+1 for issuer - but please plan this post IS 6.0.0

Thanks & regards,
-Prabath

On Tue, Mar 7, 2017 at 11:16 AM, Johann Nallathamby <[email protected]> wrote:

> On Tue, Mar 7, 2017 at 2:12 PM, Ishara Karunarathna <[email protected]> wrote:
>
>> Hi Johann,
>>
>> On Mon, Feb 27, 2017 at 10:51 AM, Johann Nallathamby <[email protected]> wrote:
>>
>>> In claims based identity management we MUST have an "Issuer" for each claim. Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer.
>>>
>>> For example, you will trust a claim made by your organization's internal IDP connected to the internal identity store more than you trust a claim made by the user himself.
>>
>> Are we going to use this within the server? For example, we can write a policy using the issuer of the claims.
>
> Yes, that's the idea.
>
>> And do we expect to send this information to connecting service providers? If so, it may be a custom attribute that we need to send to customers, such as an authenticated IDP list.
>
> Have to check the SAML2 spec properly, but I am thinking if it in fact supports this as part of the standard itself. Can we have multiple assertions in a SAML2 response with each assertion issued by a different issuer? Then there can be attribute statements under each assertion that can contain the claims issued by that particular issuer.
>
> We may be able to come up with something semantic that is similar for JWT (OIDC).
>
> The question that came to mind is how do we store the issuer values for the claims? Because the claims themselves are stored as attributes in LDAP user stores. Then how can we have an associated property for the attribute which specifies the issuer? What I thought was we should be able to use the issuer value for processing requests on the fly, e.g. authorization, etc. But if we want to store them we need to be able to use our multiple user domain feature to split the user profile by issuer and store in multiple identity stores. This way each identity store will contain attributes from one issuer if we want to provision them. I think most other implementations out there also mention their identity store as the issuer.
>
> Regards,
> Johann.
>
>> -Ishara
>>
>>> Our current "Claim" object model contains the following attributes [1].
>>> 1. Dialect URI
>>> 2. Claim URI
>>> 3. Value
>>>
>>> Can we add an "Issuer" attribute also to this model?
>>>
>>> [1] https://github.com/wso2/carbon-identity-mgt/blob/master/components/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/claim/Claim.java
>>>
>>> Regards,
>>> Johann.
>>>
>>> --
>>> Johann Dilantha Nallathamby
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile - +94777776950
>>> Blog - http://nallaa.wordpress.com
>>
>> --
>> Ishara Karunarathna
>> Associate Technical Lead
>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>
>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>
> --
> Thanks & Regards,
>
> Johann Dilantha Nallathamby
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - +94777776950
> Blog - http://nallaa.wordpress.com

--
Thanks & Regards,
Prabath

Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
http://facilelogin.com
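The model change discussed in the thread (adding an "Issuer" to the Dialect URI / Claim URI / Value triple) and the follow-up idea of writing policy against the issuer, shown as an added example. This is hypothetical code written for this page, not WSO2's Claim.java or any carbon-identity-mgt API: the `Claim` record, the issuer identifiers, the trust ranking and the two policy helpers are all assumptions, and the sample claims are constructed. It illustrates the point that a claim is only as trustworthy as its issuer: a self-asserted "admin" role does not satisfy a requirement that demands an internal-IDP-issued claim, conflicting values for one claim URI resolve in favour of the most trusted issuer, and a claim from an issuer the server does not recognise is never used.

```java
import java.util.Comparator;
import java.util.List;
import java.util.Map;
import java.util.Optional;

/**
 * Added example, not project code: an issuer-aware claim model and an
 * issuer-trust policy. All names and values below are assumptions.
 */
public final class IssuerAwareClaims {

    /** Hypothetical claim: the three existing attributes plus the issuer that made the claim. */
    public record Claim(String dialectUri, String claimUri, String value, String issuer) {}

    // Constructed issuer identifiers (assumptions, not real deployments).
    public static final String INTERNAL_IDP  = "https://idp.internal.example";
    public static final String PARTNER_IDP   = "https://idp.partner.example";
    public static final String SELF_ASSERTED = "urn:example:self-asserted";

    /** Trust level per known issuer; higher means more trusted. */
    private static final Map<String, Integer> TRUST = Map.of(
            INTERNAL_IDP, 3,
            PARTNER_IDP, 2,
            SELF_ASSERTED, 1);

    /** An issuer the server has not been configured to trust gets a trust level of zero. */
    public static int trustOf(String issuer) {
        return TRUST.getOrDefault(issuer, 0);
    }

    /**
     * When several issuers assert values for the same claim URI, keep the value
     * from the most trusted issuer; claims from unknown issuers are ignored.
     */
    public static Optional<Claim> mostTrusted(List<Claim> claims, String claimUri) {
        return claims.stream()
                .filter(c -> c.claimUri().equals(claimUri))
                .filter(c -> trustOf(c.issuer()) > 0)
                .max(Comparator.comparingInt(c -> trustOf(c.issuer())));
    }

    /**
     * Policy rule: the requirement "claimUri has expectedValue" is met only if some
     * claim with that value comes from an issuer at or above the required trust level.
     */
    public static boolean satisfies(List<Claim> claims, String claimUri,
                                    String expectedValue, int minTrust) {
        return claims.stream()
                .filter(c -> c.claimUri().equals(claimUri))
                .filter(c -> c.value().equals(expectedValue))
                .anyMatch(c -> trustOf(c.issuer()) >= minTrust);
    }

    public static void main(String[] args) {
        // Sample dialect and claim URIs (constructed for this example).
        String dialect = "http://wso2.org/claims";
        String role = dialect + "/role";
        String email = dialect + "/emailaddress";
        String country = dialect + "/country";

        // Constructed user profile: the user asserts "admin" about themselves,
        // the internal IDP says "employee", a partner IDP supplied the e-mail,
        // and an unrecognised issuer supplied the country.
        List<Claim> claims = List.of(
                new Claim(dialect, role, "admin", SELF_ASSERTED),
                new Claim(dialect, role, "employee", INTERNAL_IDP),
                new Claim(dialect, email, "[email protected]", PARTNER_IDP),
                new Claim(dialect, country, "LK", "https://unknown-issuer.example"));

        // Admin-only action: requires the role claim from the internal IDP (trust 3).
        System.out.println("self-asserted admin accepted: "
                + satisfies(claims, role, "admin", 3));
        System.out.println("internal-IDP employee accepted: "
                + satisfies(claims, role, "employee", 3));

        // Conflicting role values resolve to the most trusted issuer's value.
        System.out.println("effective role: "
                + mostTrusted(claims, role).map(Claim::value).orElse("none"));

        // A claim from an unknown issuer is not usable at all.
        System.out.println("country usable: " + mostTrusted(claims, country).isPresent());
    }
}
```

The same `satisfies` rule can be evaluated at request time without persisting the issuer anywhere, which is the on-the-fly use Johann describes; persisting it would need the issuer to travel with the attribute (for example, by keeping each issuer's attributes in its own user store, as the thread suggests).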
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
