On Tue, Mar 7, 2017 at 2:12 PM, Ishara Karunarathna <[email protected]> wrote:
> Hi Johann,
>
> On Mon, Feb 27, 2017 at 10:51 AM, Johann Nallathamby <[email protected]> wrote:
>
>> In claims based identity management we MUST have an "Issuer" for each claim.
>> Each claim is made by an issuer, and you trust the claim only as much as you
>> trust the issuer.
>>
>> For example, you will trust a claim made by your organization's internal IDP
>> connected to the internal identity store more than you trust a claim made by
>> the user himself.
>
> Are we going to use this within the server? For example, we can write a
> policy using the issuer of the claims.

Yes, that's the idea.

> And do we expect to send this information to connecting service providers?
> If so, it may be a custom attribute that we need to send to customers, such
> as an authenticated IDP list.

Have to check the SAML2 spec properly, but I am thinking whether it in fact
supports this as part of the standard itself. Can we have multiple assertions
in a SAML2 response, with each assertion issued by a different issuer? Then
there can be attribute statements under each assertion that contain the claims
issued by that particular issuer. We may be able to come up with something
semantically similar for JWT (OIDC).

The question that came to mind is how we store the issuer values for the
claims, because the claims themselves are stored as attributes in LDAP user
stores. Then how can we have an associated property for the attribute which
specifies the issuer?

What I thought was that we should be able to use the issuer value for
processing requests on the fly, e.g. authorization, etc. But if we want to
store them we need to be able to use our multiple user domain feature to split
the user profile by issuer and store it in multiple identity stores. This way
each identity store will contain attributes from one issuer if we want to
provision them. I think most other implementations out there also mention
their identity store as the issuer.

Regards,
Johann.
> -Ishara
>
>> Our current "Claim" object model contains the following attributes [1]:
>> 1. Dialect URI
>> 2. Claim URI
>> 3. Value
>>
>> Can we add an "Issuer" attribute to this model as well?
>>
>> [1] https://github.com/wso2/carbon-identity-mgt/blob/master/components/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/claim/Claim.java
>>
>> Regards,
>> Johann.
>>
>> --
>> Johann Dilantha Nallathamby
>> Technical Lead & Product Lead of WSO2 Identity Server
>> Governance Technologies Team
>> WSO2, Inc.
>> lean.enterprise.middleware
>>
>> Mobile - +94777776950
>> Blog - http://nallaa.wordpress.com
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>
> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791

--
Thanks & Regards,
Johann Dilantha Nallathamby
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - +94777776950
Blog - http://nallaa.wordpress.com
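Added example (not code from the thread and not WSO2's carbon-identity-mgt): a Java sketch of a Claim carrying the three attributes listed above plus the proposed "Issuer", together with the kind of issuer-based policy Ishara asks about. The point it shows is the trust rule Johann states: the same claim URI may be asserted by several issuers, and a consumer should accept a claim only from an issuer trusted for that claim, so a user-asserted "role" claim is ignored while the internal IDP's is honoured. Every identifier here (class name, claim URIs, issuer URLs, the sample profile) is an assumption made up for the example; it needs Java 16 or later for the record type.

```java
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

// Hypothetical model, not WSO2's Claim.java: Dialect URI, Claim URI and Value
// from the thread, plus the proposed issuer attribute.
public final class IssuerAwareClaims {

    public record Claim(String dialectUri, String claimUri, String value, String issuer) {}

    // Constructed sample identifiers (assumptions for this example only).
    static final String DIALECT = "http://example.org/claims";
    static final String ROLE_URI = DIALECT + "/role";
    static final String EMAIL_URI = DIALECT + "/emailaddress";
    static final String DISPLAY_NAME_URI = DIALECT + "/displayName";
    static final String INTERNAL_IDP = "https://idp.internal.example";
    static final String SELF_ASSERTED = "urn:example:self-asserted";
    static final String UNKNOWN_ISSUER = "https://partner.example";

    // Issuer trust policy: the claim URIs each issuer is trusted to assert.
    // The user may assert a display name about themselves, but not roles or
    // a verified e-mail address; issuers absent from the map are untrusted.
    private static final Map<String, Set<String>> TRUSTED_ISSUERS = Map.of(
            INTERNAL_IDP, Set.of(ROLE_URI, EMAIL_URI, DISPLAY_NAME_URI),
            SELF_ASSERTED, Set.of(DISPLAY_NAME_URI));

    // A claim is usable only if its issuer is trusted for that claim URI.
    public static boolean isTrusted(Claim claim) {
        Set<String> allowed = TRUSTED_ISSUERS.get(claim.issuer());
        return allowed != null && allowed.contains(claim.claimUri());
    }

    // Resolve a claim URI from a merged profile, skipping untrusted issuers.
    public static Optional<Claim> resolve(List<Claim> claims, String claimUri) {
        return claims.stream()
                .filter(c -> claimUri.equals(c.claimUri()))
                .filter(IssuerAwareClaims::isTrusted)
                .findFirst();
    }

    // Authorization decision that depends on who issued the role claim.
    public static boolean hasRole(List<Claim> claims, String role) {
        return claims.stream()
                .filter(c -> ROLE_URI.equals(c.claimUri()))
                .filter(IssuerAwareClaims::isTrusted)
                .anyMatch(c -> role.equals(c.value()));
    }

    public static void main(String[] args) {
        // Constructed profile: the same claim URIs asserted by different issuers.
        List<Claim> profile = List.of(
                new Claim(DIALECT, ROLE_URI, "admin", SELF_ASSERTED),
                new Claim(DIALECT, ROLE_URI, "employee", INTERNAL_IDP),
                new Claim(DIALECT, EMAIL_URI, "alice@partner.example", UNKNOWN_ISSUER),
                new Claim(DIALECT, EMAIL_URI, "alice@internal.example", INTERNAL_IDP),
                new Claim(DIALECT, DISPLAY_NAME_URI, "Alice", SELF_ASSERTED));

        System.out.println("admin via self-asserted claim: " + hasRole(profile, "admin"));
        System.out.println("employee via internal IDP: " + hasRole(profile, "employee"));
        System.out.println("email resolved to: "
                + resolve(profile, EMAIL_URI).map(Claim::value).orElse("<none>"));
        System.out.println("display name resolved to: "
                + resolve(profile, DISPLAY_NAME_URI).map(Claim::value).orElse("<none>"));
    }
}
```

The policy is keyed on (issuer, claim URI) rather than on the issuer alone, which matches the thread's observation that a user can be a legitimate issuer of some claims about themselves without being trusted for others. If the issuer were instead implied by which identity store the attribute was read from, as Johann suggests for the multi-user-domain case, the store name would take the place of the issuer string here and the rest of the check would be unchanged.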
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
