XACML trying to pull any of a list of values from azure roles


I've looked at a lot of XACML questions on here but I just can't get this to resolve right. I'm in a policy using WSO2 Identity, and I'm trying to allow access if a person is in a few of a collection of roles. My rules are:

    <Rule Effect="Permit" RuleId="permit_by_claims">
       <Condition>
          <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-at-least-one-member-of">
             <AttributeDesignator AttributeId="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource" DataType="http://www.w3.org/2001/XMLSchema#string" MustBePresent="false"></AttributeDesignator>
             <Apply FunctionId="urn:oasis:names:tc:xacml:1.0:function:string-bag">
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">AG-ROLE-STAFF</AttributeValue>
                <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">AG-ROLE-FACULTY</AttributeValue>
             </Apply>
          </Apply>
       </Condition>
    </Rule>
    <Rule Effect="Deny" RuleId="deny_others"></Rule>

And in the SAML response to my auth request there is:

    <saml2:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">AG-ROLE-STUDENT</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">AG-ROLE-STAFF</saml2:AttributeValue>
        <saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xsd:string">AG-DEPT-ITS</saml2:AttributeValue>
     </saml2:Attribute>

I don't know why that first rule is not being applied. It's just giving me a policy deny when I try to log in.

Thank you.

EDIT: Adding the policy line.

    <Policy xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"  PolicyId="authn_user_claim_based_policy_template" RuleCombiningAlgId="urn:oasis:names:tc:xacml:1.0:rule-combining-algorithm:first-applicable" Version="1.0">

David Brossard

First of all, we'd need to see how the 2 rules are combined. If it's a deny-overrides then the first rule will be masked.

Secondly, you don't need a condition (and therefore a rule) to do the check. A simple target would have done the trick given you are comparing a potentially multi-valued attribute to 2 values. Just do a=="..." OR a=="...". XML is hard to read so use instead.

Thirdly, we need to see how the attributes are extracted from the SAML request and used in the XACML request because it's the latter that matters when comparing against a policy.

Finally, I find it a bit odd that the category is urn:oasis:names:tc:xacml:3.0:attribute-category:resource. I would expect a subject category for attributes coming from a SAML request.
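The following is an added example (not code from the question, from David Brossard's answer, or from WSO2) that models the question's two rules in a small XACML-style evaluator so the effect of each point in the answer can be observed. It assumes the PEP places the SAML role attribute in the `access-subject` category of the XACML request (the request context below is constructed for the example), and it simulates `string-at-least-one-member-of`, an `AttributeDesignator` with `MustBePresent="false"`, the `first-applicable` and `deny-overrides` rule-combining algorithms, and the Target-based alternative (`a=="..." OR a=="..."`) the answer suggests.

```python
"""Mini XACML-style evaluator for the permit_by_claims / deny_others rules.

Added illustration, not the page's own code. It does not parse XML; it
models the semantics of the relevant XACML functions and combining
algorithms so the question's policy can be traced by hand.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Category and attribute URIs taken from the question and the answer.
RESOURCE = "urn:oasis:names:tc:xacml:3.0:attribute-category:resource"
SUBJECT = "urn:oasis:names:tc:xacml:1.0:subject-category:access-subject"
ROLE_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"

# Request context: (category, attribute-id) -> bag of string values.
Request = Dict[Tuple[str, str], List[str]]


class IndeterminateError(Exception):
    """Raised when a designator with MustBePresent="true" finds nothing."""


def designator(request: Request, category: str, attribute_id: str,
               must_be_present: bool = False) -> List[str]:
    """AttributeDesignator: the bag of values under (category, id).
    With MustBePresent="false" (the question's setting) a missing
    attribute yields an EMPTY bag, not an error."""
    bag = request.get((category, attribute_id))
    if bag is None:
        if must_be_present:
            raise IndeterminateError(f"{attribute_id} missing in {category}")
        return []
    return list(bag)


def string_at_least_one_member_of(bag_a: List[str], bag_b: List[str]) -> bool:
    """urn:...:function:string-at-least-one-member-of over two bags."""
    return any(value in bag_b for value in bag_a)


def target_any_of(request: Request, category: str, attribute_id: str,
                  literals: List[str]) -> bool:
    """The answer's Target form: a=="x" OR a=="y" as AnyOf over string-equal
    matches against every value in the designated bag."""
    bag = designator(request, category, attribute_id)
    return any(value == lit for value in bag for lit in literals)


@dataclass
class Rule:
    rule_id: str
    effect: str                                   # "Permit" or "Deny"
    applies: Optional[Callable[[Request], bool]] = None  # Target/Condition


def evaluate_rule(rule: Rule, request: Request) -> str:
    """A rule with neither Target nor Condition is always applicable."""
    if rule.applies is None:
        return rule.effect
    try:
        return rule.effect if rule.applies(request) else "NotApplicable"
    except IndeterminateError:
        return "Indeterminate"


def first_applicable(rules: List[Rule], request: Request) -> str:
    for rule in rules:
        decision = evaluate_rule(rule, request)
        if decision != "NotApplicable":
            return decision
    return "NotApplicable"


def deny_overrides(rules: List[Rule], request: Request) -> str:
    decisions = [evaluate_rule(rule, request) for rule in rules]
    for winner in ("Deny", "Indeterminate", "Permit"):
        if winner in decisions:
            return winner
    return "NotApplicable"


def make_policy(role_category: str) -> List[Rule]:
    """The question's two rules, parameterised by the designator category."""
    permit = Rule("permit_by_claims", "Permit",
                  lambda req: string_at_least_one_member_of(
                      designator(req, role_category, ROLE_CLAIM),
                      ["AG-ROLE-STAFF", "AG-ROLE-FACULTY"]))
    deny = Rule("deny_others", "Deny")            # no target, no condition
    return [permit, deny]


# Constructed request: the SAML role values from the question, placed by the
# PEP under the access-subject category (an assumption for this example).
SAML_ROLES = ["AG-ROLE-STUDENT", "AG-ROLE-STAFF", "AG-DEPT-ITS"]
REQUEST: Request = {(SUBJECT, ROLE_CLAIM): SAML_ROLES}


def decide(role_category: str, combining: str = "first-applicable",
           request: Request = REQUEST) -> str:
    rules = make_policy(role_category)
    algorithm = first_applicable if combining == "first-applicable" else deny_overrides
    return algorithm(rules, request)


if __name__ == "__main__":
    print("resource category, first-applicable:", decide(RESOURCE))
    print("subject category,  first-applicable:", decide(SUBJECT))
    print("subject category,  deny-overrides:  ", decide(SUBJECT, "deny-overrides"))
```

Running it shows the three effects the answer describes: with the designator pointing at the resource category the role bag is empty, the condition is false, `permit_by_claims` is NotApplicable and `deny_others` fires; with the subject category the STAFF role matches and Permit is returned under `first-applicable`; and under `deny-overrides` the unconditional `deny_others` rule always contributes a Deny, so Permit can never win regardless of the roles.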