I guess from the Identity Server's point of view, we should have the ability to enforce an authorization policy for an identity provider at the service provider level.

This authorization policy can be a pointer to a XACML policy, or it can be just role based or just attribute based. If it's XACML based, then from the Advanced Authentication Configuration (in the SP UI), under the Identity Provider, we should be able to link to a XACML policy in the server. If it's just role based, the UI should list the roles available at the Identity Provider (picked from the IdP config) and filter out the required roles for the particular service provider. If it's attribute based, the UI should list the IdP claims available at the Identity Provider (picked from the IdP config) and specify which are required / optional and, if present, what their values should be...

Thanks & regards,
-Prabath

On Thu, Sep 17, 2015 at 6:01 PM, Lakshani Gamage <[email protected]> wrote:
> Hi all,
>
> In App Manager, users can subscribe in 2 ways.
>
> They are,
>
> 1. *Subscribe to an App* - This is a 'per user per app' subscription. For each and every subscription, a database entry is created with user name and application name (per user per application subscription).
>
> 2. *Enterprise Subscription* - If users with the internal/store-admin role enable an enterprise subscription to an app, all the users who are authenticated through the added provider can directly enter their credentials and access the Web app, as they are automatically subscribed to the app through the enterprise subscription.
> Here, there are no per user per app entries in the database but only per SP entries.
>
> For App Manager, different kinds of IDPs can be configured as the IDP. In those IDPs, users are categorized based on several policies. (Ex: WSO2 IS uses 'roles' to categorize users.)
>
> In the current implementation of enterprise subscription, all the users in the IDP are subscribed to the application without considering the user categories.
>
> From the bulk subscription feature, specific user category/categories are subscribed to the application.
>
> Thanks,
> --
> Lakshani Gamage
>
> *Software Engineer*
> Mobile : +94 (0) 71 5478184

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://blog.facilelogin.com
http://blog.api-security.org
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
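The role-based and attribute-based flavours of the per-SP, per-IdP policy sketched in Prabath's reply, as an added Python example; this is not WSO2 code and not part of the thread. The claim names, the sample role names other than internal/store-admin, and the rule that a user needs at least one of the required roles are assumptions.

```python
"""Authorization policy for one identity provider, scoped to one service
provider (SP). Added illustration, not WSO2 Identity Server code.

A user who authenticated through the IdP arrives with a set of roles and a
dict of claims; the SP-level policy decides whether that user is implicitly
subscribed to the app (the enterprise-subscription case in the thread)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


def unknown_roles(idp_roles: Set[str], required_roles: Set[str]) -> Set[str]:
    """Roles an SP admin selected that the IdP config does not declare."""
    return required_roles - idp_roles


@dataclass
class AttributeRule:
    claim: str                                   # IdP claim name (constructed)
    required: bool = True                        # must the claim be present?
    allowed: Set[str] = field(default_factory=set)  # empty set = any value


@dataclass
class IdpAuthzPolicy:
    idp_roles: Set[str]                          # roles listed in the IdP config
    required_roles: Set[str] = field(default_factory=set)   # picked by SP admin
    attribute_rules: List[AttributeRule] = field(default_factory=list)

    def __post_init__(self) -> None:
        # The UI only offers roles known at the IdP; reject anything else.
        bad = unknown_roles(self.idp_roles, self.required_roles)
        if bad:
            raise ValueError(f"roles not defined at IdP: {sorted(bad)}")

    def authorize(self, user_roles: Set[str], claims: Dict[str, str]) -> bool:
        # Role based: an empty selection means no role restriction; otherwise
        # the user must hold at least one of the required roles (assumption).
        if self.required_roles and self.required_roles.isdisjoint(user_roles):
            return False
        # Attribute based: required claims must be present; any claim that is
        # present must carry an allowed value when values are constrained.
        for rule in self.attribute_rules:
            value = claims.get(rule.claim)
            if value is None:
                if rule.required:
                    return False
                continue
            if rule.allowed and value not in rule.allowed:
                return False
        return True
```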
