint.pepEndpoint1.username=admin
    Description: The username used to access the endpoint.

    Property: json.subscription.policyUpdate.endpoint.pepEndpoint1.password=admin
    Description: The password required to access the endpoint.

    Property: json.subscription.policyUpdate.jsonId=3232
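As an added check (example code written for this page, not part of WSO2 Identity Server), the script below parses the two properties files from steps 1 and 2 and flags the pitfalls those steps mention: it reports the next free PAP.Status.Data.Handler.N slot, keys defined more than once (a Java properties loader silently keeps the last value, which changes where the notification is posted), and endpoints that set AuthenticationRequired=true without a username and password or over plain http. The file contents, the second endpoint pepEndpoint2 and the com.example handler class names are constructed for the example.

```python
"""Sanity checks for the entitlement.properties and msg-mgt.properties entries
shown in steps 1 and 2. Added example; not part of WSO2 Identity Server."""
import re

# Constructed sample of entitlement.properties: an existing handler already
# occupies slot 2, so (per the note in step 1) the extension must go in slot 3.
# The com.example class names are placeholders.
ENTITLEMENT_PROPS = r"""
PAP.Status.Data.Handler.1=com.example.DefaultStatusHandler
PAP.Status.Data.Handler.2=com.example.ExistingStatusHandler
"""

# Constructed sample of msg-mgt.properties: the page's endpoint, a stray second
# definition of its address, and a second endpoint (pepEndpoint2) with problems.
MSG_MGT_PROPS = r"""
module.name.1=json
json.subscription.1=policyUpdate
json.subscription.policyUpdate.jsonContentTemplate=/media/user/notification/templates/entitlement
json.subscription.policyUpdate.endpoint.1=pepEndpoint1
json.subscription.policyUpdate.endpoint.pepEndpoint1.address=https://localhost:9443/restEndpoint
json.subscription.policyUpdate.endpoint.pepEndpoint1.AuthenticationRequired=true
json.subscription.policyUpdate.endpoint.pepEndpoint1.username=admin
json.subscription.policyUpdate.endpoint.pepEndpoint1.password=admin
json.subscription.policyUpdate.endpoint.pepEndpoint1.address=https\://localhost\:9443/wso2/scim/Users
json.subscription.policyUpdate.endpoint.2=pepEndpoint2
json.subscription.policyUpdate.endpoint.pepEndpoint2.address=http://pep.example.internal:8080/notify
json.subscription.policyUpdate.endpoint.pepEndpoint2.AuthenticationRequired=true
json.subscription.policyUpdate.endpoint.pepEndpoint2.username=notifier
"""


def parse_properties(text):
    """Parse key=value lines into an ordered list of (key, value) pairs.
    Duplicates are kept so they can be reported; java.util.Properties would
    silently let the last occurrence win."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        # drop the backslash escapes (\: \=) a .properties file may carry
        pairs.append((key.strip(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs


def duplicate_keys(pairs):
    """Keys that occur more than once, in first-seen order."""
    seen, dups = set(), []
    for key, _ in pairs:
        if key in seen and key not in dups:
            dups.append(key)
        seen.add(key)
    return dups


def next_handler_index(pairs):
    """Smallest unused PAP.Status.Data.Handler.N slot (see the note in step 1)."""
    used = []
    for key, _ in pairs:
        m = re.fullmatch(r"PAP\.Status\.Data\.Handler\.(\d+)", key)
        if m:
            used.append(int(m.group(1)))
    return max(used, default=0) + 1


def check_endpoints(pairs):
    """Findings for every endpoint of every <module>.subscription.N subscription."""
    props = dict(pairs)  # effective values: last occurrence wins, as in Java
    findings = []
    for key, sub in pairs:
        m = re.fullmatch(r"(\w+)\.subscription\.\d+", key)
        if not m:
            continue
        module = m.group(1)
        ep_pattern = rf"{module}\.subscription\.{re.escape(sub)}\.endpoint\.\d+"
        for ekey, ep in pairs:
            if not re.fullmatch(ep_pattern, ekey):
                continue
            prefix = f"{module}.subscription.{sub}.endpoint.{ep}."
            address = props.get(prefix + "address", "")
            auth = props.get(prefix + "AuthenticationRequired", "false").lower() == "true"
            if not address:
                findings.append(f"{ep}: no address configured")
            if auth:
                for field in ("username", "password"):
                    if not props.get(prefix + field):
                        findings.append(f"{ep}: AuthenticationRequired=true but {field} is missing")
                if address.startswith("http://"):
                    findings.append(f"{ep}: basic auth credentials would be sent over plain http")
    return findings


if __name__ == "__main__":
    ent = parse_properties(ENTITLEMENT_PROPS)
    msg = parse_properties(MSG_MGT_PROPS)
    print("next free handler slot:", next_handler_index(ent))
    print("duplicate keys:", duplicate_keys(msg))
    for finding in check_endpoints(msg):
        print("finding:", finding)
```

Point the two constants at the real files (or read them with open()) to run the checks against your own deployment; the duplicate-key report is the one to watch, since the second address line in the constructed sample silently redirects pepEndpoint1 to a different URL.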
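To show what the receiving side of this configuration looks like, here is an added example (not WSO2 code) of a minimal PEP-side endpoint that accepts the JSON message built from the template above, checks the basic-auth credentials configured for pepEndpoint1, validates the Action against the values given for pdpNotificationAction in step 1, and invalidates a local decision cache. The credentials, the sample message values, the cache and the listening port are constructed or assumed for the example.

```python
"""Minimal PEP-side receiver for the policyUpdate JSON notification.
Added example; not part of WSO2 Identity Server."""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Assumed to match pepEndpoint1's username/password in msg-mgt.properties.
EXPECTED_USER = b"admin"
EXPECTED_PASSWORD = b"admin"
# The actions listed for pdpNotificationAction in step 1.
VALID_ACTIONS = {"ENABLE", "DISABLE", "UPDATE", "DELETE"}
# The fields of the sample template {"TargetID":"(targetId)", ...}.
REQUIRED_FIELDS = ("TargetID", "Username", "Target", "Action")
# Constructed message, as the notification module would render it from the template.
SAMPLE_MESSAGE = '{"TargetID":"policy-42","Username":"admin","Target":"PDP","Action":"UPDATE"}'

# Constructed stand-ins for a PEP's local decision cache and its audit trail.
decision_cache = {}
audit_log = []


def basic_header(user, password):
    """Header value a client sends for basic auth (used by the usage/test code)."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(header):
    """Validate an 'Authorization: Basic ...' header with constant-time compares."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[len("Basic "):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    user, sep, password = decoded.partition(b":")
    if not sep:
        return False
    return hmac.compare_digest(user, EXPECTED_USER) and hmac.compare_digest(password, EXPECTED_PASSWORD)


def parse_notification(body):
    """Parse and validate the rendered template; raise ValueError on bad input."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"invalid JSON: {exc.msg}") from exc
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    missing = [f for f in REQUIRED_FIELDS if not isinstance(data.get(f), str)]
    if missing:
        raise ValueError(f"missing fields: {', '.join(missing)}")
    if data["Action"] not in VALID_ACTIONS:
        raise ValueError(f"unknown action: {data['Action']}")
    return {"target_id": data["TargetID"], "username": data["Username"],
            "target": data["Target"], "action": data["Action"]}


def handle_notification(auth_header, body, cache=decision_cache, log=audit_log):
    """Core handling, kept separate from the HTTP plumbing. Returns (status, message)."""
    if not basic_auth_ok(auth_header):
        return 401, "unauthorized"
    try:
        note = parse_notification(body)
    except ValueError as exc:
        return 400, str(exc)
    # Any policy change can invalidate earlier decisions, so drop the whole cache
    # and keep a record of who changed what.
    cache.clear()
    log.append(note)
    return 200, "ok"


class NotificationHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        status, message = handle_notification(self.headers.get("Authorization"), body)
        self.send_response(status)
        if status == 401:
            self.send_header("WWW-Authenticate", 'Basic realm="pep"')
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(message.encode())


if __name__ == "__main__":
    # Terminate TLS in front of this (the https:// address in step 2 implies it),
    # since basic-auth credentials travel in every request.
    HTTPServer(("127.0.0.1", 8080), NotificationHandler).serve_forever()
```

With the server running, pointing pepEndpoint1's address at it lets you watch each policy change arrive as one POST; the handle_notification function is the part to adapt, for example to refresh only the cache entries tied to the reported TargetID instead of clearing everything.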