# Enabling REST Notifications For XACML Policy Updates

This topic provides instructions on how to enable notifications for XACML policy changes.

1. Register `EntitlementNotificationListener` in order to get notifications on XACML policy changes. To do this, add the following entries to the `<PRODUCT_HOME>/repository/conf/identity/entitlement.properties` file.

    Note: If you already have a `PAP.Status.Data.Handler.2` configured, then you must add this extension as `PAP.Status.Data.Handler.3`.

    ```properties
    PAP.Status.Data.Handler.2=org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.1=pdpNotificationAction,ENABLE;DISABLE;UPDATE;DELETE
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.2=papNotification,true
    org.wso2.carbon.identity.entitlement.EntitlementNotificationExtension.3=pdpNotification,true
    ```

2. Configure the `<PRODUCT_HOME>/repository/conf/identity/msg-mgt.properties` file with your desired destination configurations and template configurations. The following is a sample configuration for sending JSON content to an endpoint when there is an XACML policy change.

    ```properties
    module.name.1=json
    json.subscription.1=policyUpdate
    json.subscription.policyUpdate.jsonContentTemplate=/media/user/notification/templates/entitlement
    json.subscription.policyUpdate.endpoint.1=pepEndpoint1
    json.subscription.policyUpdate.endpoint.pepEndpoint1.address=https://localhost:9443/restEndpoint
    json.subscription.policyUpdate.endpoint.pepEndpoint1.AuthenticationRequired=true
    json.subscription.policyUpdate.endpoint.pepEndpoint1.username=admin
    json.subscription.policyUpdate.endpoint.pepEndpoint1.password=admin
    json.subscription.policyUpdate.jsonId=3232
    json.subscription.policyUpdate.endpoint.pepEndpoint1.address=https\://localhost\:9443/wso2/scim/Users
    ```

    The sample sets the `pepEndpoint1.address` key twice; in a Java properties file the last value wins, so keep only the address you actually want the content posted to.
The following table lists the properties and their descriptions.

| Property | Description |
|---|---|
| `module.name.1=json` | Registers the JSON sending module in the Notification-Mgt framework, so that the JSON sending module acts as a listener. |
| `json.subscription.1=policyUpdate` | The first subscription of the JSON module is `policyUpdate`. When a policy change happens (update, create or delete), an event is triggered from the system; with this configuration the JSON module subscribes to that event and sends a REST call when it fires. The subscription must be named `policyUpdate`, because that is the name of the event published by the publishing party. From this point onwards, `json.subscription.policyUpdate` is the prefix for properties relevant to this subscription. |
| `json.subscription.policyUpdate.jsonContentTemplate=/media/user/notification/templates/entitlement` | The template for the REST call. The template can contain placeholders, which are replaced either with dynamic values that come from the event or with values you define in your configuration. A sample template and the list of available placeholders follow the table. |
| `json.subscription.policyUpdate.endpoint.1=pepEndpoint1` | The first endpoint definition for the `policyUpdate` event subscription. From this point onwards, you are defining properties relevant to this endpoint. The first endpoint is named `pepEndpoint1` here (any name can be used), and from this point onwards `json.subscription.policyUpdate.endpoint.pepEndpoint1` is the prefix for properties relevant to this endpoint. |
| `json.subscription.policyUpdate.endpoint.pepEndpoint1.address=https://localhost:9443/restEndpoint` | Endpoint configuration that defines the address to which the content is posted. |
| `json.subscription.policyUpdate.endpoint.pepEndpoint1.AuthenticationRequired=true` | Optional property that makes the module authenticate to the REST endpoint it calls using HTTP basic authentication. If set to `true`, a username and password must be defined for the endpoint. |
| `json.subscription.policyUpdate.endpoint.pepEndpoint1.username=admin` | The username used to access the endpoint. |
| `json.subscription.policyUpdate.endpoint.pepEndpoint1.password=admin` | The password used to access the endpoint. |
| `json.subscription.policyUpdate.jsonId=3232` | |
| `json.subscription.policyUpdate.endpoint.pepEndpoint1.address=https://localhost:9443/wso2/scim/Users` | Endpoint configuration that defines the address to which the content is posted. |

The following is a sample REST message with placeholders:

```json
{"TargetID":"(targetId)","Username":"(username)", "Target":"(target)","Action":"(action)"}
```

Note: The dynamic data that comes with the `policyUpdate` event can be of the following types:

- operation
- targetId
- username
- target
- action
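As an added example, not code from this page or from WSO2, the following is a minimal receiver for the `pepEndpoint1` address that checks the basic-auth credentials and validates the fields of the sample template before acting on a notification. It assumes the JSON module POSTs the rendered template as the request body with an `Authorization: Basic` header built from the configured username and password; the credentials, the listening port and the refresh hook are placeholders for your own deployment.

```python
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

NOTIFY_USER = "admin"  # assumed: must equal pepEndpoint1.username in msg-mgt.properties
NOTIFY_PASS = "admin"  # assumed: must equal pepEndpoint1.password
# Values allowed by pdpNotificationAction in entitlement.properties
ALLOWED_ACTIONS = {"ENABLE", "DISABLE", "UPDATE", "DELETE"}
# Keys produced by the placeholders in the page's sample template
REQUIRED_FIELDS = ("TargetID", "Username", "Target", "Action")


def basic_header(user, password):
    # Build the Authorization header the JSON module is assumed to send
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def basic_auth_ok(authorization):
    """Check an 'Authorization: Basic ...' header with constant-time comparison."""
    if not authorization or not authorization.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(authorization[6:], validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return False
    user, _, password = decoded.partition(":")
    return hmac.compare_digest(user.encode(), NOTIFY_USER.encode()) and hmac.compare_digest(password.encode(), NOTIFY_PASS.encode())


def handle_notification(authorization, body):
    """Return (HTTP status, event dict); the event is empty unless the status is 200."""
    if not basic_auth_ok(authorization):
        return 401, {}
    try:
        event = json.loads(body)
    except ValueError:
        return 400, {}
    if (not isinstance(event, dict) or any(k not in event for k in REQUIRED_FIELDS)
            or event["Action"] not in ALLOWED_ACTIONS):
        return 400, {}
    return 200, event


class NotificationHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        status, event = handle_notification(self.headers.get("Authorization"), body)
        if status == 200:  # hook: refresh the PEP's cached decisions for event["Target"] here
            self.log_message("policy %s %s by %s", event["TargetID"], event["Action"], event["Username"])
        self.send_response(status)
        self.end_headers()


if __name__ == "__main__":  # plain HTTP for local testing; the page's sample address uses HTTPS
    HTTPServer(("localhost", 8080), NotificationHandler).serve_forever()
```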