On Mon, Jan 23, 2017 at 12:02 AM, Gayan Gunawardana <[email protected]> wrote:
> Attaching missing images.
>
> On Sun, Jan 22, 2017 at 11:49 PM, Gayan Gunawardana <[email protected]> wrote:
>
>> SCIM Overview and Concept
>>
>> SCIM originally stood for "Simplified Cloud Identity Management"; the name was later changed to "System for Cross-domain Identity Management". SCIM was originally developed for cloud services, but it was later understood that it is not bound to the cloud and can be used in purely on-premise scenarios as well. The new name reflects this idea.
>>
>> Originally SCIM was developed with three main actors.
>>
>> - CSP: Cloud Service Provider
>>   - A CSP is the entity which holds the identities of end users and also provides services for user management.
>> - ECS: Enterprise Cloud Subscriber
>>   - The ECS actor is a single entity which is given administrative responsibility to manage other identity accounts.
>> - CSU: Cloud Service User
>>   - A CSU represents the real cloud service end user.
>>
>> WSO2 Identity Server as a SCIM Provider
>>
>> According to the new definition of SCIM (System for Cross-domain Identity Management), WSO2 Identity Server can also act as a SCIM provider, which is similar to a Cloud Service Provider.
>>
>> - WSO2 Identity Server
>>   - Similar to the Cloud Service Provider. Provides services to manage end user identities.
>> - Authorized Entity for Provisioning
>>   - Similar to the Enterprise Cloud Subscriber. The Authorized Entity will be a single identity who has administrative privilege to manage end user accounts.
>> - End User
>>   - Similar to the Cloud Service User.
>>
>> How we have done things on C4
>>
>> In C4, up to Identity Server 5.3.0, we have been using SCIM only for provisioning users from external systems to Identity Server (inbound provisioning). Also in C4 we have a couple of SOAP services to manage user identities.
>>
>> UserAdmin: Used for Management Console user management operations.
>> RemoteUserStoreManagerService: Manage user identities in the user store remotely.
>> UserInformationRecoveryService: Self signup, username recovery, password recovery.
>>
>> Even though the above services have been implemented for different objectives, there is a lot of duplicated effort. For example, the add user operation is included in all three services. Sometimes when you switch among different services for the same functionality, for example from UserInformationRecoveryService → registerUser to the SCIM add user operation or the UserAdmin add user operation, you may find different data formats and performance issues due to the different implementations.
>>
>> What is new for C5?
>>
>> What we are proposing is to reuse the standard SCIM APIs for all user management functionalities. Since SCIM 2.0 provides more comprehensive user management functionalities, we can build a common layer to serve all user management use cases for different channels. Basically, the User Admin can manage other identity accounts via SCIM APIs without having a separate implementation.

Handling users/groups is an important aspect of IS and we should expose these capabilities as a product API too; when an industry-adopted standard is present we should not define our own APIs, hence +1 to use SCIM.

>> Further we can extend the usage of SCIM for identity management functionalities as well. For example, we can achieve self sign up by sending an anonymous SCIM request to the SCIM '/Me' endpoint.

+1, explore more on this. BTW this feature should be aligned with the self-signup feature of the user portal; I mean this should support the same level of validation, verification, security etc.

>> For some use cases we may need to do a custom implementation which might be outside the SCIM specification. For example, SCIM does not allow assigning roles to a user.

Can we use the SCIM extension model [1] [2] here?

[1] - https://tools.ietf.org/html/draft-scim-core-schema-00#section-4
[2] - http://wso2-oxygen-tank.10903.n7.nabble.com/Extending-SCIM-User-Schema-td80870.html

Thanks!

>> Finally, what we want to achieve is to replace the multiple user management APIs like UserAdmin, RemoteUserStoreManagerService and UserInformationRecoveryService with standard SCIM APIs.
>>
>> Much appreciate your suggestions and feedback.
>>
>> Thanks,
>> Gayan
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: [email protected]
>> Mobile: +94 (71) 8020933

--
Sagara Gunathunga
Associate Director / Architect; WSO2, Inc.; http://wso2.com
V.P Apache Web Services; http://ws.apache.org/
Linkedin; http://www.linkedin.com/in/ssagara
Blog ; http://ssagara.blogspot.com
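The two technical threads above (carrying role assignment, which the core SCIM User schema does not define, through the schema extension model, and accepting anonymous self-signup on '/Me' with the same validation as an administrative create on '/Users') can be shown with a small SCIM 2.0 request builder and validator. This is an added example and is not code from this thread or from WSO2 Identity Server. The core and enterprise schema URNs are the ones RFC 7643 defines; the roles extension URN and the attribute names under it are made up for illustration, and the request bodies are constructed samples.

```python
"""SCIM 2.0 User resources with schema extensions: build them, then validate
incoming request bodies (POST /Users or POST /Me) before touching a user store.
Added illustration, not code from the thread or from WSO2 Identity Server."""
import json
import re

# Schema URNs from RFC 7643 (core User, and the standard enterprise extension).
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Hypothetical custom extension carrying role assignments (assumption, not a
# registered URN and not WSO2's own schema).
ROLES_EXT = "urn:example:params:scim:schemas:extension:roles:1.0:User"

# Attributes the service provider assigns itself; a client that supplies them
# is either confused or trying to pick its own resource id.
READ_ONLY = {"id", "meta"}

# Extension attribute blocks are keyed at the top level by their schema URN.
_URN_RE = re.compile(r"^urn:[a-z0-9][a-z0-9-]{0,31}:", re.IGNORECASE)


def build_user(user_name, extensions=None):
    """Return a SCIM User dict. 'schemas' lists the core schema plus every
    extension actually used, and each extension's attributes sit under its URN."""
    extensions = extensions or {}
    resource = {"schemas": [CORE_USER] + sorted(extensions), "userName": user_name}
    for urn, attrs in extensions.items():
        resource[urn] = dict(attrs)
    return resource


def validate_user(resource):
    """Return a list of problems; an empty list means the resource is acceptable.
    Checks: 'schemas' names the core schema, userName is present, no read-only
    attributes were supplied, and every extension block used is declared."""
    problems = []
    schemas = resource.get("schemas")
    if not isinstance(schemas, list) or CORE_USER not in schemas:
        problems.append("schemas must be a list containing the core User schema")
        schemas = schemas if isinstance(schemas, list) else []
    if not resource.get("userName"):
        problems.append("userName is required")
    for attr in sorted(READ_ONLY & resource.keys()):
        problems.append(f"{attr} is read-only and must not be supplied by the client")
    used_ext = {k for k in resource if _URN_RE.match(k)}
    declared_ext = {s for s in schemas if s != CORE_USER}
    for urn in sorted(used_ext - declared_ext):
        problems.append(f"extension {urn} used but not declared in schemas")
    return problems


def parse_and_validate(body):
    """Parse a JSON request body and validate it. The same function serves an
    administrative POST /Users and an anonymous self-signup POST /Me, so both
    paths get identical checks rather than separate implementations."""
    try:
        resource = json.loads(body)
    except ValueError as exc:
        return [f"malformed JSON: {exc}"]
    if not isinstance(resource, dict):
        return ["resource must be a JSON object"]
    return validate_user(resource)


if __name__ == "__main__":
    user = build_user("alice", {
        ENTERPRISE_USER: {"department": "Engineering"},
        ROLES_EXT: {"roles": ["admin", "auditor"]},
    })
    print(json.dumps(user, indent=2))
    print(validate_user(user))
    # Constructed bad request: uses the roles extension without declaring it
    # and tries to choose its own id.
    bad = json.dumps({"schemas": [CORE_USER], "userName": "bob",
                      ROLES_EXT: {"roles": ["admin"]}, "id": "123"})
    print(parse_and_validate(bad))
```

The point of routing both '/Users' and '/Me' through `parse_and_validate` is the one made in the reply: a self-signup path must not become a second, weaker implementation of create-user. In a real deployment the '/Me' handler would additionally restrict which attributes an anonymous caller may set (for instance rejecting the roles extension outright), which is a policy check layered on top of the schema check shown here.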
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
