1. What is an Application in the context of Identity Server?

It's a consumer of identity attributes, roles (and groups), authentication
methods/policies and authorization policies. In practice, this could be a
web application, a mobile application, or even a desktop application.

*- Identity attributes*

A given user can be allowed to maintain his own set of attributes against
different registered Applications (multiple profiles).

*- Permissions / Roles*

A given Application can maintain its own set of permissions with the
Identity Server. That is, a given application can maintain its own set of
resources and actions. For IS, Carbon is just another application, and
its permissions/roles will be maintained as they are today.

*- Authentication Policies*

A given Application can have its own set of trusted SAML2 IdPs and SAML
response requirements (which attributes should be present, signed or not),
its own OAuth client key/secret, and its own WS-Trust/STS policies. It can
also have its own user store.

*- Authorization Policies*

This is how we relate the available permissions for an Application to its
roles. This can finally be represented in XACML.

2. How does this relate to multi-tenancy?

A given tenant can have its own set of Applications.

3. How does this work with Carbon?

Carbon itself is just another registered Application.

4. Don't we already have the Application concept in IS?

Yes, we do, but that is scattered across the platform. In OAuth, we uniquely
identify an application by the client key. When we define a SAML2 Service
Provider, we identify it by the EntityId. We don't have such a concept for
roles, permissions, or authorization policies. The idea is to unify this
across the platform.

The unique identifier of an application would be the client key. For the
administrative operations we need to provide an API, which is protected
with OAuth.

5. Would this change the Identity Server Management Console UI?

Yes. We need to have a tab for defining and listing Applications. Other
tabs also need to absorb the Application concept when grouping.

6. How does this differ from the Application we create in API Manager?

It's the same, plus more capabilities.

7. How does this relate to Web Applications we host in Application Server?

It's the same. You define QoS parameters for those applications from this.

Ideas, thoughts, questions most welcome.

Thanks & regards,
-Prabath
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture