On Sat, Mar 11, 2017 at 9:33 AM, Sewmini Jayaweera <[email protected]> wrote:
> Hi Johann,
>
> Please see the inline comment.
>
> On Mon, Mar 6, 2017 at 3:09 AM, Johann Nallathamby <[email protected]> wrote:
>
>> Hi All,
>>
>> Any foreign dialect that we define using claim management must have two special attributes indicating the "userid" claim and the "role" claim.
>>
>> The "userid" claim is required for use cases like authentication and provisioning. The "role" claim is needed for role mapping and access control.
>>
>> In C4 we had this at the IDP configuration level. In C5, since we have extracted all the claim configuration from IDP to "claim management", and just refer to the dialect alone in the IDP configuration, we need to identify these two special attributes at the claim dialect management level as well.
>>
>> This configuration will be fixed for any real IDP.
>>
> Could you please clarify what you implied by fixed?
>

Meaning it is per dialect, not per SP or IDP. It can't change per SP/IDP.

E.g. in SCIM 2.0 "userName" is the unique identifier. In OIDC "sub" is the unique identifier. Any SP/IDP using these dialects must conform to them.

But what SPs/IDPs can do is, using configuration in IS, override the defaults. E.g. if an OpenID Connect SP wants a different claim other than "sub" as the subject, then s/he will configure the "Subject Claim" configuration in the SP and get a different claim as the subject. This doesn't change the fact that "sub" is the unique identifier in the OpenID Connect dialect; the particular SP has just been configured in such a way that s/he receives a different claim as the subject.

The same may be true for a provisioning use case with SCIM 2.0. Instead of using "userName" as the unique identifier at the external service provider, we could use some other claim.

Regards,
Johann.

>> What are your ideas?
>>

--
Thanks & Regards,

*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+94777776950*
Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
_______________________________________________ Architecture mailing list [email protected] https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
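The model Johann describes above (the "userid" and "role" claims fixed per dialect, with an SP-level "Subject Claim" override that does not change the dialect itself) as an added, stand-alone illustration. This is not WSO2 Identity Server code and does not use its APIs; it is written in Python so it runs by itself, and the names `ClaimDialect`, `ServiceProvider`, `resolve_subject_claim`, `duplicate_subjects` and `map_roles` are assumed here. "sub" and "userName" are the real unique identifiers of OIDC and SCIM 2.0; treating "groups" as the role claim of both dialects and the sample users are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class ClaimDialect:
    """A foreign claim dialect. userid_claim and role_claim belong to the dialect
    itself, so every SP/IDP that uses the dialect shares them (names assumed)."""
    name: str
    claims: frozenset
    userid_claim: str
    role_claim: str

    def __post_init__(self):
        # The two special attributes must be claims the dialect actually defines.
        for special in (self.userid_claim, self.role_claim):
            if special not in self.claims:
                raise ValueError(f"{self.name}: special claim {special!r} is not defined in the dialect")


@dataclass
class ServiceProvider:
    """SP configuration; subject_claim is the optional 'Subject Claim' override."""
    name: str
    dialect: ClaimDialect
    subject_claim: Optional[str] = None


# Constructed sample dialects. Using 'groups' as the role claim is an assumption
# for this example; 'sub' and 'userName' are the dialects' real unique identifiers.
OIDC = ClaimDialect("OpenID Connect",
                    frozenset({"sub", "email", "preferred_username", "groups"}),
                    userid_claim="sub", role_claim="groups")
SCIM2 = ClaimDialect("SCIM 2.0",
                     frozenset({"userName", "emails", "displayName", "groups"}),
                     userid_claim="userName", role_claim="groups")


def resolve_subject_claim(sp: ServiceProvider) -> str:
    """The claim this SP receives as its subject: the per-SP override when it is
    set and is a claim of the SP's dialect, otherwise the dialect's fixed userid claim."""
    if sp.subject_claim is None:
        return sp.dialect.userid_claim
    if sp.subject_claim not in sp.dialect.claims:
        raise ValueError(f"{sp.name}: subject override {sp.subject_claim!r} is not a {sp.dialect.name} claim")
    return sp.subject_claim


def subject_for(sp: ServiceProvider, user_claims: dict) -> str:
    """Subject value sent to the SP for one user; the override never makes the
    chosen claim optional, so a user without it is rejected rather than sent empty."""
    claim = resolve_subject_claim(sp)
    try:
        return user_claims[claim]
    except KeyError:
        raise KeyError(f"{sp.name}: user has no value for subject claim {claim!r}") from None


def duplicate_subjects(sp: ServiceProvider, users: list) -> dict:
    """Overriding the subject with a claim that is not unique lets two local users
    collapse into one identity at the SP. Returns {subject_value: count} for collisions."""
    counts = Counter(subject_for(sp, u) for u in users)
    return {value: n for value, n in counts.items() if n > 1}


def map_roles(dialect: ClaimDialect, incoming: dict, role_mapping: dict) -> set:
    """Role mapping for an IDP speaking `dialect`: read the dialect's role claim and
    translate each external role through the mapping. Unmapped external roles are
    dropped, never passed through as local roles."""
    external = incoming.get(dialect.role_claim, [])
    if isinstance(external, str):
        external = [external]
    local = set()
    for role in external:
        local.update(role_mapping.get(role, ()))
    return local


if __name__ == "__main__":
    # Constructed sample users; the third shares a mailbox with the second.
    users = [
        {"sub": "u-1001", "email": "alice@example.com", "groups": ["admins"]},
        {"sub": "u-1002", "email": "bob@example.com", "groups": ["staff"]},
        {"sub": "u-1003", "email": "bob@example.com", "groups": []},
    ]
    default_sp = ServiceProvider("portal", OIDC)
    email_sp = ServiceProvider("legacy-app", OIDC, subject_claim="email")
    print(resolve_subject_claim(default_sp), resolve_subject_claim(email_sp))
    print(duplicate_subjects(default_sp, users), duplicate_subjects(email_sp, users))
    print(map_roles(OIDC, users[0], {"admins": {"Internal/admin", "Internal/everyone"}}))
```

The point the `duplicate_subjects` check makes is the practical consequence of the override: the dialect's unique identifier stays "sub" or "userName", but an SP that asks for, say, "email" as its subject inherits whatever uniqueness that claim has locally, so the override should be validated against the user store before it is relied on for authentication or provisioning.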
