What is a claim?

*A "claim" is an identifier for an underlying identity store attribute. We
prefer exposing identity store attributes to the application level
components as claims rather than direct attributes, to abstract away the
implementation details of the underlying identity store.*

In C4 we only had a static set of metadata for "claims", e.g.
supported-by-default, read-only, required, etc. With IS 5.3.0, in fact, we
have already given the ability to extend the set of metadata defined for a
claim.

In C4, we didn't have a specific object model for an underlying identity
store attribute, e.g. uid, cn, mail, etc. Therefore we also didn't have
support for metadata for identity store attributes, which has come up as a
requirement at various points in time, e.g. data-type, read-only, regex,
multi-valued, etc.

Now we are starting with Claim Management for IS 6.0.0 on C5. After
participating in several recent discussions, I can't help but realize the
fact that all this time we have been working with some confusion regarding
defining metadata for claims. I think the main confusion has been that all
metadata related to attributes has been treated as claim metadata, which I
don't think is correct anymore.

I think we have 2 levels of metadata related to user attributes.

*1. Identity Store Attribute metadata*

Attributes are objects representing an attribute of the underlying Identity
Store, e.g. uid, cn, mail, sAMAccountName, etc. These underlying attributes
have metadata, e.g. data-type, read-only, regex, multi-valued, etc.

*2. Attribute Profile metadata*

Some time back I sent a mail regarding this [1]. We are taking this up for
IS 6.0.0 on C5.

Basically what I am realizing more and more is that, claims don't have
metadata by themselves, but they get metadata only when we attach them with
a particular profile. Claims by themselves only have an identifier.

Consider following example to understand more. It is quite simple but I
hope you get the point.

The LDAP connector supports an attribute called "sn". "sn" is an LDAP level
optional attribute. So the attribute level meta property would be
"required=false". However, we've mapped this "sn" attribute to the native
claim "http://wso2.org/claims/lastName".

According to the discussion we had in [1], the "http://wso2.org/claims/lastName"
claim can be grouped under 2 attribute profiles, e.g. "self sign-up" and
"jit provisioning". At the profile level we can say that
"http://wso2.org/claims/lastName" is required when doing "self sign-up" but
not required when doing "jit provisioning".

In summary, what I am trying to say is: we have connector attributes at the
lowest level, and these attributes can have metadata. We represent connector
attributes as claims to the application level components. Claims don't need
to have metadata by themselves, which is what we did wrong in previous IS
versions. When claims are mapped to profiles, each claim would have its own
profile specific metadata. The profile specific metadata values may
override certain values of the attribute metadata, as long as we comply
with the most restrictive of the two (need more brainstorming on this
point).

[1] Multiple Attribute Profiles Support for IS in [email protected]

Thanks and Regards.

-- 

*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
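The three-layer model the mail above argues for (attribute metadata at the connector level, claims as bare identifiers mapped to attributes, and profile-specific metadata that may only tighten the attribute metadata), worked through as an added Python example. This is illustrative code written for this page, not WSO2 Identity Server code; the class and field names, the claim URI used for the "mail" attribute, and the regexes are assumptions.

```python
# Added example (not WSO2 Identity Server code). Models attribute metadata,
# claims as identifiers, and profile metadata, merging the two so that the
# more restrictive value wins. All names and regexes below are invented.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class AttributeMeta:
    """Metadata of an underlying identity-store attribute (e.g. LDAP 'sn')."""
    name: str
    data_type: str = "string"
    required: bool = False
    read_only: bool = False
    multi_valued: bool = False
    regex: Optional[str] = None


@dataclass(frozen=True)
class ProfileMeta:
    """Per-profile metadata for a claim. None means 'inherit from the attribute'."""
    required: Optional[bool] = None
    read_only: Optional[bool] = None
    multi_valued: Optional[bool] = None
    regex: Optional[str] = None


@dataclass(frozen=True)
class EffectiveMeta:
    """What an application component sees for a claim inside one profile."""
    data_type: str
    required: bool
    read_only: bool
    multi_valued: bool
    regexes: Tuple[str, ...]   # a value must match every pattern in the tuple


class ClaimManager:
    def __init__(self) -> None:
        self.attributes: Dict[str, AttributeMeta] = {}
        self.claim_to_attr: Dict[str, str] = {}                 # claim URI -> attribute name
        self.profiles: Dict[str, Dict[str, ProfileMeta]] = {}   # profile -> claim URI -> meta

    def add_attribute(self, meta: AttributeMeta) -> None:
        self.attributes[meta.name] = meta

    def map_claim(self, claim: str, attr_name: str) -> None:
        # A claim by itself is only an identifier bound to an attribute; no metadata here.
        if attr_name not in self.attributes:
            raise KeyError(f"unknown attribute {attr_name}")
        self.claim_to_attr[claim] = attr_name

    def add_to_profile(self, profile: str, claim: str, meta: ProfileMeta) -> None:
        if claim not in self.claim_to_attr:
            raise KeyError(f"unmapped claim {claim}")
        self.profiles.setdefault(profile, {})[claim] = meta

    def effective(self, profile: str, claim: str) -> EffectiveMeta:
        """Merge attribute and profile metadata; the profile can only tighten."""
        attr = self.attributes[self.claim_to_attr[claim]]
        pm = self.profiles[profile][claim]
        return EffectiveMeta(
            data_type=attr.data_type,                                  # type is fixed by the store
            required=attr.required or bool(pm.required),               # True wins
            read_only=attr.read_only or bool(pm.read_only),            # True wins
            multi_valued=attr.multi_valued and pm.multi_valued is not False,  # False wins
            regexes=tuple(r for r in (attr.regex, pm.regex) if r),     # both must match
        )

    def validate(self, profile: str, values: Dict[str, List[str]]) -> List[str]:
        """Check submitted claim values against one profile; return error strings."""
        errors: List[str] = []
        for claim in self.profiles[profile]:
            eff = self.effective(profile, claim)
            vals = values.get(claim, [])
            if eff.required and not vals:
                errors.append(f"{claim}: required in profile '{profile}'")
                continue
            if not eff.multi_valued and len(vals) > 1:
                errors.append(f"{claim}: single-valued, got {len(vals)} values")
            for v in vals:
                for rx in eff.regexes:
                    if not re.fullmatch(rx, v):
                        errors.append(f"{claim}: value {v!r} fails /{rx}/")
        for claim in values:
            if claim not in self.profiles[profile]:
                errors.append(f"{claim}: not part of profile '{profile}'")
        return sorted(errors)


LAST_NAME = "http://wso2.org/claims/lastName"
EMAIL = "http://example.test/claims/email"   # hypothetical claim URI for the 'mail' attribute


def build_example() -> ClaimManager:
    """The 'sn' / lastName case from the mail, plus 'mail' to show that a profile
    cannot loosen an attribute that the store already marks as required."""
    cm = ClaimManager()
    cm.add_attribute(AttributeMeta("sn", required=False, regex=r"[A-Za-z' -]{1,64}"))
    cm.add_attribute(AttributeMeta("mail", required=True, regex=r"[^@\s]+@[^@\s]+\.[^@\s]+"))
    cm.map_claim(LAST_NAME, "sn")
    cm.map_claim(EMAIL, "mail")
    # self sign-up: last name becomes required and gets a tighter regex on top of LDAP's
    cm.add_to_profile("self sign-up", LAST_NAME, ProfileMeta(required=True, regex=r"[A-Z][a-z' -]*"))
    cm.add_to_profile("self sign-up", EMAIL, ProfileMeta(required=False))   # attempt to loosen; ignored
    # jit provisioning: last name stays optional, as at the attribute level
    cm.add_to_profile("jit provisioning", LAST_NAME, ProfileMeta())
    return cm
```

The merge rule in `effective` is one concrete reading of "comply with the most restrictive of the two": boolean flags combine so that the stricter value wins, regexes accumulate so a value has to satisfy both, and the data type is never overridable at the profile level.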
