On Wed, Dec 7, 2016 at 7:12 AM, Thanuja Jayasinghe <[email protected]> wrote:

> Hi All,
>
> In the IS 6.0.0 Identity Store design we facilitate having multiple user
> domains, each containing one or more identity/credential store connectors.
> Also, the same identity/credential store connector may reside in two different
> domains. So there is a requirement to identify a user uniquely throughout
> the system.
>

I'm finding it hard to understand what a domain is and what a connector is
:). Are there mails explaining exactly what these are? Sorry if I've missed
them.

>
> *Approach One*
>
> Calculate unique user id as a combination of domain id and connector wise
> user mappings. Use a signing mechanism to ensure the integrity of the id.
>
> Ex: {domain-id}.{connector-id : connector-user-id}*.{digest-value} =>
> 12.{c1:[email protected]}{c2:78451244}.W4sU2s
>
> Pros:
>
>    - Can verify the user without a database call by recalculating the
>    digest value of the id.
>    - Can identify the domain and connector wise mapping without a
>    database call if server received the id.
>
> Cons:
>
>    - If a connector is added to or removed from the domain, then the unique id
>    will be a different one. So we need to have a constraint there.
>    - In a scenario where we have multiple connectors, during a user claim
>    update, some connectors may be added to the id, since when we create a user
>    we may not add attributes to all the connectors.
>    - Having a valid unique user id does not guarantee that the user still
>    exists in the system.
>    - The unique id may be lengthy.
>
>
> *Approach Two*
>
> Calculate unique user id as a combination of domain id and a random UUID.
>
> Ex: {domain-id}.{random-uuid} => 12.A1j88KlmSKAl74
>
> Pros:
>
>    - Can identify the domain without a database call.
>    - Can add or remove connectors without changing the unique user id.
>    - User claim update does not affect the unique user id value.
>    - Fairly small id compared to approach one.
>
>
> Cons:
>
>    - Need a database call to get the connector mappings.
>
>
> It feels like approach two is more suitable for the identity store. WDYT?
>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Senior Software Engineer
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891 +94758009992
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
>


-- 
Nuwan Dias

Software Architect - WSO2, Inc. http://wso2.com
email : [email protected]
Phone : +94 777 775 729
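As an added example (not code from the thread or from WSO2), the two id schemes in Python: approach one built as `{domain-id}.{connector-id:connector-user-id}*.{digest}`, parsed and verified without a database call, plus the con that adding a connector changes the id; approach two as `{domain-id}.{random-uuid}`. The mail only says "a signing mechanism", so HMAC-SHA256 under a server-side key, the truncated digest length and the hex UUID encoding are assumptions of this example.

```python
import base64
import hashlib
import hmac
import re
import uuid

# Constructed key for this example only; the thread does not specify the
# signing mechanism, so HMAC-SHA256 under a server-side key is an assumption.
SIGNING_KEY = b"example-only-key"
DIGEST_CHARS = 8  # short tail, like the "W4sU2s" in the mail's example


def _digest(payload: str) -> str:
    mac = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:DIGEST_CHARS]


def approach_one_id(domain_id: int, mappings: dict) -> str:
    """{domain-id}.{connector-id:connector-user-id}*.{digest}; mappings sorted so the id is deterministic."""
    body = "".join(f"{{{c}:{u}}}" for c, u in sorted(mappings.items()))
    payload = f"{domain_id}.{body}"
    return f"{payload}.{_digest(payload)}"


_MAPPING = re.compile(r"\{([^:{}]+):([^{}]*)\}")


def parse_approach_one(user_id: str):
    """Verify the digest and recover (domain_id, mappings) with no database call.
    Returns None if the id is malformed or its digest does not match (tampering)."""
    domain, _, rest = user_id.partition(".")
    body, _, digest = rest.rpartition(".")  # digest is base64url, so it has no '.'
    if not domain.isdigit() or not re.fullmatch(rf"(?:{_MAPPING.pattern})*", body):
        return None
    if not hmac.compare_digest(_digest(f"{domain}.{body}"), digest):
        return None
    return int(domain), dict(_MAPPING.findall(body))


def approach_two_id(domain_id: int, user_uuid=None) -> str:
    """{domain-id}.{random-uuid}; connector mappings are looked up in the database instead."""
    return f"{domain_id}.{(user_uuid or uuid.uuid4()).hex}"


def domain_of(user_id: str) -> int:
    """Both formats expose the domain id without a database call."""
    return int(user_id.partition(".")[0])


def id_changes_when_connector_added(domain_id, mappings, connector_id, connector_user_id) -> bool:
    """The con from the mail: adding a connector to the domain yields a different approach-one id."""
    before = approach_one_id(domain_id, mappings)
    after = approach_one_id(domain_id, {**mappings, connector_id: connector_user_id})
    return before != after
```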