Common XACML Authorization Profile PIP


This profile has been supported since Argus 1.6 (EMI-3).

This PIP allows the PEP client to send only the end-user certificate or proxy, as the lone Subject key-info attribute. The PIP then parses the certificate, extracts all the information required by the Common XACML Authorization Profile, and populates the request with the attributes found in the certificate/proxy.

This PIP implements the Common XACML Authorization Profile (1.1.1) specifications.


  1. Create a new INI section for your PIP (you may choose any valid INI section name, e.g. COMMONXACMLPROFILE_PIP).
  2. In the PIP INI section, add the parserClass property with the value org.glite.authz.pep.pip.provider.CommonXACMLAuthorizationProfilePIPIniConfigurationParser
  3. To enable VOMS attribute certificate support add the vomsInfoDir property with a value corresponding to the absolute path of the VOMS vomsdir, traditionally /etc/grid-security/vomsdir.
  4. If, in the SECURITY section, the trustInfoDir property is not already set, add it with a value of the absolute filesystem path of your IGTF trust bundle.
  5. Configure which profile IDs are to be accepted, normally

PIP Configuration Properties

| Property | Description | Required? | Default Value |
|---|---|---|---|
| acceptedProfileIDs | The space-separated list of accepted authorization profile IDs. | No | None. |
| vomsInfoDir | The absolute path to the VOMS vomsdir directory. | Yes | None. |
| vomsInfoRefresh | The refresh interval of the vomsInfoDir directory, in minutes. | No | 60 |
| requireCertificate | The request Subject attribute key-info MUST be present in the incoming request. | No | false |
| requireProxy | The request Subject attribute key-info MUST be a proxy (PEM-encoded proxy chain). | No | false |


If acceptedProfileIDs is not defined, then all profile IDs present in the request environment profile-id attribute are accepted.
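The property table and the acceptedProfileIDs default above can be checked mechanically before a PEP Server is deployed. The following linter is an added example, not part of Argus or of the original page. It assumes that property names are case-sensitive, that an empty acceptedProfileIDs behaves like an undefined one, and that the PIP section is named COMMONXACMLPROFILE_PIP; the sample INI text is constructed.

```python
import configparser
import posixpath

# Parser class and property names are taken from this page.
PARSER_CLASS = ("org.glite.authz.pep.pip.provider."
                "CommonXACMLAuthorizationProfilePIPIniConfigurationParser")

def lint_pip_config(ini_text, pip_section="COMMONXACMLPROFILE_PIP"):
    """Return (level, message) findings for the PIP section of a PEP Server INI."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # assumption: property names are matched case-sensitively
    cfg.read_string(ini_text)
    if not cfg.has_section(pip_section):
        return [("error", f"[{pip_section}] section is missing")]
    pip, out = cfg[pip_section], []
    if pip.get("parserClass", "").strip() != PARSER_CLASS:
        out.append(("error", "parserClass is not the Common XACML profile PIP parser"))
    paths = {"vomsInfoDir": pip.get("vomsInfoDir", ""),
             "SECURITY/trustInfoDir": cfg.get("SECURITY", "trustInfoDir", fallback="")}
    for name, value in paths.items():
        if not posixpath.isabs(value.strip()):
            out.append(("error", f"{name} must be set to an absolute path"))
    refresh = pip.get("vomsInfoRefresh", "60").strip()  # documented default: 60
    if not refresh.isdecimal() or int(refresh) == 0:
        out.append(("error", "vomsInfoRefresh must be a positive number of minutes"))
    for key in ("requireCertificate", "requireProxy"):
        if pip.get(key, "false").strip().lower() not in ("true", "false"):
            out.append(("error", f"{key} must be true or false"))
    if pip.get("requireCertificate", "false").strip().lower() != "true":
        out.append(("warn", "requireCertificate is not true: key-info presence is not enforced"))
    # Assumption: an empty value is treated like an undefined property.
    if not pip.get("acceptedProfileIDs", "").split():
        out.append(("warn", "acceptedProfileIDs is empty: any profile-id in the request is accepted"))
    return out

# Constructed sample input with a relative vomsInfoDir and no accepted profile IDs.
SAMPLE = """
[SECURITY]
trustInfoDir = /etc/grid-security/certificates

[COMMONXACMLPROFILE_PIP]
parserClass = org.glite.authz.pep.pip.provider.CommonXACMLAuthorizationProfilePIPIniConfigurationParser
vomsInfoDir = etc/grid-security/vomsdir
acceptedProfileIDs =
"""

if __name__ == "__main__":
    for level, message in lint_pip_config(SAMPLE):
        print(f"{level}: {message}")
```

Treat the two warnings as review items rather than failures: both describe documented defaults, but each one widens what the PEP Server accepts.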

Required Request Attributes

This PIP requires that the request environment contains a profile-id attribute with the profile identifier, and that the request subject contains the certificate, and its chain, that were used to authenticate to the service, in the key-info attribute:

Populated Effective Request Attributes

The PIP will process the request subject key-info attribute and populate the following attributes:

If VOMS support is enabled and a VOMS certificate is included within a user’s proxy certificate, the following attributes will be populated within the request:

Example Configuration

The following example shows a PEP Server configuration with the Common XACML authorization profile PIP enabled, and accepting the EMI Common XACML Authorization profile.

entityId =
hostname =


pdps =

trustInfoDir = /etc/grid-security/certificates

parserClass = org.glite.authz.pep.pip.provider.CommonXACMLAuthorizationProfilePIPIniConfigurationParser
vomsInfoDir = /etc/grid-security/vomsdir
acceptedProfileIDs =