No, we do not maintain a list. Instead we get the scimId of the user being provisioned from the particular provider by filtering with user name.

On the consumer side externalId is useful, but in the [2] case it would be better, if we need, to keep the returned scimIds' mapping to the Consumer's scimId as it is unique.

Thanks,
-Ishara

On Tue, Oct 22, 2013 at 4:53 AM, Prabath Siriwardena <[email protected]> wrote:

> When IS provisions users to other connected systems - are we maintaining
> the list of id's returned by each CSP...?
>
> IMO externalId is also useful. A given externalId could map to multiple
> id's returned by CSPs.
>
> Thanks & regards,
> -Prabath
>
>
> On Tue, Oct 22, 2013 at 8:25 AM, Ishara Karunarathna <[email protected]> wrote:
>
>> Hi Prabath,
>>
>> id (scimId attribute)
>> Mandatory attribute, random value generated by each Service Provider,
>> unique to each service provider, immutable
>>
>> externalId
>> Is not a mandatory attribute, will be generated by consumers, unique
>> across all Service Providers, not immutable
>>
>> userName
>> Mandatory attribute, generated by consumer, unique across all Service
>> Providers, immutable
>>
>>
>> 1. SCIM consumer sends a provisioning request to IS - which is the SCIM
>> CSP.
>> If externalId is available it will be stored as a user attribute.
>> A randomly created id is stored under the scimId attribute.
>>
>>
>> 2. [1] & Identity Server provisions the user to other CSPs
>> If externalId is available it will be provisioned to other service providers.
>> scimId will not be provisioned; each service provider will create its own
>> scimId.
>>
>>
>> 3. Adding a user from the IS management console and provisioning the user to
>> other connected CSPs.
>> When a user is added from the Management console a scimId is automatically
>> generated and stored as a user attribute.
>> externalId will not be generated.
>> When that user is provisioned to other service providers it will work as in
>> scenario [2].
>>
>> In all of these scenarios userName will be unique and will be provisioned to
>> other service providers.
>>
>> Users generated from the Management console will be provisioned to service
>> providers only if they are configured as global service providers.
>>
>> The implementation will not change for LDAP and JDBC, but in LDAP or AD the claim
>> mapping should be set to SCIM attributes (externalId, scimId etc.).
>>
>> IMO externalId is not a useful attribute in the spec. [1] here there are
>> some arguments on this.
>> [1] http://www.infoq.com/articles/scim-data-model-limitations
>>
>> Please add anything missing or wrong.
>>
>> Thanks,
>>
>>
>> On Mon, Oct 21, 2013 at 10:45 PM, Prabath Siriwardena <[email protected]> wrote:
>>
>>> There are three use cases..
>>>
>>> 1. SCIM consumer sends a provisioning request to IS - which is the SCIM
>>> CSP.
>>> 2. [1] & Identity Server provisions the user to other CSPs
>>> 3. Adding user from the IS management console and provision the user to
>>> other connected CSP.
>>>
>>> How do we handle id/externalId/userName in the above three cases..? Also
>>> please explain this both in the case of LDAP and JDBC based user stores.
>>>
>>> For [2] and [3] - what is the externalId we have..?
>>>
>>> *id* Unique identifier for the SCIM Resource as defined by the Service
>>> Provider. Each representation of the Resource MUST include a non-empty id
>>> value. This identifier MUST be unique across the Service Provider’s entire
>>> set of Resources. It MUST be a stable, non-reassignable identifier that
>>> does not change when the same Resource is returned in subsequent requests.
>>> The value of the id attribute is always issued by the Service Provider and
>>> MUST never be specified by the Service Consumer. bulkId: is a reserved
>>> keyword and MUST NOT be used in the unique identifier. REQUIRED and
>>> READ-ONLY.
>>>
>>> *externalId* An identifier for the Resource as defined by the Service
>>> Consumer. The externalId may simplify identification of the Resource
>>> between Service Consumer and Service Provider by allowing the Consumer to
>>> refer to the Resource with its own identifier, obviating the need to store
>>> a local mapping between the local identifier of the Resource and the
>>> identifier used by the Service Provider. Each Resource MAY include a
>>> non-empty externalId value. The value of the externalId attribute is always
>>> issued by the Service Consumer and can never be specified by the Service
>>> Provider. The Service Provider MUST always interpret the externalId as
>>> scoped to the Service Consumer’s tenant.
>>>
>>> *userName* Unique identifier for the User, typically used by the user
>>> to directly authenticate to the service provider. Often displayed to the
>>> user as their unique identifier within the system (as
>>> opposed to id or externalId, which are generally opaque and not
>>> user-friendly identifiers). Each User MUST include a non-empty userName
>>> value. This identifier MUST be unique across the Service Consumer’s entire
>>> set of Users. REQUIRED.
>>>
>>>
>>> Thanks & Regards,
>>> Prabath
>>>
>>> Mobile : +94 71 809 6732
>>>
>>> http://blog.facilelogin.com
>>> http://RampartFAQ.com
>>
>>
>> --
>> Ishara Karunarathna
>> Software Engineer
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94 718211678
>
>
> --
> Thanks & Regards,
> Prabath
>
> Mobile : +94 71 809 6732
>
> http://blog.facilelogin.com
> http://RampartFAQ.com

--
Ishara Karunarathna
Software Engineer
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94 718211678
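The identifier rules discussed in this thread, modelled as an added in-memory Python simulation (not WSO2 Identity Server code): each CSP mints its own `id`, a consumer-supplied `externalId` is stored and forwarded as-is, the IS's own scimId is never pushed downstream, and the downstream ids are recovered by filtering on `userName` rather than from a stored list. Class names, the `uuid`-based ids and treating every connected CSP as a global one are assumptions of this example.

```python
import uuid


class ServiceProvider:
    """A SCIM CSP: issues its own opaque id and never accepts one from the caller."""

    def __init__(self, name):
        self.name = name
        self.users = {}  # id -> user attributes

    def create(self, user_name, external_id=None):
        # userName MUST be unique across the provider's users (spec text quoted above).
        if self.filter_by_username(user_name):
            raise ValueError("duplicate userName: %s" % user_name)
        sid = str(uuid.uuid4())  # id is always issued here, never by the consumer
        self.users[sid] = {"id": sid, "userName": user_name, "externalId": external_id}
        return sid

    def filter_by_username(self, user_name):
        # Equivalent of GET /Users?filter=userName eq "<user_name>"
        return [u for u in self.users.values() if u["userName"] == user_name]


class IdentityServer(ServiceProvider):
    """IS: a CSP toward the SCIM consumer, a consumer toward connected CSPs."""

    def __init__(self, connected):
        super().__init__("IS")
        self.connected = connected  # assumed all configured as global providers

    def provision_from_consumer(self, user_name, external_id=None):
        # Scenario 1: keep externalId if supplied, generate a local scimId.
        sid = self.create(user_name, external_id)
        self.provision_downstream(sid)  # scenario 2 follows scenario 1
        return sid

    def add_from_console(self, user_name):
        # Scenario 3: scimId generated, no externalId, then provisioned as in [2].
        sid = self.create(user_name, None)
        self.provision_downstream(sid)
        return sid

    def provision_downstream(self, sid):
        user = self.users[sid]
        for csp in self.connected:
            # externalId is forwarded; the IS scimId is not, each CSP mints its own.
            csp.create(user["userName"], user["externalId"])

    def downstream_ids(self, sid):
        # No id list is kept; correlate by userName, which is unique everywhere.
        name = self.users[sid]["userName"]
        return {csp.name: [u["id"] for u in csp.filter_by_username(name)]
                for csp in self.connected}
```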
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
