I am working with WSO2 Identity Server 7.0.0 and have published a policy as PDP. When I call the endpoint ( ...api/identity/entitlement/decision/pdp ) using Postman, I receive a 'UserNotFound' error even though the user exists. Here are the details:
Policy:
Postman Request:
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" ReturnPolicyIdList="false" CombinedDecision="false">
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">/admin</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">read</AttributeValue>
        </Attribute>
    </Attributes>
    <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
        <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
            <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">Internal/AdminRole</AttributeValue>
        </Attribute>
    </Attributes>
</Request>
Error:
<Response xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
    <Result>
        <Decision>Indeterminate</Decision>
        <Status>
            <StatusCode Value="urn:oasis:names:tc:xacml:1.0:status:processing-error"/>
            <StatusMessage>UserNotFound: User Internal/AdminRole does not exist in: PRIMARY</StatusMessage>
        </Status>
    </Result>
</Response>
Did I miss something in my configuration, or is this a bug in WSO2 Identity Server 7.0.0?
As per the error message, it says that a user called Internal/AdminRole is not found (not that a user with the said role does not exist). Hence, it seems like with this request, the server is trying to find a user with the user ID/username Internal/AdminRole.

Furthermore, I have noticed that in your defined policy, the Internal/AdminRole attribute value is defined under the attribute ID http://wso2.org/claims/role, but in your request body, the Internal/AdminRole attribute value is under a different attribute ID (urn:oasis:---:subject-id). This might be causing the issue.
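The mismatch the answer points out (a role value sent under the subject-id attribute, while the policy matches on the http://wso2.org/claims/role claim) is easy to catch before the request reaches the PDP. The script below is an added example, not code from the question, the answer or WSO2: it parses a XACML 3.0 request, lists which (category, AttributeId) pairs it carries, reports any the policy needs but the request lacks, and builds a request that keeps a real username (the constructed value alice is assumed) under subject-id and puts the role under the role claim. Which attribute ID the policy really expects must be copied from the policy itself; the role claim ID here is taken from the answer, and a PIP that resolves roles from the user store may make sending the role explicitly unnecessary in a given deployment.

```python
import xml.etree.ElementTree as ET

# Namespace, categories and attribute ids as they appear in the question's request.
XACML_NS = "urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
XS_STRING = "http://www.w3.org/2001/XMLSchema#string"
SUBJECT_CAT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
RESOURCE_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
ACTION_CAT = "urn:oasis:names:tc:xacml:3.0:attribute-category:action"
SUBJECT_ID = "urn:oasis:names:tc:xacml:1.0:subject:subject-id"
RESOURCE_ID = "urn:oasis:names:tc:xacml:1.0:resource:resource-id"
ACTION_ID = "urn:oasis:names:tc:xacml:1.0:action:action-id"
# Attribute id the answer says the policy uses for the role (assumption: copy yours from the policy).
ROLE_CLAIM = "http://wso2.org/claims/role"

def _tag(name):
    return f"{{{XACML_NS}}}{name}"

# The request body from the question, reproduced here as the sample input to check.
ORIGINAL_REQUEST = f"""<Request xmlns="{XACML_NS}" ReturnPolicyIdList="false" CombinedDecision="false">
  <Attributes Category="{RESOURCE_CAT}">
    <Attribute AttributeId="{RESOURCE_ID}" IncludeInResult="false">
      <AttributeValue DataType="{XS_STRING}">/admin</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{ACTION_CAT}">
    <Attribute AttributeId="{ACTION_ID}" IncludeInResult="false">
      <AttributeValue DataType="{XS_STRING}">read</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="{SUBJECT_CAT}">
    <Attribute AttributeId="{SUBJECT_ID}" IncludeInResult="false">
      <AttributeValue DataType="{XS_STRING}">Internal/AdminRole</AttributeValue>
    </Attribute>
  </Attributes>
</Request>"""

def attribute_ids(request_xml):
    """Map every (Category, AttributeId) pair in the request to its list of string values."""
    root = ET.fromstring(request_xml)
    found = {}
    for attrs in root.iter(_tag("Attributes")):
        category = attrs.get("Category")
        for attr in attrs.iter(_tag("Attribute")):
            values = [v.text for v in attr.iter(_tag("AttributeValue"))]
            found[(category, attr.get("AttributeId"))] = values
    return found

def missing_attributes(request_xml, required):
    """Return the (Category, AttributeId) pairs in `required` that the request does not carry."""
    present = attribute_ids(request_xml)
    return [pair for pair in required if pair not in present]

def _add_attribute(parent, attribute_id, values):
    attr = ET.SubElement(parent, _tag("Attribute"), AttributeId=attribute_id, IncludeInResult="false")
    for value in values:
        ET.SubElement(attr, _tag("AttributeValue"), DataType=XS_STRING).text = value

def build_request(username, roles, resource, action):
    """Build a request where subject-id carries the username and the role goes under ROLE_CLAIM."""
    ET.register_namespace("", XACML_NS)  # serialise with the default xmlns the PDP expects
    root = ET.Element(_tag("Request"), ReturnPolicyIdList="false", CombinedDecision="false")
    _add_attribute(ET.SubElement(root, _tag("Attributes"), Category=RESOURCE_CAT), RESOURCE_ID, [resource])
    _add_attribute(ET.SubElement(root, _tag("Attributes"), Category=ACTION_CAT), ACTION_ID, [action])
    subject = ET.SubElement(root, _tag("Attributes"), Category=SUBJECT_CAT)
    _add_attribute(subject, SUBJECT_ID, [username])
    _add_attribute(subject, ROLE_CLAIM, roles)
    return ET.tostring(root, encoding="unicode")

if __name__ == "__main__":
    needed = [(SUBJECT_CAT, SUBJECT_ID), (SUBJECT_CAT, ROLE_CLAIM)]
    print("original request lacks:", missing_attributes(ORIGINAL_REQUEST, needed))
    fixed = build_request("alice", ["Internal/AdminRole"], "/admin", "read")
    print("rebuilt request lacks:", missing_attributes(fixed, needed))
    print(fixed)
```

Running the script reports that the original request lacks the role claim in the access-subject category, which is exactly the gap the answer describes, and that the rebuilt request carries both the username and the role. The same check can be dropped into a PEP integration test so that a request whose attribute IDs drift from the policy fails the build rather than producing an Indeterminate decision in production.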