Hi,

In C5 we already have SCIM 2.0 for user and group management (this is the only user-management REST API we provide) and are not using SOAP-based services anymore.

For identity management we are also going to have a REST API, but not SCIM-based APIs. So +1 for Gayan's idea to use SCIM-based APIs for those as well. We can implement this in two steps:

1. Convert these identity management APIs to use the SCIM request/response format.
2. Implement them as SCIM extensions.

So +1 to start with step 1 and later go with step 2.

Thanks,
Ishara

On Mon, Jan 23, 2017 at 8:40 AM, Sagara Gunathunga <[email protected]> wrote:

> On Mon, Jan 23, 2017 at 12:02 AM, Gayan Gunawardana <[email protected]> wrote:
>
>> Attaching missing images.
>>
>> On Sun, Jan 22, 2017 at 11:49 PM, Gayan Gunawardana <[email protected]> wrote:
>>
>>> SCIM Overview and Concept
>>>
>>> SCIM stands for "Simplified Cloud Identity Management", and later it was
>>> changed to "System for Cross-domain Identity Management". SCIM was
>>> originally developed for cloud services, but it was later decided that it
>>> is not bound to the cloud and can be used in purely on-premise scenarios
>>> as well. The new name reflects this idea.
>>>
>>> Originally SCIM was developed with three main actors.
>>>
>>> - CSP: Cloud Service Provider
>>>   - A CSP is the entity which holds the identities of end users and also
>>>     provides services for user management.
>>> - ECS: Enterprise Cloud Subscriber
>>>   - The ECS actor is a single entity which is given administrative
>>>     responsibility to manage other identity accounts.
>>> - CSU: Cloud Service User
>>>   - A CSU represents the real cloud service end user.
>>>
>>> WSO2 Identity Server as a SCIM Provider
>>>
>>> According to the new definition of SCIM (System for Cross-domain Identity
>>> Management), WSO2 Identity Server can also act as a SCIM provider, which is
>>> similar to a Cloud Service Provider.
>>>
>>> - WSO2 Identity Server
>>>   - Similar to a Cloud Service Provider. Provides services to manage end
>>>     user identities.
>>> - Authorized Entity for Provisioning
>>>   - Similar to an Enterprise Cloud Subscriber. The Authorized Entity will
>>>     be a single identity who has administrative privilege to manage end
>>>     user accounts.
>>> - End User
>>>   - Similar to a Cloud Service User.
>>>
>>> How we have done things on C4
>>>
>>> In C4, up to Identity Server 5.3.0, we have been using SCIM only for
>>> provisioning users from an external system to Identity Server (inbound
>>> provisioning). Also in C4 we have a couple of SOAP services to manage user
>>> identities.
>>>
>>> UserAdmin: Used for Management Console user management operations.
>>>
>>> RemoteUserStoreManagerService: Manage user identities in the user store
>>> remotely.
>>>
>>> UserInformationRecoveryService: Self sign-up, username recovery, password
>>> recovery.
>>>
>>> Even though the above services have been implemented for different
>>> objectives, there is a lot of duplicated effort. For example, the add user
>>> operation is included in all three services. Sometimes when you switch
>>> among different services for the same functionality, for example from
>>> UserInformationRecoveryService -> registerUser to the SCIM add user
>>> operation or the UserAdmin add user operation, you may find different data
>>> formats and performance issues due to the different implementations.
>>>
>>> What is new for C5?
>>>
>>> What we are proposing is to reuse the standard SCIM APIs for all user
>>> management functionalities. Since SCIM 2.0 provides more comprehensive user
>>> management functionality, we can build a common layer to serve all user
>>> management use cases for different channels. Basically, the User Admin can
>>> manage other identity accounts via SCIM APIs without a separate
>>> implementation.
>>>
>
> Handling users/groups is an important aspect of IS and we should expose
> these capabilities as a product API too. When an industry-adopted standard
> is present we should not define our own APIs, hence +1 to use SCIM.
>
>>> Further, we can extend the usage of SCIM to identity management
>>> functionalities as well. For example, we can achieve self sign-up by
>>> sending an anonymous SCIM request to the SCIM '/Me' endpoint.
>>>
>
> +1, explore more on this. BTW, this feature should be aligned with the
> self-signup feature of the user portal; I mean this should support the same
> level of validation, verification, security etc.
>
>>> For some use cases we may need to do a custom implementation which might
>>> be outside the SCIM specification. For example, SCIM does not allow
>>> assigning roles to a user.
>>>
>
> Can we use the SCIM extension model [1] [2] here?
>
> [1] - https://tools.ietf.org/html/draft-scim-core-schema-00#section-4
> [2] - http://wso2-oxygen-tank.10903.n7.nabble.com/Extending-SCIM-User-Schema-td80870.html
>
> Thanks !
>
>>> Finally, what we want to achieve is to replace the multiple user
>>> management APIs like UserAdmin, RemoteUserStoreManagerService and
>>> UserInformationRecoveryService with the standard SCIM APIs.
>>>
>>> Much appreciate your suggestions and feedback.
>>>
>>> Thanks,
>>> Gayan
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: [email protected]
>>> Mobile: +94 (71) 8020933
>>
>> --
>> Gayan Gunawardana
>> Software Engineer; WSO2 Inc.; http://wso2.com/
>> Email: [email protected]
>> Mobile: +94 (71) 8020933
>
> --
> Sagara Gunathunga
>
> Associate Director / Architect; WSO2, Inc.; http://wso2.com
> V.P Apache Web Services; http://ws.apache.org/
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ; http://ssagara.blogspot.com

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
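Added example, not code from WSO2 or from anyone in this thread: a server-side check of a SCIM 2.0 create-user request in the shape the thread proposes to reuse for every user-management channel. It is written in Python because the point is the RFC 7643/7644 JSON format rather than any product API. It covers the two open items above: a schema extension for role assignment (the `urn:example:...` URN is a hypothetical placeholder, since RFC 7643 defines no role attribute and step 2 of the proposal would add one as an extension) and the anonymous self sign-up path via `/Me`, which must not inherit the admin channel's ability to set roles. The sample requests are constructed for this example.

```python
"""Added example (not WSO2 code): validating a SCIM 2.0 create-user body.

Assumptions: ROLES_EXT is a hypothetical extension URN standing in for the
role-assignment extension step 2 of the proposal would define; the sample
requests below are constructed, not captured from a real deployment.
"""
import copy

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
ROLES_EXT = "urn:example:scim:schemas:extension:roles:2.0:User"  # hypothetical
ERROR_MSG = "urn:ietf:params:scim:api:messages:2.0:Error"

KNOWN_SCHEMAS = {CORE_USER, ENTERPRISE_USER, ROLES_EXT}
# Core attributes with mutability "readOnly": the service provider owns them,
# so client-supplied values are discarded rather than honoured.
SERVER_OWNED = {"id", "meta", "groups"}


def scim_error(status, scim_type, detail):
    """Error response body in the RFC 7644 section 3.12 format."""
    return {"schemas": [ERROR_MSG], "status": str(status),
            "scimType": scim_type, "detail": detail}


def validate_create_user(body, anonymous=False):
    """Check a POST /Users body, or an anonymous POST /Me self sign-up body.

    Returns (resource, None) when acceptable, otherwise (None, error).
    With anonymous=True the roles extension is refused: an unauthenticated
    self sign-up caller must not be able to choose its own privileges, which
    is the "same level of validation and security" point raised in the thread.
    """
    if not isinstance(body, dict):
        return None, scim_error(400, "invalidSyntax", "request body must be a JSON object")
    schemas = body.get("schemas")
    if not isinstance(schemas, list) or CORE_USER not in schemas:
        return None, scim_error(400, "invalidValue", "schemas must include " + CORE_USER)
    unknown = sorted(set(schemas) - KNOWN_SCHEMAS)
    if unknown:
        return None, scim_error(400, "invalidValue", "unsupported schema(s): " + ", ".join(unknown))
    if not isinstance(body.get("userName"), str) or not body["userName"].strip():
        return None, scim_error(400, "invalidValue", "userName is required")
    # Extension attributes are nested under their URN and count only when that
    # URN is also declared in "schemas"; an undeclared URN is a malformed request.
    for key in body:
        if key.startswith("urn:") and key not in schemas:
            return None, scim_error(400, "invalidValue", f"extension {key} not declared in schemas")
    if anonymous and ROLES_EXT in schemas:
        return None, scim_error(403, "invalidValue", "self sign-up requests may not assign roles")
    resource = copy.deepcopy(body)
    for attr in SERVER_OWNED:
        resource.pop(attr, None)  # e.g. a client-chosen "id" is never accepted
    return resource, None


def sample_request(with_roles):
    """Constructed sample create request for demonstration only."""
    req = {
        "schemas": [CORE_USER, ENTERPRISE_USER],
        "userName": "jdoe",
        "name": {"givenName": "Jane", "familyName": "Doe"},
        "emails": [{"value": "jdoe@example.com", "primary": True}],
        "id": "client-chosen-id",  # read-only attribute: must be discarded
        ENTERPRISE_USER: {"department": "Engineering"},
    }
    if with_roles:
        req["schemas"].append(ROLES_EXT)
        req[ROLES_EXT] = {"roles": [{"value": "admin"}]}
    return req


if __name__ == "__main__":
    import json
    res, err = validate_create_user(sample_request(with_roles=True))
    print("admin POST /Users:", json.dumps(res if err is None else err, indent=1))
    res, err = validate_create_user(sample_request(with_roles=True), anonymous=True)
    print("anonymous POST /Me:", json.dumps(res if err is None else err, indent=1))
```

The same validator serves both channels; only the `anonymous` flag differs, which is the practical meaning of building one SCIM layer for admin and self-service use and then attaching channel-specific policy on top of it.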
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
