Hi,

Sorry for the trouble, but we do a filtering request to the provider with user name (filter=userNameEq) and get the SCIM id and do the provisioning to the outbound CSP.

Regards,
Venura

On Tue, Oct 22, 2013 at 11:05 AM, Prabath Siriwardena <[email protected]> wrote:
> But for outbound provisioning from IS we cannot do the same now - as we do not maintain the ids returned by the connected CSPs at the time we add the user..?
>
> Thanks & regards,
> -Prabath
>
> On Tue, Oct 22, 2013 at 6:21 PM, Venura Kahawala <[email protected]> wrote:
>> Hi,
>>
>> Yes, I was wrong regarding the endpoint. Here is an example of a PUT operation on the user resource.
>>
>> curl -v -k --user admin:admin -X PUT \
>>   -d '{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasinitg","emails":[{"value":"[email protected]","type":"work"},{"value":"[email protected]","type":"home"}]}' \
>>   --header "Content-Type:application/json" \
>>   https://localhost:9443/wso2/scim/Users/48f7cfe5-f0e3-4a67-af7e-d762aa9ab215
>>
>> Regards,
>> Venura
>>
>> On Tue, Oct 22, 2013 at 10:37 AM, Prabath Siriwardena <[email protected]> wrote:
>>> In that case it's with an id - not a direct PUT to /Users. It's like /Users/id
>>>
>>> To sort out any confusion here we need to look at http://www.w3.org/Protocols/rfc2616/rfc2616-sec9.html#sec9.6
>>>
>>> So - it looks like just doing a PUT on /Users is not quite correct - we need to identify the resource in the Request-URI.
>>>
>>> "The PUT method requests that the enclosed entity be stored under the supplied Request-URI. If the Request-URI refers to an already existing resource, the enclosed entity SHOULD be considered as a modified version of the one residing on the origin server. If the Request-URI does not point to an existing resource, and that URI is capable of being defined as a new resource by the requesting user agent, the origin server can create the resource with that URI. If a new resource is created, the origin server MUST inform the user agent via the 201 (Created) response."
>>>
>>> Thanks & regards,
>>> -Prabath
>>>
>>> On Tue, Oct 22, 2013 at 5:55 PM, Venura Kahawala <[email protected]> wrote:
>>>> Hi,
>>>>
>>>> On Tue, Oct 22, 2013 at 10:17 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>> On Tue, Oct 22, 2013 at 5:41 PM, Venura Kahawala <[email protected]> wrote:
>>>>>> Hi,
>>>>>>
>>>>>>> Also - how spec compliant - is it to do a PUT directly on Users ?
>>>>>>
>>>>>> Doing a PUT operation on the user resource is acceptable, but this operation will replace the resource. We need to implement the PATCH operation in order to perform a correct update operation.
>>>>>
>>>>> Can you please point to the spec...?
>>>>
>>>> Here [1] it defines the operations supported. In [2] it provides a sample SCIM PUT operation on the user resource.
>>>>
>>>>> Thanks & regards,
>>>>> -Prabath
>>>>>
>>>>>>> Thanks & regards,
>>>>>>> -Prabath
>>>>>>>
>>>>>>> On Tue, Oct 22, 2013 at 5:01 PM, Venura Kahawala <[email protected]> wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> We do not send two separate calls. Since user name is a unique attribute, SCIM providers handle the request by taking the user name and identifying to which resource the operation should be applied.
>>>>>>>>
>>>>>>>> Regards,
>>>>>>>> Venura
>>>>>>>>
>>>>>>>> On Tue, Oct 22, 2013 at 9:15 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>>>>>> On Tue, Oct 22, 2013 at 3:09 PM, Ishara Karunarathna <[email protected]> wrote:
>>>>>>>>>> No, we do not maintain a list; instead we get the scimId of the user being provisioned from the particular provider by filtering with user name.
>>>>>>>>>
>>>>>>>>> So - for each outbound provisioning - there are two calls..? One to get the id - and then to do the actual SCIM provisioning request?
>>>>>>>>>
>>>>>>>>> Thanks & regards,
>>>>>>>>> -Prabath
>>>>>>>>>
>>>>>>>>>> On the consumer side externalId is useful, but in the [2] case it would be better if we need, keep the returned scimId's mapping to the Consumer's scimId as it is unique.
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> -Ishara
>>>>>>>>>>
>>>>>>>>>> On Tue, Oct 22, 2013 at 4:53 AM, Prabath Siriwardena <[email protected]> wrote:
>>>>>>>>>>> When IS provisions users to other connected systems - are we maintaining the list of id's returned by each CSP...?
>>>>>>>>>>>
>>>>>>>>>>> IMO externalId is also useful. A given externalId could map to multiple id's returned by CSPs.
>>>>>>>>>>>
>>>>>>>>>>> Thanks & regards,
>>>>>>>>>>> -Prabath
>>>>>>>>>>>
>>>>>>>>>>> On Tue, Oct 22, 2013 at 8:25 AM, Ishara Karunarathna <[email protected]> wrote:
>>>>>>>>>>>> Hi Prabath,
>>>>>>>>>>>>
>>>>>>>>>>>> id (scimId attribute)
>>>>>>>>>>>> Mandatory attribute, random value generated by each Service Provider, unique to each service provider, immutable
>>>>>>>>>>>>
>>>>>>>>>>>> externalId
>>>>>>>>>>>> Is not a mandatory attribute, will be generated by consumers, unique across all Service Providers, not immutable
>>>>>>>>>>>>
>>>>>>>>>>>> userName
>>>>>>>>>>>> Mandatory attribute, generated by consumer, unique across all Service Providers, immutable
>>>>>>>>>>>>
>>>>>>>>>>>> 1. SCIM consumer sends a provisioning request to IS - which is the SCIM CSP.
>>>>>>>>>>>> If externalId is available it will be stored as a user attribute.
>>>>>>>>>>>> A randomly created id is stored under the scimId attribute.
>>>>>>>>>>>>
>>>>>>>>>>>> 2. [1] & Identity Server provisions the user to other CSPs
>>>>>>>>>>>> If externalId is available it will be provisioned to other service providers.
>>>>>>>>>>>> scimId will not be provisioned; each service provider will create its own scimId.
>>>>>>>>>>>>
>>>>>>>>>>>> 3. Adding a user from the IS management console and provisioning the user to other connected CSPs.
>>>>>>>>>>>> When a user is added from the Management console a scimId is automatically generated and stored as a user attribute.
>>>>>>>>>>>> externalId will not be generated.
>>>>>>>>>>>> When that user is provisioned to other service providers it will work as in scenario [2].
>>>>>>>>>>>>
>>>>>>>>>>>> In all of these scenarios username will be unique and will be provisioned to other service providers.
>>>>>>>>>>>>
>>>>>>>>>>>> Users generated from the Management console will be provisioned to service providers only if they are configured as global service providers.
>>>>>>>>>>>>
>>>>>>>>>>>> The implementation will not change for LDAP and JDBC, but in LDAP or AD the claim mapping should be set to SCIM attributes (externalId, scimId etc).
>>>>>>>>>>>>
>>>>>>>>>>>> IMO externalId is not a useful attribute in the spec. [1] here there are some arguments on this.
>>>>>>>>>>>> [1] http://www.infoq.com/articles/scim-data-model-limitations
>>>>>>>>>>>>
>>>>>>>>>>>> Please add anything missing or wrong.
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks,
>>>>>>>>>>>>
>>>>>>>>>>>> On Mon, Oct 21, 2013 at 10:45 PM, Prabath Siriwardena <[email protected]> wrote:
>>>>>>>>>>>>> There are three use cases..
>>>>>>>>>>>>>
>>>>>>>>>>>>> 1. SCIM consumer sends a provisioning request to IS - which is the SCIM CSP.
>>>>>>>>>>>>> 2. [1] & Identity Server provisions the user to other CSPs
>>>>>>>>>>>>> 3. Adding a user from the IS management console and provisioning the user to other connected CSPs.
>>>>>>>>>>>>>
>>>>>>>>>>>>> How do we handle id/externalId/userName in the above three cases..? Also please explain this both in the case of LDAP and JDBC based user stores.
>>>>>>>>>>>>>
>>>>>>>>>>>>> For [2] and [3] - what is the externalId we have..?
>>>>>>>>>>>>>
>>>>>>>>>>>>> *id* Unique identifier for the SCIM Resource as defined by the Service Provider. Each representation of the Resource MUST include a non-empty id value. This identifier MUST be unique across the Service Provider's entire set of Resources. It MUST be a stable, non-reassignable identifier that does not change when the same Resource is returned in subsequent requests. The value of the id attribute is always issued by the Service Provider and MUST never be specified by the Service Consumer. bulkId: is a reserved keyword and MUST NOT be used in the unique identifier. REQUIRED and READ-ONLY.
>>>>>>>>>>>>>
>>>>>>>>>>>>> *externalId* An identifier for the Resource as defined by the Service Consumer. The externalId may simplify identification of the Resource between Service Consumer and Service Provider by allowing the Consumer to refer to the Resource with its own identifier, obviating the need to store a local mapping between the local identifier of the Resource and the identifier used by the Service Provider. Each Resource MAY include a non-empty externalId value. The value of the externalId attribute is always issued by the Service Consumer and can never be specified by the Service Provider. The Service Provider MUST always interpret the externalId as scoped to the Service Consumer's tenant.
>>>>>>>>>>>>>
>>>>>>>>>>>>> *userName* Unique identifier for the User, typically used by the user to directly authenticate to the service provider. Often displayed to the user as their unique identifier within the system (as opposed to id or externalId, which are generally opaque and not user-friendly identifiers). Each User MUST include a non-empty userName value. This identifier MUST be unique across the Service Consumer's entire set of Users. REQUIRED.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thanks & Regards,
>>>>>>>>>>>>> Prabath
>>>>>>>>>>>>>
>>>>>>>>>>>>> Mobile : +94 71 809 6732
>>>>>>>>>>>>>
>>>>>>>>>>>>> http://blog.facilelogin.com
>>>>>>>>>>>>> http://RampartFAQ.com
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Ishara Karunarathna
>>>>>>>>>>>> Software Engineer
>>>>>>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>>>>>>>
>>>>>>>>>>>> email: [email protected], blog: isharaaruna.blogspot.com,
>>>>>>>>>>>> mobile: +94 718211678
>>>>>>
>>>>>> Both above mentioned improvements have been suggested in the SCIM road map thread ([IS] Roadmap for user/identity provisioning).
>>>>>>
>>>>>> Regards,
>>>>>> Venura
>>>>
>>>> [1] http://www.simplecloud.info/specs/draft-scim-api-01.html#api
>>>> [2] http://www.simplecloud.info/specs/draft-scim-api-01.html#edit-resource-with-put
>>>>
>>>> Regards,
>>>> Venura

--
Senior Software Engineer

Mobile: +94 71 82 300 20
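The two-call outbound flow the thread settles on (filter by userName to obtain the provider-issued id, then PUT the full representation to /Users/{id}), written up as an added example. This is not code from the thread or from WSO2 Identity Server; the in-memory provider stub, its /Users layout, the `userName eq "..."` filter form and the sample user are all constructed for the example. It also enforces the id rule quoted earlier in the thread (the consumer never supplies an id) and shows why PUT, which replaces the whole resource, drops any attribute left out of the body.

```python
"""Added example: two-call SCIM outbound provisioning against an in-memory
stand-in for a SCIM 1.1 service provider (not WSO2 IS code; stub, URL layout
and sample data are constructed for this example)."""
import re
import uuid
from urllib.parse import parse_qs, quote, urlsplit


class ScimProviderStub:
    """Minimal CSP: server-issued ids, unique userName, PUT replaces the resource."""

    def __init__(self):
        self.users = {}  # provider-issued id -> full resource

    def handle(self, method, url, body=None):
        parts = urlsplit(url)
        if method == "POST" and parts.path == "/Users":
            return self._create(body)
        if method == "GET" and parts.path == "/Users":
            return self._filter(parse_qs(parts.query).get("filter", [""])[0])
        if method == "PUT" and parts.path.startswith("/Users/"):
            return self._replace(parts.path[len("/Users/"):], body)
        return 404, {"Errors": [{"description": "No such resource", "code": "404"}]}

    def _create(self, body):
        # id is issued by the provider and MUST never be specified by the consumer
        if "id" in body:
            return 400, {"Errors": [{"description": "id is read-only", "code": "400"}]}
        if any(u["userName"] == body["userName"] for u in self.users.values()):
            return 409, {"Errors": [{"description": "userName taken", "code": "409"}]}
        resource = dict(body, id=str(uuid.uuid4()))
        self.users[resource["id"]] = resource
        return 201, resource

    def _filter(self, expr):
        # Only the filter the thread relies on is supported: userName eq "value"
        m = re.fullmatch(r'userName eq "([^"]*)"', expr)
        if m is None:
            return 400, {"Errors": [{"description": "unsupported filter", "code": "400"}]}
        hits = [u for u in self.users.values() if u["userName"] == m.group(1)]
        return 200, {"totalResults": len(hits), "Resources": hits}

    def _replace(self, rid, body):
        if rid not in self.users:
            return 404, {"Errors": [{"description": "No such resource", "code": "404"}]}
        if body.get("id", rid) != rid:
            return 400, {"Errors": [{"description": "id mismatch", "code": "400"}]}
        # PUT semantics: the stored resource becomes exactly the enclosed entity
        self.users[rid] = dict(body, id=rid)
        return 200, self.users[rid]


def resolve_scim_id(csp, user_name):
    """Call 1: look the user up by userName and return the provider-issued id.
    Insist on exactly one match so a missing or duplicated user is never
    silently provisioned onto the wrong resource."""
    if '"' in user_name:  # would break out of the quoted filter value
        raise ValueError("userName must not contain a double quote")
    status, resp = csp.handle("GET", "/Users?filter=" + quote(f'userName eq "{user_name}"'))
    if status != 200:
        raise RuntimeError(f"filter request failed with {status}")
    hits = resp["Resources"]
    if len(hits) != 1:
        raise LookupError(f"expected 1 user named {user_name!r}, got {len(hits)}")
    return hits[0]["id"]


def provision_update(csp, user):
    """Call 2: PUT the full representation to /Users/{id}. Because PUT replaces
    the resource, `user` must carry every attribute that should survive;
    anything left out is dropped (which is why PATCH is needed for partial updates)."""
    rid = resolve_scim_id(csp, user["userName"])
    body = {k: v for k, v in user.items() if k != "id"}  # never send a consumer-chosen id
    status, resp = csp.handle("PUT", f"/Users/{rid}", body)
    if status != 200:
        raise RuntimeError(f"PUT /Users/{rid} failed with {status}")
    return resp


def demo():
    """Create one user, then update it with a body that omits 'emails'."""
    csp = ScimProviderStub()
    status, created = csp.handle("POST", "/Users", {
        "schemas": [], "userName": "hasinitg",
        "name": {"familyName": "gunasinghe", "givenName": "hasinitg"},
        "emails": [{"value": "hasinitg@example.com", "type": "work"}],  # constructed sample
    })
    assert status == 201
    updated = provision_update(csp, {
        "schemas": [], "userName": "hasinitg",
        "name": {"familyName": "gunasinghe", "givenName": "hasini"},
    })
    return created, updated


if __name__ == "__main__":
    created, updated = demo()
    print("same id:", created["id"] == updated["id"], "| emails kept:", "emails" in updated)
```

Running `demo()` shows the point Venura raises: the id returned by the filter is the one the PUT addresses, but the work e-mail present at creation is gone after the PUT because the replacement body did not include it. A provisioning connector that wants to change one attribute therefore has to read the current resource first and send it back whole, or use PATCH once the provider supports it.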
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
