Wednesday, April 20, 2016

Policy Request and Response

A customer of mine has an issue with Policy Evaluation, so I was asked to help him debug.


In this setup the OpenAM Web Policy Agent is the PEP (Policy Enforcement Point), while the OpenAM server is the PDP (Policy Decision Point). So a web agent sends a Policy Request to the OpenAM server, and the OpenAM server sends back a Policy Response, both in XML format.

This exchange is captured in the Policy debug log.


If the policy evaluation succeeds, "allow" is returned as part of the ActionDecision.



This matches what is configured in the OpenAM Administration Console.





However, do take note that when policy evaluation fails, no explicit "deny" is returned as part of the ActionDecision.



The customer thought something was wrong with the OpenAM policy evaluation engine because he expected DENY to be returned by the OpenAM server.
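To make the "no explicit deny" behaviour concrete, here is an added example (not code from this post or from OpenAM itself) that parses a Policy Response in the shape seen in the Policy debug log and derives a per-action decision, treating any action without an explicit "allow" value as denied. The two XML samples, the resource URL and the element names (PolicyResponse, ResourceResult, PolicyDecision, ActionDecision, AttributeValuePair, Attribute, Value) are constructed for this example and are assumptions about the exact wire format.

```python
import xml.etree.ElementTree as ET

# Constructed sample: evaluation succeeded, so GET carries an explicit "allow".
ALLOW_RESPONSE = """<PolicyResponse requestId="1">
  <ResourceResult name="http://app.example.com:80/secure/index.html">
    <PolicyDecision>
      <ActionDecision timeToLive="1461100000000">
        <AttributeValuePair>
          <Attribute name="GET"/>
          <Value>allow</Value>
        </AttributeValuePair>
      </ActionDecision>
    </PolicyDecision>
  </ResourceResult>
</PolicyResponse>"""

# Constructed sample: evaluation failed. No "allow" appears, but note that
# no explicit "deny" value appears either; the ActionDecision is simply empty.
NO_MATCH_RESPONSE = """<PolicyResponse requestId="2">
  <ResourceResult name="http://app.example.com:80/secure/index.html">
    <PolicyDecision>
      <ActionDecision timeToLive="1461100000000"/>
    </PolicyDecision>
  </ResourceResult>
</PolicyResponse>"""


def action_decisions(xml_text):
    """Return {resource_name: {action_name: value}} for every ActionDecision."""
    root = ET.fromstring(xml_text)
    result = {}
    for rr in root.iter("ResourceResult"):
        actions = result.setdefault(rr.get("name"), {})
        # Only look inside ActionDecision so ResponseAttributes (if present)
        # are not mistaken for action values.
        for ad in rr.iter("ActionDecision"):
            for avp in ad.iter("AttributeValuePair"):
                attr = avp.find("Attribute")
                val = avp.find("Value")
                if attr is not None and val is not None:
                    actions[attr.get("name")] = (val.text or "").strip()
    return result


def is_allowed(xml_text, resource, action):
    """Fail closed, as the agent does: only an explicit 'allow' grants access.
    A missing action value (no 'deny' present) is still treated as denied."""
    return action_decisions(xml_text).get(resource, {}).get(action) == "allow"
```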