Hi All, Thanks for suggestions.
On Mon, Jan 23, 2017 at 5:14 PM, Isura Karunaratne <[email protected]> wrote:
> Hi Ishara, Gayan,
>
> On Mon, Jan 23, 2017 at 9:46 AM, Ishara Karunarathna <[email protected]> wrote:
>> Hi,
>>
>> In C5 we already have SCIM 2.0 for User and Group management (this is the only user management REST API we provide) and are not using SOAP-based services anymore.
>>
>> And for identity management we are also going to have a REST API, but not SCIM-based APIs.
>> So +1 for Gayan's idea to use SCIM-based APIs for those as well.
>
> In IS 5.3.0 we implemented REST APIs for Identity Management features like Password Recovery and Self Registration. What are the advantages of using SCIM APIs to support Identity Management functionalities?
>
> Thanks
> Isura.
>
>> We can implement this in two steps.
>> 1. Convert these identity management APIs to use the SCIM request/response format.
>> 2. Implement as SCIM extensions.
>>
>> So +1 to start with step 1 and later go with 2.
>> Thanks,
>> Ishara
>>
>> On Mon, Jan 23, 2017 at 8:40 AM, Sagara Gunathunga <[email protected]> wrote:
>>> On Mon, Jan 23, 2017 at 12:02 AM, Gayan Gunawardana <[email protected]> wrote:
>>>> Attaching missing images.
>>>>
>>>> On Sun, Jan 22, 2017 at 11:49 PM, Gayan Gunawardana <[email protected]> wrote:
>>>>> SCIM Overview and Concept
>>>>> SCIM stands for "Simplified Cloud Identity Management" and later it was changed to "System for Cross-domain Identity Management". SCIM was originally developed for Cloud services, but with later understanding it was decided that it was not bound to the Cloud and can be used in purely on-premise scenarios as well. The new name reflects the above idea.
>>>>>
>>>>> Originally SCIM was developed with three main actors.
>>>>>
>>>>> - CSP: Cloud Service Provider
>>>>>   - A CSP is the entity which holds the identities of end users and also provides services for user management.
>>>>> - ECS: Enterprise Cloud Subscriber
>>>>>   - The ECS actor is a single entity which is given administrative responsibility to manage other identity accounts.
>>>>> - CSU: Cloud Service User
>>>>>   - A CSU represents the real cloud service end user.
>>>>>
>>>>> WSO2 Identity Server as a SCIM Provider
>>>>> According to the new definition of SCIM (System for Cross-domain Identity Management), WSO2 Identity Server can also act as a SCIM provider, which is similar to a Cloud Service Provider.
>>>>>
>>>>> - WSO2 Identity Server
>>>>>   - Similar to Cloud Service Provider. Provides services to manage end user identities.
>>>>> - Authorized Entity for Provisioning
>>>>>   - Similar to Enterprise Cloud Subscriber. The Authorized Entity will be a single identity who has administrative privilege to manage end user accounts.
>>>>> - End User
>>>>>   - Similar to Cloud Service User.
>>>>>
>>>>> How we have done things on C4
>>>>> In C4, up to Identity Server 5.3.0, we have been using SCIM only for provisioning users from an external system to Identity Server (Inbound Provisioning). Also in C4 we have a couple of SOAP services to manage user identities.
>>>>>
>>>>> UserAdmin: Used for Management Console user management operations.
>>>>>
>>>>> RemoteUserStoreManagerService: Manage user identities in the user store remotely.
>>>>>
>>>>> UserInformationRecoveryService: Self signup, Username recovery, Password recovery
>>>>>
>>>>> Even though the above services have been implemented for different objectives, there is a lot of duplicated effort. For example, the add user operation is included in all three services. Sometimes when you switch among different services for the same functionality, for example from UserInformationRecoveryService → registerUser to the SCIM add user operation or the UserAdmin add user operation, you may find different data formats and performance issues due to the different implementations.
>>>>>
>>>>> What is new for C5?
>>>>> What we are proposing is to reuse standard SCIM APIs for all user management functionalities. Since SCIM 2.0 provides more comprehensive user management functionalities, we can build a common layer to serve all user management use cases for different channels. Basically a User Admin can manage other identity accounts via SCIM APIs without having a separate implementation.
>>>
>>> Handling users/groups is an important aspect of IS and we should expose these capabilities as a product API too; when an industry-adopted standard is present we should not define our own APIs, hence +1 to use SCIM.
>>>
>>>>> Further, we can extend the usage of SCIM for identity management functionalities as well. For example, we can achieve self sign up by sending an anonymous SCIM request to the SCIM '/Me' endpoint.
>>>
>>> +1, explore more on this. BTW this feature should be aligned with the self-signup feature of user-portal, I mean this should support the same level of validation, verification, security etc.
>>
>> Yes, this is aligned with the self-sign up feature [1] and security considerations are also mentioned in [2].
>> [1] https://tools.ietf.org/html/rfc7644#section-3.11
>> [2] https://tools.ietf.org/html/rfc7644#section-7.6
>>
>>>>> For some use cases we may need to do a custom implementation which might be outside the SCIM specification. For example, SCIM does not allow assigning roles to a user.
>>>
>>> Can we use the SCIM extension model [1] [2] here?
>>
>> Yes, we already have the extended schema "urn:scim:schemas:extension:wso2:1.0:wso2Extension".
>>
>>> [1] - https://tools.ietf.org/html/draft-scim-core-schema-00#section-4
>>> [2] - http://wso2-oxygen-tank.10903.n7.nabble.com/Extending-SCIM-User-Schema-td80870.html
>>>
>>> Thanks!
>>>
>>>>> Finally, what we want to achieve is to alter multiple user management APIs like UserAdmin, RemoteUserStoreManagerService and UserInformationRecoveryService with standard SCIM APIs.
>>>>>
>>>>> Much appreciate your suggestions and feedback.
>>>>>
>>>>> Thanks,
>>>>> Gayan
>>>>>
>>>>> --
>>>>> Gayan Gunawardana
>>>>> Software Engineer; WSO2 Inc.; http://wso2.com/
>>>>> Email: [email protected]
>>>>> Mobile: +94 (71) 8020933
>>>
>>> --
>>> Sagara Gunathunga
>>>
>>> Associate Director / Architect; WSO2, Inc.; http://wso2.com
>>> V.P Apache Web Services; http://ws.apache.org/
>>> Linkedin; http://www.linkedin.com/in/ssagara
>>> Blog ; http://ssagara.blogspot.com
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
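As an added example (not code from this thread or from WSO2), a server-side validator for the anonymous SCIM '/Me' self-registration request Gayan proposes, applying the RFC 7644 section 7.6 precautions Ishara cites: only the core User schema and the wso2Extension are accepted, server-assigned and privilege-bearing attributes are rejected with a SCIM error body, and the new account is left inactive until its e-mail address is verified. The `department` allow-list entry and both sample requests are constructed assumptions.

```python
CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
WSO2_EXT = "urn:scim:schemas:extension:wso2:1.0:wso2Extension"  # schema URI named in the thread
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"

# Core attributes an anonymous caller must not set: server-assigned (id, meta),
# readOnly (groups) or privilege-bearing (roles, entitlements). "active" is
# reserved so the account stays inactive until the address is verified.
FORBIDDEN_CORE = {"id", "meta", "groups", "active", "roles", "entitlements"}
# Hypothetical allow-list for the WSO2 extension; any other extension
# attribute (such as a role assignment) is treated as privileged.
ALLOWED_EXT = {"department"}


def scim_error(detail, scim_type="invalidValue"):
    """Build a SCIM 2.0 error response body (RFC 7644 section 3.12)."""
    return {"schemas": [SCIM_ERROR], "status": "400",
            "scimType": scim_type, "detail": detail}


def validate_self_registration(body):
    """Police an anonymous POST /Me body. Returns (resource, None) or (None, error)."""
    schemas = set(body.get("schemas", []))
    if CORE_USER not in schemas:
        return None, scim_error("core User schema missing", "invalidSyntax")
    if not schemas <= {CORE_USER, WSO2_EXT}:
        return None, scim_error("schema not accepted from anonymous callers")
    for attr in ("userName", "password"):
        if not body.get(attr):
            return None, scim_error(f"{attr} is required for self-registration")
    emails = body.get("emails", [])
    if not any(isinstance(e, dict) and e.get("value") for e in emails):
        return None, scim_error("a verifiable e-mail address is required")
    bad = FORBIDDEN_CORE & set(body)
    if bad:
        return None, scim_error(f"anonymous request may not set {sorted(bad)}", "mutability")
    ext_bad = set(body.get(WSO2_EXT, {})) - ALLOWED_EXT
    if ext_bad:
        return None, scim_error(f"extension attributes not allowed: {sorted(ext_bad)}", "mutability")
    accepted = dict(body)
    accepted["active"] = False  # activated only after e-mail verification
    return accepted, None


# Constructed sample requests (not captured traffic).
GOOD_REQUEST = {"schemas": [CORE_USER, WSO2_EXT], "userName": "alice",
                "password": "correct horse battery staple",
                "emails": [{"value": "alice@example.com", "primary": True}],
                "name": {"givenName": "Alice"}, WSO2_EXT: {"department": "Sales"}}
# Same body, but carrying a role through the extension schema; must be refused.
ROLE_SMUGGLING_REQUEST = {**GOOD_REQUEST, WSO2_EXT: {"role": "admin"}}

if __name__ == "__main__":
    for req in (GOOD_REQUEST, ROLE_SMUGGLING_REQUEST):
        print(validate_self_registration(req))
```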
