Configuring scopes for Authorization Policy rules

Owned by John Jellema
2021-12-17

Scopes in Authorization Policy rules define which scopes must be present in the inbound Authentication Request for the rule to be evaluated. Authorization Policy scopes are only supported with OAuth2 type applications. Therefore for other types of applications Authorization Policy rules with scopes will not be evaluated.

Creating a new Authorization Policy rule

To create a new Policy Item with scope name to an existing Authorization Policy DemoPolicy in site demo:

Create policyItem request
PUT /sso-api/policyItem/demo/DemoPolicy/item1 HTTP/1.1
Host: sso.example.com:8443
Authorization: Bearer [access_token]
Content-Type: application/x-www-form-urlencoded
Accept: application/json

nameValue=scope name&attributeName=name&attributeValue=${user.cn}&group=group/demo/DemoUsers

A successful create Policy Item request would receive the following response:

Successful create policyItem response
HTTP/1.1 200 OK
Content-Type: application/json

{
    "type": "policyItem",
    "id": "/policyItem/demo/DemoPolicy/item1",
    "attributes": {
        "name": "item1",
        "attributeName": "name",
        "attributeValue": "${user.cn}",
        "nameValue": [
            "scope name"
        ]
    }
}

If the policy demo/DemoPolicy, group demo/DemoUsers or the site demo don't exist, a response HTTP/1.1 400 Bad Request is returned instead.

Note that the X in nameValue=scope X represents a single scope value, so it mustn't contain any illegal characters for scope, such as a space. If you want to define more than one scope for an authorization policy item, you must add them with separate nameValue attributes


To create a new Policy Item with scopes name and profile to an existing Authorization Policy DemoPolicy in site demo:

Create policyItem request
PUT /sso-api/policyItem/demo/DemoPolicy/item1 HTTP/1.1
Host: sso.example.com:8443
Authorization: Bearer [access_token]
Content-Type: application/x-www-form-urlencoded
Accept: application/json

nameValue=scope name&nameValue=scope profile&attributeName=name&attributeValue=${user.cn}&group=group/demo/DemoUsers

Updating an existing Authorization Policy rule

To update an already existing Policy Item the request is otherwise similar to create request, but extra parameters can be omitted. To replace all the scopes with the given scope:

Update policyItem request
PUT /sso-api/policyItem/demo/DemoPolicy/item1 HTTP/1.1
Host: sso.example.com:8443
Authorization: Bearer [access_token]
Content-Type: application/x-www-form-urlencoded
Accept: application/json

nameValue=scope name

A successful update Policy Item request would receive a response similar to the one received from the create request:

Successful update policyItem response
HTTP/1.1 200 OK
Content-Type: application/json

{
    "type": "policyItem",
    "id": "/policyItem/demo/DemoPolicy/item1",
    "attributes": {
        "name": "item1",
        "attributeName": "name",
        "attributeValue": "${user.cn}",
        "nameValue": [
            "scope name"
        ]
    }
}

If the policyItem demo/DemoPolicy/item1, the policy demo/DemoPolicy or the site demo don't exist, a response HTTP/1.1 400 Bad Request is returned instead.

Useful requests for checking existing Authorization Policies and Authorization Policy rules

Get an Authorization Policy

To check if an Authorization Policy exists, send a request to get an Authorization Policy.

Get authorization policy request
GET /sso-api/policy/demo/DemoPolicy HTTP/1.1
Host: sso.example.com:8443
Authorization: Bearer [access_token]
Accept: application/json

Successful response for request to get an Authorization Policy:

Get authorization policy response
HTTP/1.1 200 OK
Content-Type: application/json

{
    "type": "policy",
    "id": "/policy/demo/DemoPolicy",
    "attributes": {
        "name": "DemoPolicy"
    }
}

Get all Policy Items of an Authorization Policy

To check which Policy Items have been created to an Authorization Policy.

Get all policyItems of an authorization policy request
GET /sso-api/policy/demo/DemoPolicy/$link/policyItem HTTP/1.1
Host: sso.example.com:8443
Authorization: Bearer [access_token]
Accept: application/json

Successful response for request to get all policyItems of an Authorization Policy:

Get all policyItems of an authorization policy response
HTTP/1.1 200 OK
Content-Type: application/json

{
    "type": "policy",
    "id": "/policy/demo/DemoPolicy",
    "objects": [
        {
            "type": "policyItem",
            "id": "/policyItem/demo/DemoPolicy/item1",
            "link": "policyItem"
        }
    ]
}

Get Policy Item details

To view the Policy Item details by using the "id" value from above in the URL.

Get policyItem details
GET /sso-api/policyItem/demo/DemoPolicy/item1 HTTP/1.1
Host: sso.example.com:8443
Authorization: Bearer [access_token]
Accept: application/json

Successful response for request to get Policy Item details is the same as for the last update:

Get all policyItems of an authorization policy response
HTTP/1.1 200 OK
Content-Type: application/json

{
    "type": "policyItem",
    "id": "/policyItem/demo/DemoPolicy/item1",
    "attributes": {
        "name": "item1",
        "attributeName": "name",
        "attributeValue": "${user.cn}",
        "nameValue": [
            "scope name"
        ]
    }
}

Get the group of an Authorization Policy Item

To check the group of an Authorization Policy Item.

Get the group of an policy item request
GET /sso-api/policyItem/demo/DemoPolicy/item1/$link/group HTTP/1.1
Host: sso.example.com:8443
Authorization: Bearer [access_token]
Accept: application/json

Successful response for request to get the group of an Authorization Policy Item:

Get the group of an policy item response
HTTP/1.1 200 OK
Content-Type: application/json

{
    "type": "policyItem",
    "id": "/policyItem/demo/DemoPolicy/item1",
    "objects": [
        {
            "type": "group",
            "id": "/group/demo/DemoUsers",
            "link": "group"
        }
    ]
}

Ubisecure Privacy Policy & Cookie Statement