Hi Prabath,

id (scimId attribute): mandatory attribute, random value generated by each Service Provider, unique to each Service Provider, immutable.
externalId: not a mandatory attribute, will be generated by consumers, unique across all Service Providers, not immutable.
userName: mandatory attribute, generated by the consumer, unique across all Service Providers, immutable.

1. SCIM consumer sends a provisioning request to IS - which is the SCIM CSP. If externalId is available it will be stored as a user attribute. A random id is created and stored under the scimId attribute.
2. [1] & Identity Server provisions the user to other CSPs. If externalId is available it will be provisioned to the other Service Providers. scimId will not be provisioned; each Service Provider will create its own scimId.
3. Adding a user from the IS management console and provisioning the user to other connected CSPs. When a user is added from the Management console a scimId is automatically generated and stored as a user attribute. externalId will not be generated. When that user is provisioned to other Service Providers it will work as in scenario [2].

In all of these scenarios username will be unique and will be provisioned to other Service Providers. Users created from the Management console will be provisioned to Service Providers only if they are configured as global Service Providers.

The implementation will not change for LDAP and JDBC, but in LDAP or AD the claim mapping should be set to the SCIM attributes (externalId, scimId etc).

IMO externalId is not a useful attribute in the spec. [1] here there are some arguments on this.

[1] http://www.infoq.com/articles/scim-data-model-limitations

Please add anything missing or wrong.

Thanks,

On Mon, Oct 21, 2013 at 10:45 PM, Prabath Siriwardena <[email protected]> wrote:
> There are three use cases..
>
> 1. SCIM consumer sends a provisioning request to IS - which is the SCIM CSP.
> 2. [1] & Identity Server provisions the user to other CSPs
> 3. Adding user from the IS management console and provision the user to other connected CSP.
>
> How do we handle id/externalid/userName in above three cases..? Also please explain this both in the case of LDAP and JDBC based user stores.
>
> For [2] and [3] - what is the externalid we have..?
>
> *id* Unique identifier for the SCIM Resource as defined by the Service Provider. Each representation of the Resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider’s entire set of Resources. It MUST be a stable, non-reassignable identifier that does not change when the same Resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. bulkId: is a reserved keyword and MUST NOT be used in the unique identifier. REQUIRED and READ-ONLY.
>
> *externalId* An identifier for the Resource as defined by the Service Consumer. The externalId may simplify identification of the Resource between Service Consumer and Service Provider by allowing the Consumer to refer to the Resource with its own identifier, obviating the need to store a local mapping between the local identifier of the Resource and the identifier used by the Service Provider. Each Resource MAY include a non-empty externalId value. The value of the externalId attribute is always issued by the Service Consumer and can never be specified by the Service Provider. The Service Provider MUST always interpret the externalId as scoped to the Service Consumer’s tenant.
>
> *userName* Unique identifier for the User, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to id or externalId, which are generally opaque and not user-friendly identifiers). Each User MUST include a non-empty userName value. This identifier MUST be unique across the Service Consumer’s entire set of Users. REQUIRED.
>
>
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com
>

--
Ishara Karunarathna
Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94 718211678
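As an added illustration (not code from this thread or from WSO2 Identity Server), the three scenarios above modelled in Python: the IS acts as a SCIM CSP that mints its own scimId, keeps externalId only when the consumer supplied one, rejects a consumer-supplied id, and forwards userName and externalId (never its own scimId) to downstream CSPs, which mint their own. The names ServiceProvider, provision, add_from_console and the sample values are hypothetical.

```python
import uuid
from dataclasses import dataclass, field


@dataclass
class ServiceProvider:
    """Minimal model of one SCIM Cloud Service Provider (CSP); hypothetical names."""
    name: str
    users: dict = field(default_factory=dict)        # keyed by userName
    downstream: list = field(default_factory=list)   # CSPs we outbound-provision to

    def provision(self, resource: dict) -> dict:
        """Handle an inbound SCIM create request and fan it out downstream."""
        # id is READ-ONLY: always issued by the Service Provider, never by the consumer
        if "id" in resource or "scimId" in resource:
            raise ValueError("id is issued by the Service Provider, not the consumer")
        user_name = resource.get("userName")
        if not user_name:
            raise ValueError("userName is REQUIRED")
        if user_name in self.users:
            raise ValueError(f"userName {user_name!r} already exists at {self.name}")
        # Random, per-provider id stored under the scimId attribute
        stored = {"userName": user_name, "scimId": str(uuid.uuid4())}
        # externalId is optional and kept only when the consumer supplied one
        if resource.get("externalId"):
            stored["externalId"] = resource["externalId"]
        self.users[user_name] = stored
        # Outbound provisioning forwards userName and externalId; each downstream
        # provider mints its own scimId, so ours is deliberately left out
        outbound = {k: v for k, v in stored.items() if k != "scimId"}
        for sp in self.downstream:
            sp.provision(dict(outbound))
        return stored

    def add_from_console(self, user_name: str) -> dict:
        """Scenario 3: a user added in the management console has no externalId."""
        return self.provision({"userName": user_name})


def demo():
    """Run the three scenarios and return the providers for inspection."""
    csp_a, csp_b = ServiceProvider("csp_a"), ServiceProvider("csp_b")
    identity_server = ServiceProvider("IS", downstream=[csp_a, csp_b])
    # Scenarios 1 and 2: consumer request carrying an externalId (constructed value)
    identity_server.provision({"userName": "alice", "externalId": "hr-0042"})
    # Scenario 3: console-created user, provisioned onward without externalId
    identity_server.add_from_console("bob")
    return identity_server, csp_a, csp_b
```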
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
