Authorize Like a Pro with Axiomatics + UMA – Guest Blog Post from Gluu

Today’s blog post is a guest post from one of our partners, Gluu. The feature writer is Mike Schwartz. He has been an entrepreneur and identity specialist for more than two decades, and he is the technical and business visionary behind Gluu. Mike is an application security expert and has been a featured speaker at RSA Conference, Gartner Catalyst, Cloud Identity Summit (now “Identiverse”) and many other security conferences around the world.


Gluu is not really a great place to store policies. While you can express policies in Gluu Server RPT interception scripts, if you have more than a few policies, this approach does not scale. For a long time, we’ve recommended using a product that makes it easier to manage your policies. Axiomatics is one of the leaders in this field. This blog is an overview of a demo we did for the European Identity Conference. We will describe how we protected an API with the Gluu Gateway and delegated policy evaluation to the Axiomatics Policy Server: the gateway enforces the presence of a UMA scope, and the Gluu Server only issues an RPT with that scope after the Axiomatics PDP returns Permit.


The demo used four components:

  • Axiomatics Policy Server: returns authorization decisions based on attribute and contextual policies (the XACML Policy Decision Point, or PDP)
  • Gluu Server Community Edition 3.1.6: acts as the UMA Authorization Server
  • Gluu Gateway 2.0: acts as the policy enforcement point, requiring the presence of certain UMA scopes before it proxies a request to an API
  • oxd: UMA Client and Resource Server middleware APIs, installed as a dependency of Gluu Gateway


  1. Configure service and route: The first step is to configure the service and route in Kong, which controls the basic proxying behavior to the upstream API. This can be done using the Gluu Gateway Admin UI. For more details, see the Gluu Gateway docs on adding routes.
  2. Configure plugins: The second step is to configure the Kong plugins. For more details, see the Gluu Gateway docs on adding a plugin.
    Basically, you need to configure the API gateway to require the presence of a UMA RPT token with a certain scope before it proxies to a certain API. For this, Kong uses the gluu-uma-auth and gluu-uma-pep plugins. See the plugin docs for more details.
  3. Protect resources: In the Gluu Gateway admin Web UI, you can specify which URI patterns are protected. In our example, we protected the path pattern /users/?? for the GET, POST, PUT and DELETE methods with the with-claims UMA scope. GG 2.0 supports wildcard characters: the ?? tells GG to protect all the resources under the /users path. See the Gluu Gateway docs on resource wildcards for more details.
  4. Configure the UMA scope in Gluu Server: The Gluu Server needs to know about this scope. In our example, you can add the scope with-claims using the Gluu Server Admin Console (i.e. oxTrust) and then associate it with the uma_rpt_policy policy.
  5. Call the XACML PDP from the script:
    Update the script for uma_rpt_policy to call the Axiomatics policy endpoint. Below is the sample code (a Jython custom script) that calls the Axiomatics Policy API in the authorize function of the uma_rpt_policy policy. Note that we send a XACML JSON-profile Request containing the AccessSubject (the country and city claims), Resource, Action and Environment categories to the PDP for a policy decision, and that authorize returns True only on an explicit Permit; a Deny, NotApplicable or Indeterminate decision, or any transport error, leaves the RPT without the scope.

    from java.net import URL
    from java.io import InputStreamReader, BufferedReader
    from java.util import Base64
    from org.json import JSONObject

    def authorize(self, context):
        country = context.getClaim("country")
        city = context.getClaim("city")
        # XACML 3.0 JSON-profile request. JSONObject.quote() escapes the claim
        # values (and emits "" for a missing claim), so a crafted claim value
        # cannot change the structure of the request.
        parameters = """{
         "Request": {"AccessSubject": {"Attribute": [{"AttributeId": "country","Value": %s}, {"AttributeId": "city","Value": %s}]},
         "Resource": {"Attribute": [{"AttributeId": "document_id","Value": "companypolicy"}]},
         "Action": {"Attribute": [{"AttributeId": "idaction","Value": "view"}]},
         "Environment": {"Attribute": [{"AttributeId": "isAllowed","Value": true }]}}
        }""" % (JSONObject.quote(country), JSONObject.quote(city))
        # Demo credentials for the PDP's HTTP Basic auth. In production read them
        # from the script's configuration properties instead of hard-coding them.
        creds = bytearray("client_id:secret", 'utf-8')
        encodedCreds = Base64.getEncoder().encodeToString(creds)
        basicAuth = "Basic " + encodedCreds
        # Plain HTTP is tolerable only because the PDP is on localhost here.
        url = URL("http://localhost:4080/authorize")
        conn = url.openConnection()
        conn.setRequestMethod("POST")
        conn.setDoOutput(True)  # required before getOutputStream() can be written to
        conn.setRequestProperty("Content-type", "application/xacml+json")
        conn.setRequestProperty("Authorization", basicAuth)
        conn.getOutputStream().write(bytearray(parameters, 'utf-8'))
        if conn.getResponseCode() != 200:
            # Fail closed: any transport or PDP error denies the scope
            print "Failed!!"
            print conn.getResponseCode()
            print conn.getResponseMessage()
            return False
        print "Success!!"
        print conn.getResponseCode()
        print conn.getResponseMessage()
        # Read the whole response body
        breader = BufferedReader(InputStreamReader(conn.getInputStream(), "UTF-8"))
        jsonResult = ""
        output = breader.readLine()
        while output != None:
            jsonResult += output
            output = breader.readLine()
        breader.close()
        print jsonResult
        # Response shape: {"Response": [{"Decision": "Permit" | "Deny" | "NotApplicable" | "Indeterminate"}]}
        jobj1 = JSONObject(jsonResult)
        jarr1 = jobj1.getJSONArray("Response")
        jobj2 = jarr1.getJSONObject(0)
        decision = jobj2.getString("Decision")
        print decision
        if decision == "Permit":
            print "Axiomatics Authorization successful..."
            return True
        # Deny, NotApplicable and Indeterminate all end here
        print "Axiomatics Authorization failed..."
        return False


    Now the web page or API is protected, and requests will only be allowed for users from a certain city and country, as defined by the policies in Axiomatics! How to define policies in Axiomatics is out of scope for this discussion, but see their website and documentation for more info.
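    To make the exchange in step 5 concrete without a running Gluu Server or Axiomatics PDP, here is an added, self-contained Python 3 model of it (example code written for this page, not code from the original post, from Gluu or from Axiomatics). It builds the same XACML JSON-profile request from the UMA claims, evaluates it against a constructed stand-in policy that plays the role of the PDP, and reads the Response the way authorize() should: only an explicit, well-formed Permit is accepted. The policy contents, the attribute names and the behaviour of the stand-in PDP are assumptions for illustration; a real Axiomatics PDP evaluates ALFA/XACML policies and is reached over HTTP as in the script above.

```python
import json

# Constructed stand-in policy (assumption for this example): subjects from these
# (country, city) pairs may "view" the "companypolicy" document. It replaces the
# XACML policies a real Axiomatics PDP would evaluate.
TOY_POLICY = {
    ("companypolicy", "view"): {("US", "Austin"), ("SE", "Stockholm")},
}


def build_request(claims, document_id, action):
    """Build a XACML 3.0 JSON-profile request from UMA claims.

    json.dumps escapes the claim values, so a claim such as 'Austin", "x": "y'
    cannot alter the request structure the way naive %s interpolation would.
    """
    req = {
        "Request": {
            "AccessSubject": {"Attribute": [
                {"AttributeId": "country", "Value": claims.get("country")},
                {"AttributeId": "city", "Value": claims.get("city")},
            ]},
            "Resource": {"Attribute": [{"AttributeId": "document_id", "Value": document_id}]},
            "Action": {"Attribute": [{"AttributeId": "idaction", "Value": action}]},
            "Environment": {"Attribute": []},
        }
    }
    return json.dumps(req)


def _attrs(category):
    """Flatten a category's Attribute list into {AttributeId: Value}."""
    return {a["AttributeId"]: a["Value"] for a in category.get("Attribute", [])}


def toy_pdp(request_json):
    """Stand-in PDP: evaluate the request against TOY_POLICY and return a
    JSON-profile Response body ({"Response": [{"Decision": ...}]})."""
    try:
        req = json.loads(request_json)["Request"]
        subject = _attrs(req["AccessSubject"])
        resource = _attrs(req["Resource"])
        action = _attrs(req["Action"])
        key = (resource.get("document_id"), action.get("idaction"))
    except (KeyError, ValueError, TypeError, AttributeError):
        return json.dumps({"Response": [{"Decision": "Indeterminate"}]})
    if key not in TOY_POLICY:
        return json.dumps({"Response": [{"Decision": "NotApplicable"}]})
    if subject.get("country") is None or subject.get("city") is None:
        # A missing claim: a real PDP would report a missing-attribute status.
        return json.dumps({"Response": [{"Decision": "Indeterminate"}]})
    allowed = (subject["country"], subject["city"]) in TOY_POLICY[key]
    return json.dumps({"Response": [{"Decision": "Permit" if allowed else "Deny"}]})


def is_permitted(response_json):
    """Fail closed: only an explicit, well-formed Permit grants the scope.
    Deny, NotApplicable, Indeterminate, multiple results or garbage -> False."""
    try:
        results = json.loads(response_json)["Response"]
    except (KeyError, ValueError, TypeError):
        return False
    if not isinstance(results, list) or len(results) != 1:
        return False
    result = results[0]
    return isinstance(result, dict) and result.get("Decision") == "Permit"


def authorize(claims, document_id="companypolicy", action="view", pdp=toy_pdp):
    """Mirror of the script's authorize(): claims in, boolean out."""
    return is_permitted(pdp(build_request(claims, document_id, action)))


if __name__ == "__main__":
    print(authorize({"country": "US", "city": "Austin"}))                  # True
    print(authorize({"country": "US", "city": "Dallas"}))                  # False (Deny)
    print(authorize({"country": "US"}))                                    # False (Indeterminate)
    print(authorize({"country": "US", "city": "Austin"}, action="edit"))   # False (NotApplicable)
```

    The is_permitted() check is the part worth carrying into the Jython script: an RPT policy that treats anything other than a single Permit as a denial cannot be talked into granting a scope by an unexpected or malformed PDP response.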

    This blog post originally appeared on the Gluu website.

Guest Author: Mike Schwartz from Gluu
