When IS provisions users to other connected systems - are we maintaining the list of id's returned by each CSP...?
IMO externalId is also useful. A given externalId could map to multiple ids returned by CSPs.

Thanks & regards,
-Prabath

On Tue, Oct 22, 2013 at 8:25 AM, Ishara Karunarathna <[email protected]> wrote:

> Hi Prabath,
>
> id (scimId attribute)
> Mandatory attribute, random value generated by each Service Provider,
> unique to each Service Provider, immutable
>
> externalId
> Is not a mandatory attribute, will be generated by consumers, unique
> across all Service Providers, not immutable
>
> userName
> Mandatory attribute, generated by consumer, unique across all Service
> Providers, immutable
>
> 1. SCIM consumer sends a provisioning request to IS - which is the SCIM CSP.
> If externalId is available it will be stored as a user attribute.
> Randomly create an id and store it under the scimId attribute.
>
> 2. [1] & Identity Server provisions the user to other CSPs.
> If externalId is available it will be provisioned to other service providers.
> scimId will not be provisioned; each service provider will create its own scimId.
>
> 3. Adding a user from the IS management console and provisioning the user to
> other connected CSPs.
> When a user is added from the Management console a scimId is automatically
> generated and stored as a user attribute.
> externalId will not be generated.
> When that user is provisioned to other service providers it will work as in
> scenario [2].
>
> In all of these scenarios userName will be unique and will be provisioned to
> other service providers.
>
> Users created from the Management console will be provisioned to service
> providers only if they are configured as global service providers.
>
> The implementation will not change for LDAP and JDBC, but in LDAP or AD the claim
> mapping should be set to SCIM attributes (externalId, scimId etc.).
>
> IMO externalId is not a useful attribute in the spec. [1] here there are
> some arguments on this.
> [1] http://www.infoq.com/articles/scim-data-model-limitations
>
> Please add something missing or wrong.
>
> Thanks,
>
> On Mon, Oct 21, 2013 at 10:45 PM, Prabath Siriwardena <[email protected]> wrote:
>
>> There are three use cases..
>>
>> 1. SCIM consumer sends a provisioning request to IS - which is the SCIM CSP.
>> 2. [1] & Identity Server provisions the user to other CSPs.
>> 3. Adding a user from the IS management console and provisioning the user to
>> other connected CSPs.
>>
>> How do we handle id/externalId/userName in the above three cases..? Also
>> please explain this both in the case of LDAP and JDBC based user stores.
>>
>> For [2] and [3] - what is the externalId we have..?
>>
>> *id* Unique identifier for the SCIM Resource as defined by the Service
>> Provider. Each representation of the Resource MUST include a non-empty id
>> value. This identifier MUST be unique across the Service Provider's entire
>> set of Resources. It MUST be a stable, non-reassignable identifier that
>> does not change when the same Resource is returned in subsequent requests.
>> The value of the id attribute is always issued by the Service Provider and
>> MUST never be specified by the Service Consumer. bulkId is a reserved
>> keyword and MUST NOT be used in the unique identifier. REQUIRED and
>> READ-ONLY.
>>
>> *externalId* An identifier for the Resource as defined by the Service
>> Consumer. The externalId may simplify identification of the Resource
>> between Service Consumer and Service Provider by allowing the Consumer to
>> refer to the Resource with its own identifier, obviating the need to store
>> a local mapping between the local identifier of the Resource and the
>> identifier used by the Service Provider. Each Resource MAY include a
>> non-empty externalId value. The value of the externalId attribute is always
>> issued by the Service Consumer and can never be specified by the Service
>> Provider. The Service Provider MUST always interpret the externalId as
>> scoped to the Service Consumer's tenant.
>>
>> *userName* Unique identifier for the User, typically used by the user to
>> directly authenticate to the service provider. Often displayed to the user
>> as their unique identifier within the system (as opposed to id or
>> externalId, which are generally opaque and not user-friendly identifiers).
>> Each User MUST include a non-empty userName value. This identifier MUST be
>> unique across the Service Consumer's entire set of Users. REQUIRED.
>>
>> Thanks & Regards,
>> Prabath
>>
>> Mobile : +94 71 809 6732
>>
>> http://blog.facilelogin.com
>> http://RampartFAQ.com
>
> --
> Ishara Karunarathna
> Software Engineer
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>
> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94 718211678

--
Thanks & Regards,
Prabath

Mobile : +94 71 809 6732

http://blog.facilelogin.com
http://RampartFAQ.com
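As an added illustration (not code from WSO2 Identity Server or from anyone in this thread), the toy model below walks the three scenarios discussed above: a consumer-supplied externalId is stored and forwarded, the provider-minted scimId never leaves the provider that created it, console-created users reach only global CSPs, and IS keeps the per-CSP id map that the question at the top asks about. Class and method names are assumptions.

```python
# Constructed model of SCIM id / externalId / userName handling (assumed names).
import uuid


class ScimProvider:
    """A SCIM Service Provider (CSP) that mints its own opaque, immutable ids."""

    def __init__(self, name, is_global=False):
        self.name = name
        self.is_global = is_global        # global CSPs also receive console-created users
        self.users = {}                   # provider id -> stored user resource

    def create(self, resource):
        # userName is REQUIRED and must be unique across this provider's users.
        if any(u["userName"] == resource["userName"] for u in self.users.values()):
            raise ValueError("userName already exists: " + resource["userName"])
        # id is never taken from the consumer; the provider generates it.
        user = {"id": uuid.uuid4().hex, "userName": resource["userName"]}
        if resource.get("externalId"):    # optional and owned by the consumer
            user["externalId"] = resource["externalId"]
        self.users[user["id"]] = user
        return user


class IdentityServer(ScimProvider):
    """IS is a CSP towards the consumer and a consumer towards connected CSPs."""

    def __init__(self):
        super().__init__("IS")
        self.connected = []               # downstream CSPs
        self.remote_ids = {}              # local scimId -> {csp name: id that CSP returned}

    def _fan_out(self, user, from_console):
        outbound = {"userName": user["userName"]}
        if "externalId" in user:          # externalId travels; the local scimId does not
            outbound["externalId"] = user["externalId"]
        targets = [c for c in self.connected if c.is_global or not from_console]
        # Keep the list of ids each CSP returned, keyed by the local scimId.
        self.remote_ids[user["id"]] = {c.name: c.create(outbound)["id"] for c in targets}
        return user

    def provision_from_consumer(self, resource):   # scenarios 1 and 2
        return self._fan_out(self.create(resource), from_console=False)

    def add_from_console(self, user_name):         # scenario 3
        return self._fan_out(self.create({"userName": user_name}), from_console=True)
```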
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
