WSO2 Identity Server XACML Policies with XPathVersion being XPath 2.0


I've written a policy (contained below) that uses XPath 2.0 features, for use with WSO2 Identity Server. I've specified the correct value in the XPathVersion element, but I'm still getting errors that point to the XPath expression not being evaluated as XPath 2.0.

I'm pretty sure WSO2 Identity Server ignores the value of the XPathVersion element: when I change it to something invalid (such as "this-is-not-a-valid-xpath-version") it doesn't complain and still evaluates the XPath expressions, albeit as XPath 1.0. That silent fallback is a problem in itself, because a policy written against one XPath dialect can parse differently (or fail to parse) under another without any error being raised when the policy is uploaded.

My policy:

<Policy PolicyId="application-dashu" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <!-- Declares that every AttributeSelector Path in this policy is XPath 2.0. The trailing
       concat(...) step in the selectors below is only a legal location step in XPath 2.0. -->
  <PolicyDefaults>
    <XPathVersion>http://www.w3.org/TR/2007/REC-xpath20-20070123</XPathVersion>
  </PolicyDefaults>
  <!-- Applies only to requests whose resource target-namespace is the dashu application schema. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:siphon-io:schema:application:dashu</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Permit action "index" when every resource Tag, encoded as "{Name}value", also appears
       among the subject's SAML attributes encoded the same way. Encoding Name and value into
       one string is what ties each value to the attribute it came from. -->
  <Rule Effect="Permit" RuleId="permit-index">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index</AttributeValue>
        </Apply>
        <!-- string-subset(first, second) is true when every member of the first bag is in the
             second. NOTE(review): an empty first bag makes it vacuously true, and with
             MustBePresent="false" an Instance with no Tag children would therefore be permitted
             to anyone matching the Target. Confirm that is intended, or use MustBePresent="true"
             on the resource selector so the rule goes Indeterminate instead. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
          <!-- Resource side: namespace-uri()/local-name() predicates are used because no prefix
               mapping is available to the selector; concat yields "{Name}value" per Tag. -->
          <AttributeSelector
            MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            Path="/*[namespace-uri()='urn:siphon-io:schema:application:dashu' and local-name()='Instance']/*[namespace-uri()='urn:siphon-io:schema:application:dashu' and local-name()='Tag']/concat('{', attribute::Name, '}', text())"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            />
          <!-- Subject side: one "{Name}value" string per saml:AttributeValue, taking Name from
               the enclosing saml:Attribute. -->
          <AttributeSelector
            MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            Path="/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='Assertion']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='AttributeStatement']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='Attribute']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='AttributeValue']/concat('{', parent::node()/attribute::Name, '}', text())"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            />
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>

My request:

<p0:Request CombinedDecision="false" ReturnPolicyIdList="false" xmlns:p0="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <!-- Subject category: the SAML assertion is passed whole as Content so the policy's
       AttributeSelector can XPath into its AttributeStatement. -->
  <p0:Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <p0:Content>
      <!-- NOTE(review): as embedded here the assertion carries no ds:Signature element and an
           empty AudienceRestriction. The PDP only runs XPath over this Content, so integrity,
           audience and validity-window checks have to be done by the PEP before it builds the
           request; nothing in the policy can re-verify them. -->
      <saml:Assertion ID="_u5Ik0MW0G5jNlnFsYG6DGvl7j0WEmBJR" IssueInstant="2013-12-12T23:11:02.354Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
        <saml:Issuer>urn:movingdata.auth0.com</saml:Issuer>
        <saml:Subject>
          <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">auth0|b939821bd143c2d075e2feaf0220b6ed09212cc9</saml:NameID>
          <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="request-1386889754280-nusav-zotop-rizul" NotOnOrAfter="2013-12-13T00:11:02.354Z" Recipient="http://dashboard.dbsu.com/auth/saml2/sso/post"/>
          </saml:SubjectConfirmation>
        </saml:Subject>
        <saml:Conditions NotBefore="2013-12-12T23:11:02.354Z" NotOnOrAfter="2013-12-13T00:11:02.354Z">
          <saml:AudienceRestriction/>
        </saml:Conditions>
        <!-- Three values of the same attribute Name; the policy's subject selector reads these. -->
        <saml:AttributeStatement>
          <saml:Attribute Name="urn:siphon-io:customer:dbsu:project">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">99-101</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="urn:siphon-io:customer:dbsu:project">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">99-102</saml:AttributeValue>
          </saml:Attribute>
          <saml:Attribute Name="urn:siphon-io:customer:dbsu:project">
            <saml:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:anyType">99-103</saml:AttributeValue>
          </saml:Attribute>
        </saml:AttributeStatement>
        <saml:AuthnStatement AuthnInstant="2013-12-12T23:11:02.354Z">
          <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef>
          </saml:AuthnContext>
        </saml:AuthnStatement>
      </saml:Assertion>
    </p0:Content>
  </p0:Attributes>
  <!-- Resource category: the Instance document the resource selector reads, plus the
       target-namespace attribute the policy Target matches on. The single Tag value (99-101)
       is one of the subject's project values, so string-subset holds for this request. -->
  <p0:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <p0:Content>
      <p1:Instance xmlns:p1="urn:siphon-io:schema:application:dashu" Host="dashboard.dbsu.com" ID="81ffe0de0ab298abf33f582e3909b9c6de1f7e97">
        <p1:Tag Name="urn:siphon-io:customer:dbsu:project">99-101</p1:Tag>
      </p1:Instance>
    </p0:Content>
    <p0:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" IncludeInResult="false">
      <p0:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:siphon-io:schema:application:dashu</p0:AttributeValue>
    </p0:Attribute>
  </p0:Attributes>
  <!-- Action category: "index", compared by the rule's string-equal check. -->
  <p0:Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <p0:Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <p0:AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index</p0:AttributeValue>
    </p0:Attribute>
  </p0:Attributes>
</p0:Request>



WSO2 Identity Server ships with Xalan 2.7.1 (found under /lib/endorsed), and Xalan 2.7.1 does not support XPath 2.0, so Identity Server cannot evaluate XPath 2.0 selectors; this is a known limitation. We could presumably drop Xalan 2.7.1 from the distribution and use something like Saxon instead (I have not tried it), and I expect this to be addressed in a future release. I tried your policy and request with the latest version, 4.5.0, and the failure was in the `concat` step, which is consistent with the XPath 2.0 issue you describe (a function call is not a valid location step in XPath 1.0). Once I removed `concat`, it worked as expected. One caveat: removing `concat` also removes the pairing of each value with its attribute Name, so a bare `text()` selector would match the resource tag value against any SAML attribute value regardless of which attribute it belongs to. In XPath 1.0 you can restore that binding per attribute name with a predicate such as `[@Name='urn:siphon-io:customer:dbsu:project']` on the `Tag` and `Attribute` steps. Following is the policy that I modified; it returns the expected "Permit" for the request you gave.

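<Policy PolicyId="application-dashu" RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides" Version="1.0" xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17">
  <!-- The bundled Xalan evaluates selectors as XPath 1.0 whatever this says, and every Path
       below is written in XPath 1.0, so declare that dialect. A PDP that does honour
       XPathVersion will then evaluate the policy the same way Identity Server does. -->
  <PolicyDefaults>
    <XPathVersion>http://www.w3.org/TR/1999/REC-xpath-19991116</XPathVersion>
  </PolicyDefaults>
  <!-- Applies only to requests whose resource target-namespace is the dashu application schema. -->
  <Target>
    <AnyOf>
      <AllOf>
        <Match MatchId="urn:oasis:names:tc:xacml:1.0:function:anyURI-equal">
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#anyURI">urn:siphon-io:schema:application:dashu</AttributeValue>
          <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:resource:target-namespace" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#anyURI" MustBePresent="true"/>
        </Match>
      </AllOf>
    </AnyOf>
  </Target>
  <!-- Permit action "index" when every project Tag on the resource Instance is also asserted
       as a project attribute of the subject. Without concat() the Name/value pairing of the
       original policy has to be restored with an explicit @Name predicate on both selectors;
       a bare text() selector would otherwise compare the tag value against the value of any
       SAML attribute. XPath 1.0 cannot build the generic "{Name}value" strings, so this binds
       one attribute name per selector pair; add a rule per tag name if more are needed. -->
  <Rule Effect="Permit" RuleId="permit-index">
    <Condition>
      <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:and">
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-equal">
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-one-and-only">
            <AttributeDesignator AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="true"/>
          </Apply>
          <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">index</AttributeValue>
        </Apply>
        <!-- string-subset(resource-tags, subject-attributes): true when every tag value is also
             a subject value. -->
        <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-subset">
          <!-- Resource side. MustBePresent="true" because an empty first bag would make the
               subset test vacuously true and permit an Instance that has no project Tag at all;
               with "true" such a request yields Indeterminate instead. Revert to "false" only if
               untagged Instances are meant to be open. -->
          <AttributeSelector
            MustBePresent="true"
            Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
            Path="/*[namespace-uri()='urn:siphon-io:schema:application:dashu' and local-name()='Instance']/*[namespace-uri()='urn:siphon-io:schema:application:dashu' and local-name()='Tag' and @Name='urn:siphon-io:customer:dbsu:project']/text()"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            />
          <!-- Subject side: only values of the saml:Attribute with the matching Name. If the
               subject has none, the bag is empty, the subset test is false and the rule is
               NotApplicable, which the PEP must treat as deny. -->
          <AttributeSelector
            MustBePresent="false"
            Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
            Path="/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='Assertion']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='AttributeStatement']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='Attribute' and @Name='urn:siphon-io:customer:dbsu:project']/*[namespace-uri()='urn:oasis:names:tc:SAML:2.0:assertion' and local-name()='AttributeValue']/text()"
            DataType="http://www.w3.org/2001/XMLSchema#string"
            />
        </Apply>
      </Apply>
    </Condition>
  </Rule>
</Policy>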