Tags: postman, wso2, wso2-identity-server, xacml

UserNotFound Error for Existing Role in WSO2 IS 7.0.0 XACML Policy


I am working with WSO2 Identity Server 7.0.0 and have published a policy as PDP. When I call the endpoint (...api/identity/entitlement/decision/pdp) using Postman, I receive a 'UserNotFound' error even though the user exists. Here are the details:

Policy:

Policy WSO2-IS

Postman Request:

  • Endpoint: https://:9444/api/identity/entitlement/decision/pdp
  • Authorization: Basic Auth (admin/admin)
  • Headers: Content-Type: application/xml
  • Body (Raw XML):
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/admin</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/AdminRole</AttributeValue>
        </Attribute>
    </Attributes>
</Request>

Error:

<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Result>
        <Decision>Indeterminate</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
            <StatusMessage>UserNotFound: User Internal/AdminRole does not exist in: PRIMARY</StatusMessage>
        </Status>
    </Result>
</Response>

Did I miss something in my configuration, or is this a bug in WSO2 Identity Server 7.0.0?


Solution

  • As per the error message, a user called Internal/AdminRole is not found (not that the user with the said role does not exist). Hence, it seems that with this request the server is trying to find a user with the user ID/username Internal/AdminRole.

    Furthermore, I have noticed that in your defined policy, the Internal/AdminRole attribute value is defined under the attribute ID http://wso2.org/claims/role, but in your request body the Internal/AdminRole attribute value is under a different attribute ID (urn:oasis:---:subject-id). This might be causing the issue.
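A corrected request body for the mismatch the answer describes, as an added example (not the request from the question or the answer's own code); it assumes the published policy matches the subject on http://wso2.org/claims/role and that "alice" is a placeholder for a user that exists in the PRIMARY user store:

```xml
<!-- Added example (not the question's or answer's own request). Assumes the
     published policy matches the subject on http://wso2.org/claims/role and
     that "alice" is a placeholder for a user that exists in the PRIMARY store. -->
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
         ReturnPolicyIdList="false" CombinedDecision="false">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/admin</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <!-- subject-id carries the username: this is the value the server looks up in the user store,
             so putting a role name here is what produced "UserNotFound: User Internal/AdminRole" -->
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">alice</AttributeValue>
        </Attribute>
        <!-- the role goes under the attribute ID the policy actually matches on -->
        <Attribute AttributeId="http://wso2.org/claims/role" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/AdminRole</AttributeValue>
        </Attribute>
    </Attributes>
</Request>
```

A Decision of Indeterminate with a processing-error StatusCode, as in the response above, signals a lookup failure rather than a policy denial, so check the StatusMessage before changing the policy itself.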