On Tue, Oct 22, 2013 at 3:09 PM, Ishara Karunarathna <[email protected]>wrote:
> No, We do not maintain a list, instead we get the scimId of the user being > provisioned from the particular provider > by filtering with user name. > So - for each outbound provisioning - there are two calls..? One to get the id - and then to do the actual SCIM provisioning request ? Thanks & regards, -Prabath > > In consumer side externaid is useful, but in the [2] case it would be > better if we need, keep returned scimId's mapping to > Consumer's scimId as it it unique. > > Thanks, > -Ishara > > > On Tue, Oct 22, 2013 at 4:53 AM, Prabath Siriwardena <[email protected]>wrote: > >> When IS provisions users to other connected systems - are we maintaining >> the list of id's returned by each CSP...? >> >> IMO externaid is also useful. A given externalid could map to multiple >> id's returned by CSPs. >> >> Thanks & regards, >> -Prabath >> >> >> On Tue, Oct 22, 2013 at 8:25 AM, Ishara Karunarathna <[email protected]>wrote: >> >>> Hi Prabath, >>> >>> id (scimId attribute) >>> Mandatory attribute, Random value generated by each Service Provider, >>> Unique to each service provider, immutable >>> >>> exernalId >>> Is not an mandatory attribute, Will be generated by consumers, unique >>> across all Service Providers, not immutable >>> >>> userName >>> Mandatory attribute, generated by consumer, unique across all Service >>> Providers, immutable >>> >>> >>> >>> 1. SCIM consumer sends a provisioning request to IS - which is the SCIM >>> CSP. >>> If exernalId is available it will be stored as a user attribute. >>> Randomly created a id and store under scimId attribute >>> >>> >>> 2. [1] & Identity Server provisions the user to other CSPs >>> If externalId available it will provision to other service providers >>> scimId will not provision, each service provider will create its own >>> scimId >>> >>> >>> 3. Adding user from the IS management console and provision the user to >>> other connected CSP. >>> When a user added from Management console automatically scimId generated >>> and stored as user attribute. >>> externalId will not be generated >>> When that user provision to other service providers it will work as >>> scenario [2] >>> >>> In all of these scenarios username will be unique and will provision to >>> other service providers. >>> >>> Users generated from Management console will provision to service >>> providers only if they are configured as global service providers. >>> >>> implementation will not change for LDAP and JDBC but in LDAP or AD claim >>> mapping should be set to SCIM attributes (externalId, scimId etc). >>> >>> IMO externalId is not an useful attribute in the spec. [1] here there >>> are some arguments on this. >>> [1] http://www.infoq.com/articles/scim-data-model-limitations >>> >>> Please add something mission or wrong. >>> >>> Thanks, >>> >>> >>> On Mon, Oct 21, 2013 at 10:45 PM, Prabath Siriwardena >>> <[email protected]>wrote: >>> >>>> There are three use cases.. >>>> >>>> 1. SCIM consumer sends a provisioning request to IS - which is the SCIM >>>> CSP. >>>> 2. [1] & Identity Server provisions the user to other CSPs >>>> 3. Adding user from the IS management console and provision the user to >>>> other connected CSP. >>>> >>>> How do we handle id/externalid/userName in above three cases..? Also >>>> please explain this both in the case of LDAP and JDBC based user stores. >>>> >>>> For [2] and [3] - what is the externalid we have..? >>>> >>>> *id* Unique identifier for the SCIM Resource as defined by the Service >>>> Provider. Each representation of the Resource MUST include a non-empty id >>>> value. This identifier MUST be unique across the Service Provider’s entire >>>> set of Resources. It MUST be a stable, non-reassignable identifier that >>>> does not change when the same Resource is returned in subsequent requests. >>>> The value of the id attribute is always issued by the Service Provider and >>>> MUST never be specified by the Service Consumer. bulkId: is a reserved >>>> keyword and MUST NOT be used in the unique identifier. REQUIRED and >>>> READ-ONLY. >>>> >>>> *externalId* An identifier for the Resource as defined by the Service >>>> Consumer. The externalId may simplify identification of the Resource >>>> between Service Consumer and Service provider by allowing the Consumer to >>>> refer to the Resource with its own identifier, obviating the need to store >>>> a local mapping between the local identifier of the Resource and the >>>> identifier used by the Service Provider. Each Resource MAY include a >>>> non-empty externalId value.The value of the externalId attribute is always >>>> issued be the Service Consumer and can never be specified by the Service >>>> Provider. The Service Provider MUST always interpret the externalId as >>>> scoped to the Service Consumer’s tenant. >>>> >>>> *userName* Unique identifier for the User, typically used by the user >>>> to directly authenticate to the service provider. Often displayed to the >>>> user as their unique identifier within the system (as >>>> opposed to id or externalId, which are generally opaque and not >>>> user-friendly identifiers). Each User MUST include a non-empty userName >>>> value. This identifier MUST be unique across the Service Consumer’s entire >>>> set of Users. REQUIRED. >>>> >>>> >>>> Thanks & Regards, >>>> Prabath >>>> >>>> Mobile : +94 71 809 6732 >>>> >>>> http://blog.facilelogin.com >>>> http://RampartFAQ.com >>>> >>> >>> >>> >>> -- >>> Ishara Karunarathna >>> Software Engineer >>> WSO2 Inc. - lean . enterprise . middleware | wso2.com >>> >>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94 >>> 718211678 >>> >> >> >> >> -- >> Thanks & Regards, >> Prabath >> >> Mobile : +94 71 809 6732 >> >> http://blog.facilelogin.com >> http://RampartFAQ.com >> > > > > -- > Ishara Karunarathna > Software Engineer > WSO2 Inc. - lean . enterprise . middleware | wso2.com > > email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94 > 718211678 > -- Thanks & Regards, Prabath Mobile : +94 71 809 6732 http://blog.facilelogin.com http://RampartFAQ.com
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
