PingAuthorize

Requests

The XACML-JSON PDP API first converts the XACML-JSON request into a policy decision point (PDP) batch decision request, which the Policy Decision Service then consumes. Policies can match a decision request by Service, Domain, Action, or other attributes.

The following example XACML-JSON request body illustrates the conversion to a batch decision request. For an example with more than one decision request, see Example.

{
  "Request": {
    "MultiRequests": {
      "RequestReference": [{
        "ReferenceId": [
          "dom",
          "act",
          "srv",
          "idp",
          "att"
        ]
      }]
    },
    "AccessSubject": [{
      "Id": "dom",
      "Attribute": [{
        "AttributeId": "domain",
        "Value": "Sales.Asia Pacific"
      }]
    }],
    "Action": [{
      "Id": "act",
      "Attribute": [{
        "AttributeId": "action",
        "Value": "Retrieve"
      }]
    }],
    "Resource": [{
      "Id": "srv",
      "Attribute": [{
        "AttributeId": "service",
        "Value": "Mobile.Landing page"
      }]
    }],
    "Environment": [{
      "Id": "idp",
      "Attribute": [{
        "AttributeId": "symphonic-idp",
        "Value": "Social networks.Spacebook"
      }]
    }],
    "Category": [{
      "Id": "att",
      "Attribute": [{
        "AttributeId": "attribute:Prospect name",
        "Value": "B. Vo"
      }]
    }]
  }
}

The previous example shows a single decision request with the following attributes:

  • A domain of Sales.Asia Pacific

  • An action of Retrieve

  • A service of Mobile.Landing page

  • An identity provider of Social networks.Spacebook

  • A single attribute named Prospect name, with a value of B. Vo

The following table shows how these values map from the Trust Framework entities to the XACML-JSON request.

| Parent (JSON Path) | Field (JSON Path) | PingAuthorize Trust Framework type | Example value |
| --- | --- | --- | --- |
| $.Request | $.AccessSubject[*].Attribute[?(@.AttributeId == "domain")].Value | Domain | Sales.Asia Pacific |
| $.Request | $.Action[*].Attribute[?(@.AttributeId == "action")].Value | Action | Retrieve |
| $.Request | $.Resource[*].Attribute[?(@.AttributeId == "service")].Value | Service | Mobile.Landing page |
| $.Request | $.Environment[*].Attribute[?(@.AttributeId == "symphonic-idp")].Value | Identity Provider | Social Networks.Spacebook |
| $.Request | $.Category[*].Attribute[?(@.AttributeId == "attribute:Prospect name")].Value | Other Attribute (Prospect name in this case) | B. Vo |

To illustrate how you can match rules against the Prospect name Trust Framework attribute, the following image shows how Prospect name is defined in the Policy Editor. In this example, the Prospect name attribute has a Request resolver and a Value Settings Type of String.

Screen capture of the Attributes tab of the Trust Framework window in the Policy Editor. The Prospect name attribute is displayed configured as specified.

The Trust Framework attribute name must be a case-sensitive match with the decision request AttributeId after the attribute: prefix is removed.
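
As an added example (not PingAuthorize code and not part of the original page), the following Python lint applies the mapping from the table on the client side: it resolves each RequestReference to its category objects, extracts the Trust Framework values, and warns when a Category attribute name would fail the case-sensitive match. The names expand, known_attributes and _obj, and the second decision with the Id "bad" in the sample, are assumptions made for illustration.

```python
FIXED = {("AccessSubject", "domain"): "Domain", ("Action", "action"): "Action",
         ("Resource", "service"): "Service",
         ("Environment", "symphonic-idp"): "Identity Provider"}
PREFIX = "attribute:"

def expand(xacml, known_attributes):
    """Map each RequestReference to Trust Framework values (per the table) plus warnings."""
    req = xacml["Request"]
    arrays = ("AccessSubject", "Action", "Resource", "Environment", "Category")
    # Index every category object by its Id so ReferenceId entries can be resolved.
    by_id = {o["Id"]: (a, o) for a in arrays for o in req.get(a, [])}
    decisions = []
    for ref in req["MultiRequests"]["RequestReference"]:
        d = {"attributes": {}, "warnings": []}
        for rid in ref["ReferenceId"]:
            if rid not in by_id:
                d["warnings"].append(f"ReferenceId {rid!r} resolves to nothing")
                continue
            array, obj = by_id[rid]
            for attr in obj.get("Attribute", []):
                aid, value = attr["AttributeId"], attr["Value"]
                if (array, aid) in FIXED:
                    d[FIXED[(array, aid)]] = value
                elif array == "Category" and aid.startswith(PREFIX):
                    name = aid[len(PREFIX):]  # strip the prefix, keep the case
                    d["attributes"][name] = value
                    if name not in known_attributes:  # exact, case-sensitive
                        d["warnings"].append(f"no Trust Framework attribute {name!r}")
                else:
                    d["warnings"].append(f"unmapped AttributeId {aid!r} in {array}")
        decisions.append(d)
    return decisions

def _obj(id_, attribute_id, value):  # hypothetical helper: builds one category object
    return {"Id": id_, "Attribute": [{"AttributeId": attribute_id, "Value": value}]}

# Constructed sample: the page's request plus a second decision with a wrong-case name.
SAMPLE = {"Request": {
    "MultiRequests": {"RequestReference": [
        {"ReferenceId": ["dom", "act", "srv", "idp", "att"]},
        {"ReferenceId": ["dom", "act", "srv", "idp", "bad"]}]},
    "AccessSubject": [_obj("dom", "domain", "Sales.Asia Pacific")],
    "Action": [_obj("act", "action", "Retrieve")],
    "Resource": [_obj("srv", "service", "Mobile.Landing page")],
    "Environment": [_obj("idp", "symphonic-idp", "Social networks.Spacebook")],
    "Category": [_obj("att", "attribute:Prospect name", "B. Vo"),
                 _obj("bad", "attribute:prospect name", "B. Vo")]}}

if __name__ == "__main__":
    print(*expand(SAMPLE, {"Prospect name"}), sep="\n")
```

The first decision maps cleanly; the second carries a warning because prospect name differs from Prospect name only in case.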