Hi,

On Tue, Oct 22, 2013 at 9:53 AM, Prabath Siriwardena <[email protected]> wrote:

> What is the endpoint we are doing the PUT..? I guess it's just /Users -
> with no id.
>

Yes, we use the same endpoint to do the PUT operation.


> In that case is it correct to assume that CSP will find the resource from
> the userName in the request? Also is it correct to assume that userName
> does not get changed in the connected systems?
>

Yes, in this case the user name might have been changed in the CSP. This is an
issue we face since we are not generating an externalId from IS as a SCIM
consumer. But IMO it's better if we can keep the SCIM ID on the consumer
side (IS as the consumer in this case). Then when IS sends a request to a
SCIM provider, the correct ID can be found from the consumer side, and even
though the user name has been changed on the provider side, the operation will
work as expected.

This was discussed under a separate thread (Is userName SCIM claim
immutable in WSO2 IS ?)


>
> Also - how spec compliant - is it to do a PUT directly on Users?
>

Doing a PUT operation on a user resource is acceptable, but this operation
will replace the resource. We need to implement the PATCH operation in
order to perform a correct update operation.


>
> Thanks & regards,
> -Prabath
>
> On Tue, Oct 22, 2013 at 5:01 PM, Venura Kahawala <[email protected]> wrote:
>
>> Hi,
>>
>> We do not send two separate calls. Since user name is a unique attribute,
>> SCIM providers handle the request by taking the user name and identifying
>> to which resource the operation should be applied.
>>
>> Regards,
>> Venura
>>
>>
>> On Tue, Oct 22, 2013 at 9:15 AM, Prabath Siriwardena <[email protected]> wrote:
>>
>>>
>>> On Tue, Oct 22, 2013 at 3:09 PM, Ishara Karunarathna
>>> <[email protected]> wrote:
>>>
>>>> No, we do not maintain a list; instead we get the scimId of the user
>>>> being provisioned from the particular provider
>>>> by filtering with the user name.
>>>>
>>>
>>> So - for each outbound provisioning - there are two calls..? One to get
>>> the id - and then to do the actual SCIM provisioning request?
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>>>
>>>> On the consumer side externalId is useful, but in the [2] case it would be
>>>> better if we keep the returned scimIds' mapping to the
>>>> consumer's scimId, as it is unique.
>>>>
>>>> Thanks,
>>>> -Ishara
>>>>
>>>>
>>>> On Tue, Oct 22, 2013 at 4:53 AM, Prabath Siriwardena
>>>> <[email protected]> wrote:
>>>>
>>>>> When IS provisions users to other connected systems - are we
>>>>> maintaining the list of ids returned by each CSP...?
>>>>>
>>>>> IMO externalId is also useful. A given externalId could map to multiple
>>>>> ids returned by CSPs.
>>>>>
>>>>> Thanks & regards,
>>>>> -Prabath
>>>>>
>>>>>
>>>>> On Tue, Oct 22, 2013 at 8:25 AM, Ishara Karunarathna
>>>>> <[email protected]> wrote:
>>>>>
>>>>>> Hi Prabath,
>>>>>>
>>>>>> id (scimId attribute)
>>>>>> Mandatory attribute, random value generated by each Service Provider,
>>>>>> unique to each service provider, immutable
>>>>>>
>>>>>> externalId
>>>>>> Not a mandatory attribute, will be generated by consumers, unique
>>>>>> across all Service Providers, not immutable
>>>>>>
>>>>>> userName
>>>>>> Mandatory attribute, generated by the consumer, unique across all Service
>>>>>> Providers, immutable
>>>>>>
>>>>>>
>>>>>>
>>>>>> 1. SCIM consumer sends a provisioning request to IS - which is the
>>>>>> SCIM CSP.
>>>>>> If externalId is available it will be stored as a user attribute.
>>>>>> A randomly created id is stored under the scimId attribute.
>>>>>>
>>>>>>
>>>>>> 2. [1] & Identity Server provisions the user to other CSPs.
>>>>>> If externalId is available it will be provisioned to other service providers.
>>>>>> scimId will not be provisioned; each service provider will create its own
>>>>>> scimId.
>>>>>>
>>>>>>
>>>>>> 3. Adding a user from the IS management console and provisioning the user
>>>>>> to other connected CSPs.
>>>>>> When a user is added from the Management console a scimId is automatically
>>>>>> generated and stored as a user attribute.
>>>>>> externalId will not be generated.
>>>>>> When that user is provisioned to other service providers it will work as in
>>>>>> scenario [2].
>>>>>>
>>>>>> In all of these scenarios the username will be unique and will be provisioned
>>>>>> to other service providers.
>>>>>>
>>>>>> Users created from the Management console will be provisioned to service
>>>>>> providers only if they are configured as global service providers.
>>>>>>
>>>>>> The implementation will not change for LDAP and JDBC, but in LDAP or AD the
>>>>>> claim mapping should be set to SCIM attributes (externalId, scimId etc.).
>>>>>>
>>>>>> IMO externalId is not a useful attribute in the spec. [1] has some
>>>>>> arguments on this.
>>>>>> [1] http://www.infoq.com/articles/scim-data-model-limitations
>>>>>>
>>>>>> Please add anything missing or wrong.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>>
>>>>>> On Mon, Oct 21, 2013 at 10:45 PM, Prabath Siriwardena
>>>>>> <[email protected]> wrote:
>>>>>>
>>>>>>> There are three use cases..
>>>>>>>
>>>>>>> 1. SCIM consumer sends a provisioning request to IS - which is the
>>>>>>> SCIM CSP.
>>>>>>> 2. [1] & Identity Server provisions the user to other CSPs
>>>>>>> 3. Adding user from the IS management console and provision the user
>>>>>>> to other connected CSP.
>>>>>>>
>>>>>>> How do we handle id/externalId/userName in the above three cases..?
>>>>>>> Also please explain this both in the case of LDAP and JDBC based user
>>>>>>> stores.
>>>>>>>
>>>>>>> For [2] and [3] - what is the externalId we have..?
>>>>>>>
>>>>>>> *id* Unique identifier for the SCIM Resource as defined by the
>>>>>>> Service Provider. Each representation of the Resource MUST include a
>>>>>>> non-empty id value. This identifier MUST be unique across the Service
>>>>>>> Provider’s entire set of Resources. It MUST be a stable, non-reassignable
>>>>>>> identifier that does not change when the same Resource is returned in
>>>>>>> subsequent requests. The value of the id attribute is always issued by the
>>>>>>> Service Provider and MUST never be specified by the Service Consumer.
>>>>>>> bulkId: is a reserved keyword and MUST NOT be used in the unique
>>>>>>> identifier. REQUIRED and READ-ONLY.
>>>>>>>
>>>>>>> *externalId* An identifier for the Resource as defined by the
>>>>>>> Service Consumer. The externalId may simplify identification of the
>>>>>>> Resource between Service Consumer and Service Provider by allowing the
>>>>>>> Consumer to refer to the Resource with its own identifier, obviating the
>>>>>>> need to store a local mapping between the local identifier of the Resource
>>>>>>> and the identifier used by the Service Provider. Each Resource MAY include
>>>>>>> a non-empty externalId value. The value of the externalId attribute is
>>>>>>> always issued by the Service Consumer and can never be specified by the
>>>>>>> Service Provider. The Service Provider MUST always interpret the externalId
>>>>>>> as scoped to the Service Consumer’s tenant.
>>>>>>>
>>>>>>> *userName* Unique identifier for the User, typically used by the
>>>>>>> user to directly authenticate to the service provider. Often displayed to
>>>>>>> the user as their unique identifier within the system (as
>>>>>>> opposed to id or externalId, which are generally opaque and not
>>>>>>> user-friendly identifiers). Each User MUST include a non-empty userName
>>>>>>> value. This identifier MUST be unique across the Service Consumer’s entire
>>>>>>> set of Users. REQUIRED.
>>>>>>>
>>>>>>>
>>>>>>> Thanks & Regards,
>>>>>>> Prabath
>>>>>>>
>>>>>>> Mobile : +94 71 809 6732
>>>>>>>
>>>>>>> http://blog.facilelogin.com
>>>>>>> http://RampartFAQ.com
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Software Engineer
>>>>>> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>>>>>>
>>>>>> email: [email protected],   blog: isharaaruna.blogspot.com,   mobile: +94
>>>>>> 718211678
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>> --
>> Senior Software Engineer
>>
>> Mobile: +94 71 82 300 20
>>
>>
>
>



Both of the above mentioned improvements have been suggested in the SCIM road map
thread ([IS] Roadmap for user/identity provisioning).

Regards,
Venura

-- 
Senior Software Engineer

Mobile: +94 71 82 300 20
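The two points raised in this message, that PUT replaces the whole resource while PATCH merges, and that locating a user on the provider by userName breaks once the provider renames the user whereas a stored provider-issued id keeps working, as an added example in the form of a small in-memory SCIM provider model (not code from this thread or from WSO2 IS; ScimProvider, id_map and the helper names are constructed for illustration):

```python
# Added example, not code from the thread or from WSO2 IS: an in-memory
# model of a SCIM provider (CSP). 'id' is issued by the provider and never
# taken from the consumer; userName is the consumer-chosen login name;
# externalId is optional and consumer-owned. All names are constructed.
import uuid


class ScimProvider:
    def __init__(self):
        self.users = {}  # provider-issued id -> resource dict

    def create(self, resource):
        user = dict(resource)
        user["id"] = str(uuid.uuid4())  # issued here, overriding any consumer value
        self.users[user["id"]] = user
        return user

    def filter_by_username(self, user_name):
        return [u for u in self.users.values() if u["userName"] == user_name]

    def put(self, user_id, resource):
        # PUT replaces the resource: attributes absent from 'resource' are dropped
        self.users[user_id] = {**resource, "id": user_id}
        return self.users[user_id]

    def patch(self, user_id, changes):
        # PATCH merges: attributes not mentioned in 'changes' survive
        self.users[user_id].update(changes)
        return self.users[user_id]


def provision(provider, id_map, local_name, resource):
    """Consumer-side create that records the provider's returned id per local user."""
    created = provider.create(resource)
    id_map[local_name] = created["id"]
    return created["id"]


def update_by_username(provider, local_name, changes):
    """Locate the user by filtering on userName (the approach the thread describes)."""
    hits = provider.filter_by_username(local_name)
    return provider.patch(hits[0]["id"], changes) if len(hits) == 1 else None


def update_by_stored_id(provider, id_map, local_name, changes):
    """Locate the user via the id stored at provisioning time; survives a rename."""
    return provider.patch(id_map[local_name], changes)
```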
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
