Hi Ishara, Gayan,

On Mon, Jan 23, 2017 at 9:46 AM, Ishara Karunarathna <[email protected]> wrote:

> Hi,
>
> In C5 we already have SCIM 2.0 for User and Group management (this is the only user management REST API we provide) and are not using SOAP-based services anymore.
>
> And for identity management we are also going to have REST APIs, but not SCIM-based APIs.
> So +1 for Gayan's idea to use SCIM-based APIs for those as well.
>

In IS 5.3.0 we implemented REST APIs for Identity Management features like Password Recovery and Self Registration. What are the advantages of using SCIM APIs to support Identity Management functionalities?

Thanks,
Isura.

> We can implement this in two steps.
> 1. Convert these identity management APIs to use the SCIM request/response format.
> 2. Implement them as SCIM extensions.
>
> So +1 to start with step 1 and later go with 2.
>
> Thanks,
> Ishara
>
> On Mon, Jan 23, 2017 at 8:40 AM, Sagara Gunathunga <[email protected]> wrote:
>
>> On Mon, Jan 23, 2017 at 12:02 AM, Gayan Gunawardana <[email protected]> wrote:
>>
>>> Attaching missing images.
>>>
>>> On Sun, Jan 22, 2017 at 11:49 PM, Gayan Gunawardana <[email protected]> wrote:
>>>
>>>> SCIM Overview and Concept
>>>>
>>>> SCIM originally stood for “Simplified Cloud Identity Management” and was later changed to “System for Cross-domain Identity Management”. SCIM was originally developed for cloud services, but it was later understood that it is not bound to the cloud and can be used in purely on-premise scenarios as well. The new name reflects this idea.
>>>>
>>>> Originally SCIM was developed with three main actors.
>>>>
>>>> - CSP: Cloud Service Provider
>>>>   - A CSP is the entity which holds the identities of end users and also provides services for user management.
>>>> - ECS: Enterprise Cloud Subscriber
>>>>   - The ECS actor is a single entity which is given administrative responsibility to manage other identity accounts.
>>>> - CSU: Cloud Service User
>>>>   - A CSU represents the real cloud service end user.
>>>>
>>>> WSO2 Identity Server as a SCIM Provider
>>>>
>>>> According to the new definition of SCIM (System for Cross-domain Identity Management), WSO2 Identity Server can also act as a SCIM provider, which is similar to a Cloud Service Provider.
>>>>
>>>> - WSO2 Identity Server
>>>>   - Similar to the Cloud Service Provider. Provides services to manage end user identities.
>>>> - Authorized Entity for Provisioning
>>>>   - Similar to the Enterprise Cloud Subscriber. The Authorized Entity will be a single identity who has administrative privilege to manage end user accounts.
>>>> - End User
>>>>   - Similar to the Cloud Service User.
>>>>
>>>> How we have done things on C4
>>>>
>>>> In C4, up to Identity Server 5.3.0, we have been using SCIM only for provisioning users from external systems to Identity Server (Inbound Provisioning). Also in C4 we have a couple of SOAP services to manage user identities.
>>>>
>>>> UserAdmin: Used for Management Console user management operations.
>>>>
>>>> RemoteUserStoreManagerService: Manage user identities in the user store remotely.
>>>>
>>>> UserInformationRecoveryService: Self signup, Username recovery, Password recovery
>>>>
>>>> Even though the above services have been implemented for different objectives, there is a lot of duplicated effort. For example, the add user operation is included in all three services. Sometimes when you switch among different services for the same functionality, for example from UserInformationRecoveryService → registerUser to the SCIM add user operation or the UserAdmin add user operation, you may find different data formats and performance issues due to the different implementations.
>>>>
>>>> What is new for C5?
>>>>
>>>> What we are proposing is to reuse standard SCIM APIs for all user management functionalities. Since SCIM 2.0 provides more comprehensive user management functionalities, we can build a common layer to serve all user management use cases for different channels. Basically a User Admin can manage other identity accounts via SCIM APIs without having a separate implementation.
>>>>
>>
>> Handling users/groups is an important aspect of IS and we should expose these capabilities as a product API too; when an industry-adopted standard is present we should not define our own APIs, hence +1 to use SCIM.
>>
>>>> Further we can extend the usage of SCIM for identity management functionalities as well. For example, we can achieve self sign up by sending an anonymous SCIM request to the SCIM '/Me' endpoint.
>>>>
>>
>> +1, explore more on this. BTW this feature should be aligned with the self-signup feature of user-portal; I mean this should support the same level of validation, verification, security etc.
>>
>>>> For some use cases we may need to do a custom implementation which might be outside the SCIM specification. For example, SCIM does not allow assigning roles to a user.
>>>>
>>
>> Can we use the SCIM extension model [1] [2] here?
>>
>> [1] - https://tools.ietf.org/html/draft-scim-core-schema-00#section-4
>> [2] - http://wso2-oxygen-tank.10903.n7.nabble.com/Extending-SCIM-User-Schema-td80870.html
>>
>> Thanks !
>>
>>>> Finally, what we want to achieve is to replace multiple user management APIs like UserAdmin, RemoteUserStoreManagerService and UserInformationRecoveryService with standard SCIM APIs.
>>>>
>>>> Much appreciate your suggestions and feedback.
>>>>
>>>> Thanks,
>>>> Gayan
>>>>
>>>> --
>>>> Gayan Gunawardana
>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>> Email: [email protected]
>>>> Mobile: +94 (71) 8020933
>>>
>>> --
>>> Gayan Gunawardana
>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>> Email: [email protected]
>>> Mobile: +94 (71) 8020933
>>
>> --
>> Sagara Gunathunga
>>
>> Associate Director / Architect; WSO2, Inc.; http://wso2.com
>> V.P Apache Web Services; http://ws.apache.org/
>> Linkedin; http://www.linkedin.com/in/ssagara
>> Blog ; http://ssagara.blogspot.com
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>
> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
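The thread proposes serving both the admin path (POST /Users) and anonymous self sign-up (a request to /Me) through one SCIM 2.0 layer, and Sagara's comment that self-signup must keep the same level of validation and security, plus the idea of carrying roles in a SCIM schema extension, point at the one check that layer cannot skip: an unauthenticated self-registration payload must not be able to set privileged attributes. The following Python is an added example (not WSO2 Identity Server code and not from anyone on the thread) of a shared payload validator that applies that rule. The schema URNs for the core User and enterprise extension are the real ones from RFC 7643; the roles extension URN `urn:example:scim:schemas:extension:roles:1.0:User`, the userName pattern, the list of forbidden self-registration attributes and the sample payloads are all constructed assumptions for illustration.

```python
import re

# SCIM 2.0 schema URIs defined in RFC 7643.
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
# Hypothetical vendor extension for role assignment (assumption: the thread
# notes roles are outside the SCIM core schema, so a deployment would define
# its own extension; this URN is invented for the example).
ROLES_EXT = "urn:example:scim:schemas:extension:roles:1.0:User"

# Policy (assumed for the example): attributes an anonymous self-registration
# request may never set. "groups", "id" and "meta" are readOnly in RFC 7643;
# "active" and the roles extension would let a caller grant itself privileges.
SELF_REG_FORBIDDEN = {"groups", "active", "id", "meta"}
SELF_REG_FORBIDDEN_SCHEMAS = {ROLES_EXT}
KNOWN_SCHEMAS = {CORE_USER, ENTERPRISE_USER, ROLES_EXT}

# Assumed userName policy: 3-64 chars of letters, digits, '.', '_', '@', '-'.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{3,64}$")


def validate_scim_user(payload: dict, self_registration: bool) -> list:
    """Return a list of validation errors; an empty list means accept.

    The same checks run for the admin path and the self-registration path;
    self_registration=True adds the privilege restrictions on top.
    """
    errors = []
    schemas = payload.get("schemas")
    if not isinstance(schemas, list) or CORE_USER not in schemas:
        errors.append("schemas must list " + CORE_USER)
        schemas = schemas if isinstance(schemas, list) else []

    # Every URN in 'schemas' must be one the server understands, and every
    # extension object in the body must be declared in 'schemas'.
    for uri in schemas:
        if uri not in KNOWN_SCHEMAS:
            errors.append("unknown schema " + uri)
    for key in payload:
        if key.startswith("urn:") and key not in schemas:
            errors.append("extension %s used but not declared in schemas" % key)

    user_name = payload.get("userName")
    if not isinstance(user_name, str) or not USERNAME_RE.match(user_name):
        errors.append("userName missing or malformed")

    if self_registration:
        for attr in sorted(SELF_REG_FORBIDDEN & set(payload)):
            errors.append("self-registration may not set " + attr)
        for uri in sorted(SELF_REG_FORBIDDEN_SCHEMAS & set(payload)):
            errors.append("self-registration may not set extension " + uri)
    return errors


def scim_error_response(errors: list) -> dict:
    """Build the RFC 7644 error body a SCIM server returns on rejection."""
    return {
        "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error"],
        "status": "400",
        "scimType": "invalidValue",
        "detail": "; ".join(errors),
    }


# Constructed sample payloads.
ADMIN_CREATE = {  # authenticated admin creating a user with a role extension
    "schemas": [CORE_USER, ENTERPRISE_USER, ROLES_EXT],
    "userName": "alice@example.com",
    "name": {"givenName": "Alice", "familyName": "Example"},
    "emails": [{"value": "alice@example.com", "primary": True}],
    ENTERPRISE_USER: {"department": "Engineering"},
    ROLES_EXT: {"roles": ["Internal/subscriber"]},
}
SELF_REG_OK = {  # anonymous self sign-up setting only what it is allowed to
    "schemas": [CORE_USER],
    "userName": "bob.smith",
    "password": "correct horse battery staple",
    "emails": [{"value": "bob@example.com", "primary": True}],
}
SELF_REG_PRIVILEGED = {  # self sign-up that also tries to set privileged data
    "schemas": [CORE_USER, ROLES_EXT],
    "userName": "carol",
    "active": True,
    "groups": [{"value": "admin"}],
    ROLES_EXT: {"roles": ["admin"]},
}

if __name__ == "__main__":
    for name, body, self_reg in [("admin", ADMIN_CREATE, False),
                                 ("self-reg ok", SELF_REG_OK, True),
                                 ("self-reg privileged", SELF_REG_PRIVILEGED, True)]:
        errs = validate_scim_user(body, self_reg)
        print(name, "->", "accepted" if not errs else scim_error_response(errs))
```

The point of running one validator with a mode flag rather than two code paths is that the SCIM schema checks (declared extensions, known URNs, userName format) cannot drift between the admin API and the self-registration API, which is exactly the duplication problem Gayan describes for the C4 SOAP services; only the privilege restrictions differ, and they are a single explicit allow/deny list that a reviewer can audit.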
