1 - Goal
This use case test verifies that:
- the ADR Consumer can request access to resources and grant access according to the response of the ADR Provider.
- the ADR Provider can contact the PPQ Policy Repository of its community in order to access and interpret its policies.
2 - Prerequisite
The Policy Repository of the community must contain policies to be queried.
The ADR profile requires TLS for the communication. However, to record the transaction with the Gazelle proxy, you shall disable TLS. If you cannot disable TLS, you shall save the transaction to your log.
The ADR request must also be grouped with a valid XUA assertion.
3 - Description
In this test scenario the test participants shall perform the following steps:
- The ADR Consumer sends an ADR Authorization Access Request (XACMLAuthzDecisionQueryRequest) grouped with an approved XUA assertion to the ADR Provider.
- The ADR Provider accesses the PPQ Policy Repository, retrieves the authorization decision, interprets the policy and sends a response to the ADR Consumer according to the stored policies.
- According to the response of the ADR Provider, the ADR Consumer shall or shall not obtain access to the requested resources.
In its request, the ADR Consumer shall specify the following information:
- Assertion (XUA)
- subject-id
- subject-id-qualifier
- homeCommunityId
- organization-id
- resource-id
- epr-spid (@root and @extension)
- referenced-policy-set
- action-id
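A local pre-check of a captured ADR request against the attribute list above, added here as an example; it is not part of this test description or of the Gazelle tooling. It assumes the request was captured as a SOAP envelope with the XUA assertion in the WS-Security header; the AttributeId URNs in the constructed sample are assumed from the CH:ADR specification, and the check matches them only by the short-name suffix so that a different URN spelling only requires updating the sample.

```python
import xml.etree.ElementTree as ET

# Attribute names from the list above, matched against the tail of each XACML
# AttributeId so the check does not hard-code one URN spelling.
REQUIRED = ("subject-id", "subject-id-qualifier", "homeCommunityId", "organization-id",
            "resource-id", "epr-spid", "referenced-policy-set", "action-id")

# Constructed sample of a captured ADR request (XUA assertion in the WS-Security header,
# XACML Request in the body); AttributeIds as assumed from CH:ADR, values are placeholders.
SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"><s:Header>
<wsse:Security xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_xua-sample"/></wsse:Security></s:Header>
<s:Body><XACMLAuthzDecisionQuery xmlns="urn:oasis:xacml:2.0:saml:protocol:schema:os"><Request xmlns="urn:oasis:names:tc:xacml:2.0:context:schema:os"><Subject>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"><AttributeValue>Dr. Sample</AttributeValue></Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id-qualifier"><AttributeValue>urn:gs1:gln</AttributeValue></Attribute>
<Attribute AttributeId="urn:ihe:iti:xca:2010:homeCommunityId"><AttributeValue>urn:oid:2.999.1</AttributeValue></Attribute>
<Attribute AttributeId="urn:oasis:names:tc:xspa:1.0:subject:organization-id"><AttributeValue>urn:oid:2.999.2</AttributeValue></Attribute>
</Subject><Resource><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id"><AttributeValue>urn:uuid:sample-document</AttributeValue></Attribute>
<Attribute AttributeId="urn:e-health-suisse:2015:epr-spid"><AttributeValue><InstanceIdentifier xmlns="urn:hl7-org:v3" root="2.999.3" extension="SAMPLE0001"/></AttributeValue></Attribute>
<Attribute AttributeId="urn:e-health-suisse:2015:policy-attributes:referenced-policy-set"><AttributeValue>urn:example:policy-set</AttributeValue></Attribute>
</Resource><Action><Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id"><AttributeValue>urn:ihe:iti:2007:RegistryStoredQuery</AttributeValue></Attribute>
</Action></Request></XACMLAuthzDecisionQuery></s:Body></s:Envelope>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # element name without its namespace

def attribute_values(root):
    """Map each XACML AttributeId to its values; an II value becomes (root, extension)."""
    found = {}
    for el in (e for e in root.iter() if _local(e.tag) == "Attribute"):
        vals = found.setdefault(el.get("AttributeId", ""), [])
        for av in (c for c in el if _local(c.tag) == "AttributeValue"):
            ii = [c for c in av if _local(c.tag) == "InstanceIdentifier"]
            vals.append((ii[0].get("root"), ii[0].get("extension")) if ii else (av.text or "").strip())
    return found

def check_adr_request(xml_text):
    """Return the list of problems found; an empty list means the request is complete."""
    root = ET.fromstring(xml_text)
    problems = [] if any(_local(e.tag) == "Assertion" for e in root.iter()) else ["no XUA assertion"]
    found = attribute_values(root)
    for short in REQUIRED:
        vals = [v for aid, vs in found.items() if aid.endswith(":" + short) for v in vs]
        if short == "epr-spid":  # must be an II carrying both @root and @extension
            ok = vals and all(isinstance(v, tuple) and all(v) for v in vals)
        else:
            ok = vals and all(isinstance(v, str) and v for v in vals)
        if not ok:
            problems.append(f"missing or malformed attribute: {short}")
    return problems
```

Run `check_adr_request()` over the request body saved from the Gazelle proxy or your own log before submitting it; an empty list means every attribute from the list above is present, which does not replace the EVSClient validation.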
4 - Evidence
Test participants shall provide the logs of the following messages exchanged during the test:
- the ADR Authorization Access Request from the ADR Consumer to the ADR Provider
- the decision retrieved from the PPQ Policy Repository by the ADR Provider
- the response of the ADR Provider to the ADR Consumer
5 - Evaluation
Ideally, the Projectathon monitor can observe all queries and evaluate the responses.
Additionally, the Gazelle proxy offers the opportunity to examine the messages exchanged between Consumer and Provider.
We also expect all the messages exchanged to be validated in EVSClient.