Hi all,

Thank you very much for the feedback.

I didn't know about the puppet use case. Yes, then we'll have to keep this.

Thanks & Regards,
Dulanja

On Mon, Sep 23, 2013 at 6:49 PM, Prabath Siriwardena wrote:

> Good point Dimuthu..!
>
> I think we need to keep this configuration file.
>
> First we look for the SAML trusted SP configuration from the Tenant's registry - in case of super tenant, that'll be super tenant registry - if a match found we use that - if not we look for the configuration file. In that way - any tenant can use its own trusted SPs.
>
> Thanks & regards,
> -Prabath
>
> On Mon, Sep 23, 2013 at 6:20 PM, Dimuthu Leelarathne wrote:
>
>> Hi Dulanja,
>>
>> What about cloud deployments? Current config files enable us to puppet-ize the deployment. When you do this it will no longer be able to do the deployment.
>>
>> If the problem is rewriting sso-idp-config.xml each time you add a parameter, then it is the problem of the code. We can write config file parsers in a very extensible way. For example refer [1]. We rarely write our configuration parser.
>>
>> And if you want to specify super tenant only SPs you can add a new parameter.
>>
>> Since this suggestion doesn't facilitate deployments I am -1 for this. If you can provide a solution for the deployment then I'll withdraw the -1.
>>
>> thanks,
>> dimuthu
>>
>> [1] https://svn.wso2.org/repos/wso2/scratch/appfactory/components/appfac/org.wso2.carbon.appfactory.common/1.1.0/src/main/java/org/wso2/carbon/appfactory/common/util/AppFactoryUtil.java
>>
>> On Mon, Sep 23, 2013 at 6:01 PM, Nuwan Bandara wrote:
>>
>>> great
>>>
>>> On Mon, Sep 23, 2013 at 5:57 PM, Dulanja Liyanage wrote:
>>>
>>>> Hi Nuwan,
>>>>
>>>> IS already has IdentitySAMLSSOConfigService for that purpose.
>>>>
>>>> Thanks & Regards,
>>>> Dulanja
>>>>
>>>> On Mon, Sep 23, 2013 at 5:47 PM, Nuwan Bandara wrote:
>>>>
>>>>> Hi Dulanja
>>>>>
>>>>> On Mon, Sep 23, 2013 at 5:43 PM, Dulanja Liyanage wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> AFAIK, AF and UES products are currently using the 'sso-idp-config.xml' file to store the SAML SSO Service Provider (SP) configurations. The main purpose of that is to write SP configuration *once* and use it for all the tenants. This removes the burden of adding the *same set* of SPs for each Tenant via the IdP UI.
>>>>>>
>>>>>> However, the downside of this is, when a new feature/option is added to the Identity Server's SP registration page, this file should *also* be changed and the file read logic should be modified accordingly. To avoid this, we are looking at the possibility of removing the usage of that file - allowing changes to be incorporated with minimum effort.
>>>>>>
>>>>>> One plausible way is to always save the tenant-shared configurations via the SP registration UI of the Super Admin. Since sso-idp-config.xml is also configured by the Super Admin, there shouldn't be any harm doing this.
>>>>>>
>>>>>> So, to validate the SP when a SAML request comes for a tenant user, code logic should first check the tenant's own configurations in his registry, and if no relevant SP is found (by using the issuer ID), then check the Super Admin's configuration from the registry for the shared SPs.
>>>>>>
>>>>>> But, what if the Super Admin wants to maintain a set of SPs only for his users (i.e. non-shareable SPs)?
>>>>>>
>>>>>> To cater for this, we can introduce a new option to the SP registration UI to specify whether a particular SP is shared or not.
>>>>>>
>>>>>> This would be the first step of improving the tenant story in SAML SSO. Appreciate your ideas on this.
>>>>>>
>>>>> +1, for the idea, please provide a service to register SPs, because not always we use the mgt-console UI to register new SPs.
>>>>>
>>>>> Regards,
>>>>> /Nuwan
>>>>>
>>>>>> Thanks & Regards,
>>>>>> Dulanja
>>>>>>
>>>>>> --
>>>>>> Dulanja Liyanage
>>>>>> Senior Software Engineer - WSO2 Inc.
>>>>>> M: +94776764717
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>> Nuwan Bandara
>>>>> Technical Lead; WSO2 Inc.
>>>>> lean . enterprise . middleware | http://wso2.com
>>>>> blog : http://nuwanbando.com; phone: +94 11 214 5345
>>>>
>>>> --
>>>> Dulanja Liyanage
>>>> Senior Software Engineer - WSO2 Inc.
>>>> M: +94776764717
>>>
>>> --
>>> Thanks & Regards,
>>> Nuwan Bandara
>>> Technical Lead; WSO2 Inc.
>>> lean . enterprise . middleware | http://wso2.com
>>> blog : http://nuwanbando.com; phone: +94 11 214 5345
>>
>> --
>> Dimuthu Leelarathne
>> Architect & Product Lead of App Factory
>> WSO2, Inc. (http://wso2.com)
>> Mobile : 0773661935
>> Lean . Enterprise . Middleware
>
> --
> Thanks & Regards,
> Prabath
> Mobile : +94 71 809 6732
> http://blog.facilelogin.com
> http://RampartFAQ.com

--
Dulanja Liyanage
Senior Software Engineer - WSO2 Inc.
M: +94776764717
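The lookup order the thread converges on (the tenant's own registry first, then the super tenant's SPs, then sso-idp-config.xml as the puppet-friendly fallback), combined with the proposed per-SP "shared" flag, written out as an added Python illustration for this page. It is not WSO2 Identity Server code: the XML element names, the `carbon.super` domain name, the `shared` attribute and every registry entry are assumed or constructed here. The security-relevant behaviour it shows is that a non-shared super-tenant SP is never resolvable for another tenant, that a tenant's own registration for an issuer overrides a shared one, and that the ACS URL in an AuthnRequest must match the registered one before an assertion is issued.

```python
"""
Tenant-aware SAML SP lookup with a "shared" flag and a file fallback.
Added illustration only; not WSO2 Identity Server code. Element names used
for the config file are assumed, not the product's real schema.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, Optional

SUPER_TENANT = "carbon.super"  # assumed name of the super tenant domain


@dataclass(frozen=True)
class ServiceProvider:
    issuer: str            # SAML Issuer the SP puts in its AuthnRequest
    acs_url: str           # AssertionConsumerServiceURL we may post an assertion to
    shared: bool = False   # hypothetical "shared" flag from the proposal
    source: str = "registry"


# Constructed stand-in for sso-idp-config.xml (simplified, assumed element names).
SSO_IDP_CONFIG_XML = """<SSOIdentityProviderConfig>
  <ServiceProviders>
    <ServiceProvider>
      <Issuer>appfactory</Issuer>
      <AssertionConsumerService>https://af.example.org/acs</AssertionConsumerService>
    </ServiceProvider>
  </ServiceProviders>
</SSOIdentityProviderConfig>"""


def load_file_sps(xml_text: str) -> Dict[str, ServiceProvider]:
    """Parse the file-based SPs; by construction they are shared by every tenant."""
    # The file is admin-controlled; for untrusted XML use defusedxml instead.
    root = ET.fromstring(xml_text)
    sps: Dict[str, ServiceProvider] = {}
    for node in root.iterfind("./ServiceProviders/ServiceProvider"):
        issuer = (node.findtext("Issuer") or "").strip()
        acs = (node.findtext("AssertionConsumerService") or "").strip()
        if issuer and acs:
            sps[issuer] = ServiceProvider(issuer, acs, shared=True, source="sso-idp-config.xml")
    return sps


class SPResolver:
    """Lookup order: tenant's own registry -> super tenant's *shared* SPs -> config file."""

    def __init__(self, registry: Dict[str, Dict[str, ServiceProvider]],
                 file_sps: Dict[str, ServiceProvider]) -> None:
        self.registry = registry   # tenant domain -> {issuer: ServiceProvider}
        self.file_sps = file_sps

    def resolve(self, tenant: str, issuer: str) -> Optional[ServiceProvider]:
        own = self.registry.get(tenant, {}).get(issuer)
        if own is not None:
            return own  # a tenant's own registration wins, even over a shared one
        if tenant != SUPER_TENANT:
            candidate = self.registry.get(SUPER_TENANT, {}).get(issuer)
            if candidate is not None and candidate.shared:
                return candidate
            # a non-shared super-tenant SP is invisible to other tenants: fall through
        return self.file_sps.get(issuer)

    def validate_request(self, tenant: str, issuer: str,
                         acs_url: str) -> Optional[ServiceProvider]:
        """Accept the AuthnRequest only if the issuer resolves for this tenant and the
        requested ACS URL matches the registered one exactly; otherwise the IdP would
        post an assertion for this tenant's user to an attacker-chosen endpoint."""
        sp = self.resolve(tenant, issuer)
        if sp is None or sp.acs_url != acs_url:
            return None
        return sp


def build_demo_resolver() -> SPResolver:
    """Constructed registry contents for the demo (not real deployment data)."""
    registry = {
        SUPER_TENANT: {
            "shared-portal": ServiceProvider("shared-portal", "https://portal.example.org/acs", shared=True),
            "admin-only": ServiceProvider("admin-only", "https://admin.example.org/acs", shared=False),
        },
        "acme.com": {
            # acme registered its own SP under the same issuer; it must override the shared one
            "shared-portal": ServiceProvider("shared-portal", "https://acme.example.org/acs"),
        },
    }
    return SPResolver(registry, load_file_sps(SSO_IDP_CONFIG_XML))


if __name__ == "__main__":
    r = build_demo_resolver()
    for tenant, issuer in [("acme.com", "shared-portal"), ("foo.org", "shared-portal"),
                           ("foo.org", "admin-only"), (SUPER_TENANT, "admin-only"),
                           ("foo.org", "appfactory")]:
        print(tenant, issuer, "->", r.resolve(tenant, issuer))
```

Because the super tenant's registry is consulted through the same first step as any other tenant's, the super admin's non-shared SPs need no special case; the `shared` check only applies when some other tenant falls through to the super tenant's entries, which is the isolation property the "non-shareable SPs" question in the thread is about.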
_______________________________________________
Architecture mailing list
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
