I totally agree with Asela, and I have raised similar concerns before. What
we are lacking here is what most end users and customers would consider
basic security features. Even though we use the name "Identity Management",
those features are basically part of secure user management.

On Wed, Feb 7, 2018 at 11:12 AM, Asela Pathberiya <as...@wso2.com> wrote:

>
> Guys, I do not think you have understood what I am pointing at here.
>
> Let me explain it clearly.
>
> Say I have a distributed setup which contains APIM GW + APIM
> (store/publisher) + KM (here KM can be any OAuth2 authorization server).
>
> To achieve the user locking function for store users, you are asking me to
> use WSO2 Identity Server? Therefore I need to externalize the
> authentication and use WSO2IS for only that function. What a waste!
> It would cost me a lot. :) I do not want to spend more money on this APIM
> project :D
>
> Also, if I am running an all-in-one deployment, it is the same!
>
>
> On Mon, Feb 5, 2018 at 8:08 PM, Sagara Gunathunga <sag...@wso2.com> wrote:
>
>>
>>
>> On Mon, Feb 5, 2018 at 12:56 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>
>>>
>>>
>>> On Mon, Feb 5, 2018 at 12:36 PM, Asela Pathberiya <as...@wso2.com>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Mon, Feb 5, 2018 at 12:10 PM, Nuwan Dias <nuw...@wso2.com> wrote:
>>>>
>>>>> As mentioned on the subject itself, these are Identity Management and
>>>>> Identity Governance features. They don't closely tie in with API
>>>>> Management. Therefore I think it's fine to recommend IS for those kinds of
>>>>> use cases.
>>>>>
>>>>> Installing these features in APIM at this point in time is also a
>>>>> problem due to its roadmap with 3.0. If we install these features into
>>>>> APIM, users will see them as first-class features of our APIM offering;
>>>>> they won't see them as something coming from IS.
>>>>>
>>>>
>>>> The APIM store is public facing for end users. It already supports
>>>> user registration, which is also an identity management feature. The
>>>> question is, why can't it support features such as password
>>>> recovery/policies/email activation by default?
>>>>
>>>
>>> It's not that it can't. It's a question of where we draw the line
>>> between IS and APIM. My opinion is that the current user registration (with
>>> workflow support) and password reset options are just enough for the OOTB
>>> product.
>>>
>>
> It is not enough when public user registrations are supported. You need
> to have proper password management & account locking to support advanced
> security features. You would surely be caught by DoS attacks, and security
> scanning would fail.
>
>
>>> You can have many more scenarios than listed above, such as login with
>>> Facebook, multi-factor authentication, etc., and the list could go on. I think
>>> it's fine to ask users to integrate with IS for advanced scenarios.
>>>
>>
> Yes! If federation is needed, it is fine to use WSO2IS as the auth
> manager, as that is an advanced use case where users are not governed by the
> APIM user store.
>
>
>>
>> We have very clear boundaries between API-M and IS; this is the whole
>> point of maintaining IS as the key manager profile, so that users can get
>> both IS and KM capabilities from a single runtime. I don't see any valid
>> point in making the API-M runtime more complicated by adding some random IS
>> features (in this case Identity Governance features), hence I'm also -1 for
>> the original suggestion.
>>
>
> These are not just random features! You need them when you have public
> user registration.
>
>
> Thanks,
> Asela.
>
>
>> IMO the two-runtime concept we have today (API-M KM and IS as KM) is enough
>> to cater for everything from simple API security requirements to complex IAM requirements.
>>
>
>> Thanks !
>>
>>>
>>>> If the product supports public user registration, it must support
>>>> all the other identity management features as well.
>>>>
>>>> Are we removing the user registration from APIM 3.0 ?
>>>>
>>>
>>> No, that would be there. But we don't have plans to support anything
>>> else. Since there's no C5-based IS yet, we are writing all the user
>>> management capabilities from scratch to even get the basic functionality.
>>> The need to support more and more scenarios would create a lot more work
>>> than already planned, risking its deadlines.
>>>
>>>>
>>>> Thanks,
>>>> Asela.
>>>>
>>>>
>>>>> Which means that users would expect the same set of features on 3.0 as
>>>>> well. Therefore I would be -1 to installing these features on APIM.
>>>>>
>>>>> On Mon, Feb 5, 2018 at 9:49 AM, Asela Pathberiya <as...@wso2.com>
>>>>> wrote:
>>>>>
>>>>>> Hi All,
>>>>>>
>>>>>> There are several customers/users who are looking for $subject with
>>>>>> APIM, especially the following features:
>>>>>>
>>>>>> 1. Account lock/disable
>>>>>> 2. Password/Account recovery
>>>>>> 3. Password policies
>>>>>>
>>>>>> We usually do not recommend feature installation.
>>>>>> Therefore, shall we ship these features by default with APIM?
>>>>>>
>>>>>> However, we can suggest using WSO2IS as KM, but we need to
>>>>>> consider
>>>>>>
>>>>>> 1.  Cost of running WSO2IS (infra cost)
>>>>>> 2.  All in one deployment
>>>>>> 3.  First impression on the IAM feature list of APIM.
>>>>>>
>>>>>> WDYT ?
>>>>>>
>>>>>> Thanks,
>>>>>> Asela.
>>>>>>
>>>>>> --
>>>>>> Thanks & Regards,
>>>>>> Asela
>>>>>>
>>>>>> ATL
>>>>>> Mobile : +94 777 625 933
>>>>>>              +358 449 228 979
>>>>>>
>>>>>> http://soasecurity.org/
>>>>>> http://xacmlinfo.org/
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Nuwan Dias
>>>>>
>>>>> Software Architect - WSO2, Inc. http://wso2.com
>>>>> email : nuw...@wso2.com
>>>>> Phone : +94 777 775 729
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Thanks & Regards,
>>>> Asela
>>>>
>>>> ATL
>>>> Mobile : +94 777 625 933
>>>>              +358 449 228 979
>>>>
>>>> http://soasecurity.org/
>>>> http://xacmlinfo.org/
>>>>
>>>
>>>
>>>
>>> --
>>> Nuwan Dias
>>>
>>> Software Architect - WSO2, Inc. http://wso2.com
>>> email : nuw...@wso2.com
>>> Phone : +94 777 775 729
>>>
>>> _______________________________________________
>>> Architecture mailing list
>>> Architecture@wso2.org
>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>
>>>
>>
>>
>> --
>> Sagara Gunathunga
>>
>> Director; WSO2, Inc.;  http://wso2.com
>> Linkedin; http://www.linkedin.com/in/ssagara
>> Blog ;  http://ssagara.blogspot.com
>> Mobile : +9471 2149951
>>
>>
>
>
> --
> Thanks & Regards,
> Asela
>
> ATL
> Mobile : +94 777 625 933
>              +358 449 228 979
>
> http://soasecurity.org/
> http://xacmlinfo.org/
>
>
>


-- 
Thanks & Regards,
Dulanja Liyanage
Lead, Platform Security Team
WSO2 Inc.
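
The three features Asela lists at the start of the thread (account lock/disable, password recovery, password policies) come up as product-scope questions above, not as designs. As an added example for readers of this thread, and not code from WSO2 API-M or IS, the sketch below shows what the lock and password-policy pieces look like when wired into a public sign-up and login flow. The threshold of 5 failed attempts, the 15-minute lock window, the 12-character minimum, the PBKDF2 iteration count and the two-entry deny-list are all assumed values; the `UserStore`, `Account` and `check_password_policy` names are illustrative, not any product's API.

```python
"""Account lockout and password-policy enforcement for a public sign-up flow.

Added example, not WSO2 code. Assumed policy values: 5 failed attempts lock an
account for 15 minutes, passwords must be at least 12 characters with mixed
case and a digit, and a small constructed deny-list stands in for a
breached-password feed.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

MAX_FAILED_ATTEMPTS = 5          # assumed threshold
LOCK_SECONDS = 15 * 60           # assumed lock window; temporary, not permanent
MIN_PASSWORD_LENGTH = 12         # assumed minimum length
DENY_LIST = {"password1234", "welcome12345"}   # constructed stand-in for a breach feed
DUMMY_SALT = b"\x00" * 16        # so unknown users cost the same time as known ones


def check_password_policy(password: str, username: str = "") -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if password.lower() in DENY_LIST:
        problems.append("appears in the deny-list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is an assumed value
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class Account:
    username: str
    salt: bytes
    password_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0     # epoch seconds; 0 means not locked
    disabled: bool = False        # administrative disable, never auto-cleared


class UserStore:
    """In-memory user store; the clock is injectable so lock expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self.accounts: Dict[str, Account] = {}
        self.clock = clock

    def register(self, username: str, password: str) -> None:
        problems = check_password_policy(password, username)
        if problems:
            raise ValueError("password rejected: " + "; ".join(problems))
        salt = os.urandom(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def disable(self, username: str) -> None:
        self.accounts[username].disabled = True

    def authenticate(self, username: str, password: str) -> str:
        """Return one of 'ok', 'invalid', 'locked', 'disabled'."""
        account = self.accounts.get(username)
        if account is None:
            hash_password(password, DUMMY_SALT)   # keep timing uniform for unknown users
            return "invalid"
        if account.disabled:
            return "disabled"
        now = self.clock()
        if account.locked_until > now:
            return "locked"
        if hmac.compare_digest(hash_password(password, account.salt), account.password_hash):
            account.failed_attempts = 0
            return "ok"
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Time-limited lock: stops online guessing without letting an attacker
            # permanently lock a victim out just by hammering the login form.
            account.locked_until = now + LOCK_SECONDS
            account.failed_attempts = 0
        return "invalid"
```

Two points for anyone adapting this: the lock is deliberately a time window rather than a permanent flag, because a permanent lock on N failures hands an attacker a cheap way to lock out every registered user, which is its own denial of service; and the distinct `locked` and `disabled` results are for the caller's audit log, while the message shown to the end user should stay generic so the login form does not confirm which usernames exist.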
