Hi,
On Wed, Mar 8, 2017 at 4:54 PM, Jochen Traunecker <[email protected]> wrote:

> Hi all,
>
> please consider that it might become much more complex in some setups :-)
>
> There are real world setups in which "trust" is important - per each individual claim.
>
> Some examples among others:
>
> PROVIDED_BY: A claim is provided by some end user, administrator, service, ... Might get signed by the PROVIDER.
> VERIFIED_BY: A claim provided by some user might get verified by some party. Might be a chain. Might get signed by the VERIFYING party.
> ISSUED_BY: The claim gets issued by typically an IdP. Might be a chain of issuers in a federated setup. Might get signed, too.
>

Agree with Jochen. When we consider the trust of the claims, there is also a set of attributes that can be evaluated. And there is an ongoing effort on standardizing these properties in the *Verifiable Claims Task Force* [1] [2].

In the implementation I think we can start with the issuer (immediate issuer) for both local and federated claims.

-Ishara

[1] https://w3c.github.io/vctf/
[2] http://opencreds.org/specs/source/use-cases/

> By that, it would be great to have some generic data structure around (e.g. Key-Value) to persist this kind of meta-data.
>
> Please keep this in mind when introducing the concept of "Issuer".
>
> Thanks,
> Jochen
>
> On 7 March 2017 at 20:36:15, Prabath Siriwardena ([email protected]) wrote:
>
> +1 for issuer - but please plan this post IS 6.0.0
>
> Thanks & regards,
> -Prabath
>
> On Tue, Mar 7, 2017 at 11:16 AM, Johann Nallathamby <[email protected]> wrote:
>
>> On Tue, Mar 7, 2017 at 2:12 PM, Ishara Karunarathna <[email protected]> wrote:
>>
>>> Hi Johann,
>>>
>>> On Mon, Feb 27, 2017 at 10:51 AM, Johann Nallathamby <[email protected]> wrote:
>>>
>>>> In claims based identity management we MUST have an "Issuer" for each claim. Each claim is made by an issuer, and you trust the claim only as much as you trust the issuer.
>>>>
>>>> For example, you will trust a claim made by your organization's internal IDP connected to the internal identity store more than you trust a claim made by the user himself.
>>>>
>>> Are we going to use this within the server? For example we can write a policy using the issuer of the claims.
>>>
>> Yes, that's the idea.
>>
>>> And do we expect to send this information to connecting service providers?
>>> If so, it may be a custom attribute that we need to send to customers, such as the authenticated IDP list.
>>>
>> Have to check the SAML2 spec properly, but I am thinking if it in fact supports this as part of the standard itself. Can we have multiple assertions in a SAML2 response with each assertion issued by a different issuer? Then there can be attribute statements under each assertion that can contain the claims issued by that particular issuer.
>>
>> We may be able to come up with something semantic that is similar for JWT (OIDC).
>>
>> The question that came to mind is how do we store the issuer values for the claims? Because the claims themselves are stored as attributes in LDAP user stores. Then how can we have an associated property for the attribute which specifies the issuer? What I thought was we should be able to use the issuer value for processing requests on the fly, e.g. authorization, etc. But if we want to store them we need to be able to use our multiple user domain feature to split the user profile by issuer and store in multiple identity stores. This way each identity store will contain attributes from one issuer if we want to provision them. I think most other implementations out there also mention their identity store as the issuer.
>>
>> Regards,
>> Johann.
>>
>>> -Ishara
>>>
>>>> Our current "Claim" object model contains the following attributes [1].
>>>> 1. Dialect URI
>>>> 2. Claim URI
>>>> 3. Value
>>>>
>>>> Can we add an "Issuer" attribute also to this model?
>>>>
>>>> [1] https://github.com/wso2/carbon-identity-mgt/blob/master/components/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/identity/mgt/claim/Claim.java
>>>>
>>>> Regards,
>>>> Johann.
>>>>
>>>> --
>>>> *Johann Dilantha Nallathamby*
>>>> Technical Lead & Product Lead of WSO2 Identity Server
>>>> Governance Technologies Team
>>>> WSO2, Inc.
>>>> lean.enterprise.middleware
>>>>
>>>> Mobile - *+94777776950*
>>>> Blog - *http://nallaa.wordpress.com*
>>>
>>> --
>>> Ishara Karunarathna
>>> Associate Technical Lead
>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>
>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>
>
> --
> Thanks & Regards,
> Prabath
>
> Twitter : @prabath
> LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
>
> Mobile : +1 650 625 7950
>
> http://facilelogin.com
> _______________________________________________
> Architecture mailing list
> [email protected]
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
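To make the design concrete, here is an added example (not the carbon-identity-mgt Claim class and not code from anyone in this thread) of a claim model carrying an issuer plus the generic key-value trust metadata Jochen suggests, with an issuer-based policy of the kind Ishara and Johann discuss and the per-issuer split Johann proposes for storage. The class name, issuer URIs, dialect URI and trust ranking are all constructed assumptions; it needs Java 10 or later for Map.copyOf.

```java
import java.util.*;
import java.util.stream.*;

// Hypothetical claim model: the three existing attributes plus an issuer and
// generic per-claim metadata (PROVIDED_BY / VERIFIED_BY / ISSUED_BY, ...).
public final class IssuedClaim {
    public final String dialectUri, claimUri, value, issuer;
    public final Map<String, String> metadata;

    public IssuedClaim(String dialectUri, String claimUri, String value, String issuer,
                       Map<String, String> metadata) {
        this.dialectUri = dialectUri; this.claimUri = claimUri; this.value = value;
        this.issuer = issuer; this.metadata = Map.copyOf(metadata);
    }

    // Constructed trust ranking; an issuer that is not listed is untrusted (0).
    static final Map<String, Integer> ISSUER_TRUST = Map.of(
        "https://idp.internal.example", 3,   // internal IdP over the internal identity store
        "https://partner-idp.example", 2,    // federated issuer
        "urn:self-asserted", 1);             // value supplied by the user

    static int trustOf(IssuedClaim c) { return ISSUER_TRUST.getOrDefault(c.issuer, 0); }

    // Policy: for one claim URI, take the value from the most trusted issuer, or nothing
    // if no issuer reaches minTrust. Unknown issuers can therefore never win.
    static Optional<IssuedClaim> resolve(List<IssuedClaim> claims, String claimUri, int minTrust) {
        return claims.stream()
            .filter(c -> c.claimUri.equals(claimUri) && trustOf(c) >= minTrust)
            .max(Comparator.comparingInt(IssuedClaim::trustOf));
    }

    // Group claims by issuer, the split needed to provision each issuer's claims
    // into its own user-store domain.
    static Map<String, List<IssuedClaim>> partitionByIssuer(List<IssuedClaim> claims) {
        return claims.stream().collect(Collectors.groupingBy(c -> c.issuer));
    }

    public static void main(String[] args) {
        String d = "urn:example:claims", email = d + ":email", role = d + ":role";
        List<IssuedClaim> claims = List.of(   // constructed sample claims
            new IssuedClaim(d, email, "alice@example.org", "urn:self-asserted",
                Map.of("PROVIDED_BY", "alice")),
            new IssuedClaim(d, email, "alice@corp.example", "https://idp.internal.example",
                Map.of("ISSUED_BY", "https://idp.internal.example", "VERIFIED_BY", "hr-system")),
            new IssuedClaim(d, role, "admin", "https://unknown-idp.example", Map.of()));
        System.out.println(resolve(claims, email, 2).map(c -> c.value + " from " + c.issuer).orElse("none"));
        System.out.println(resolve(claims, role, 1).isPresent());   // false: issuer not trusted
        System.out.println(partitionByIssuer(claims).keySet());
    }
}
```

The email claim resolves to the internal IdP's value even though the user supplied one, and the "admin" role claim is dropped because its issuer is not in the trust table.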
