Guys, I do not think you have understood what I am pointing out here. Let me explain it clearly.
Say I have a distributed setup which contains APIM GW + APIM (store/publisher) + KM (here KM can be any OAuth2 authorization server). To achieve the user locking function for store users, you are asking me to use WSO2 Identity Server? Therefore I need to externalize the authentication + use WSO2IS for only that function. What is the waste of it? It would cost me a lot. :) I do not want to spend more money on this APIM project :D

Also, if I am running an all-in-one deployment, it is also the same!

On Mon, Feb 5, 2018 at 8:08 PM, Sagara Gunathunga <[email protected]> wrote:

> On Mon, Feb 5, 2018 at 12:56 PM, Nuwan Dias <[email protected]> wrote:
>
>> On Mon, Feb 5, 2018 at 12:36 PM, Asela Pathberiya <[email protected]> wrote:
>>
>>> On Mon, Feb 5, 2018 at 12:10 PM, Nuwan Dias <[email protected]> wrote:
>>>
>>>> As mentioned on the subject itself, these are Identity Management and
>>>> Identity Governance features. They don't closely tie in with API
>>>> Management. Therefore I think it's fine to recommend IS for those kinds of
>>>> use cases.
>>>>
>>>> Installing these features to APIM at this point in time is also a
>>>> problem due to its roadmap with 3.0. If we install these features into APIM,
>>>> users will see these as first class features of our APIM offering; they
>>>> won't see this as something coming from IS.
>>>
>>> APIM store is public facing for end users. It already supports user
>>> registration, which is also an identity management feature. It is a question,
>>> why can't it support features such as password recovery/policies/email
>>> activation by default.
>>
>> It's not that it can't. It's a question of where we draw the line
>> between IS and APIM. My opinion is that the current user registration (with
>> workflow support) and password reset options are just enough for the OOTB
>> product.

It is not enough when public user registrations are supported. You need to have proper password management & account locking to support advanced security features. You would surely be caught by DoS attacks, and security scanning would fail.

>> You can have many more scenarios than listed above. Such as Login with
>> Facebook, Multifactor Authentication, etc., and the list could go on. I think
>> it's fine to ask users to integrate with IS for advanced scenarios.

Yes! If federation is needed, it is fine to use WSO2IS as the auth manager, as it is an advanced use case, as users are not governed by the APIM user store.

> We have very clear boundaries between API-M and IS; this is the whole
> point of maintaining IS as the key manager profile, so that users can get
> both IS and KM capabilities from a single runtime. I don't see any valid
> point in making the API-M runtime more complicated by adding some random IS
> features (in this case Identity Governance features), hence I'm also -1 for
> the original suggestion.

These are not just random features! You need these when you have public user registration.

Thanks,
Asela.

> IMO the two runtime concept we have today (API-M KM and IS as KM) is enough
> to cater for simple API security requirements to complex IAM requirements.
>
> Thanks !
>
>>> If the product supports public user registration, it must support
>>> all other identity management features as well.
>>>
>>> Are we removing the user registration from APIM 3.0 ?
>>
>> No, that would be there. But we don't have plans to support anything
>> else. Since there's no C5 based IS yet, we are writing all the user
>> management capabilities from scratch to even get the basic functionality.
>> The need to support more and more scenarios would create a lot more work
>> than already planned. Risking its deadlines.
>>
>>> Thanks,
>>> Asela.
>>>
>>>> Which means that users would expect the same set of features on 3.0 as
>>>> well. Therefore I would be -1 to installing these features on APIM.
>>>>
>>>> On Mon, Feb 5, 2018 at 9:49 AM, Asela Pathberiya <[email protected]>
>>>> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> There are several customers/users who are looking for $subject with
>>>>> APIM. Especially the following features:
>>>>>
>>>>> 1. Account lock/disable
>>>>> 2. Password/Account recovery
>>>>> 3. Password policies
>>>>>
>>>>> We are usually not recommending the feature installation. Therefore,
>>>>> shall we ship these features by default with APIM?
>>>>>
>>>>> However, we can suggest using WSO2IS as KM, but we need to consider
>>>>> the following:
>>>>>
>>>>> 1. Cost of running WSO2IS (infra cost)
>>>>> 2. All in one deployment
>>>>> 3. First impression on the IAM feature list of APIM.
>>>>>
>>>>> WDYT ?
>>>>>
>>>>> Thanks,
>>>>> Asela.
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>> Asela
>>>>>
>>>>> ATL
>>>>> Mobile : +94 777 625 933
>>>>> +358 449 228 979
>>>>>
>>>>> http://soasecurity.org/
>>>>> http://xacmlinfo.org/
>>>>
>>>> --
>>>> Nuwan Dias
>>>>
>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>> email : [email protected]
>>>> Phone : +94 777 775 729
>>>
>>> --
>>> Thanks & Regards,
>>> Asela
>>>
>>> ATL
>>> Mobile : +94 777 625 933
>>> +358 449 228 979
>>>
>>> http://soasecurity.org/
>>> http://xacmlinfo.org/
>>
>> --
>> Nuwan Dias
>>
>> Software Architect - WSO2, Inc. http://wso2.com
>> email : [email protected]
>> Phone : +94 777 775 729
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Sagara Gunathunga
>
> Director; WSO2, Inc.; http://wso2.com
> Linkedin; http://www.linkedin.com/in/ssagara
> Blog ; http://ssagara.blogspot.com
> Mobile : +94712149951

--
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933
+358 449 228 979

http://soasecurity.org/
http://xacmlinfo.org/
