Hi All,
For the moment, as per the off-line discussion with Malithi and Johann, I
have tried to move the code to *identity-outbound-auth-samlsso*
to make this feature compatible with new identity framework.
But I have get the code [1] (without adding the changes related to this
feature) and replace the jar org.wso2.carbon.identity.
application.authenticator.samlsso-5.1.8.jar with org.wso2.carbon.identity.
authenticator.outbound.saml2sso-6.0.0-SNAPSHOT.jar in dropins directory and
try out the SSO scenario.
Where I have logged_in via avis, with the same SSO session couldn't login
with travelcoity. Got the error as below in the back end .
[2018-02-07 22:04:32,969] DEBUG
{org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
- Query string : SAMLRequest=nZNPb9pAEMXv%2FRTW3sHGoIauMBEFRUVKKwqkh96G9
RBvun%2FcnTVJvn12bWhR1SLU63jmzezvPU9uX7RKDuhIWlOwQT9jCRphS2keC%
2FawveuN2e303YRAq5rPGl%2BZNf5skHwyI0Lnw9jcGmo0ug26gxT
4sL4vWOV9zdNUWQGqsuT5OBtnqXdwwFCT%2FrUvrE4rq7H%
2FRDVLFkFRGvDtFXGYwrSkQWzjH0ajYRovILIsubNOYHtJwfagCFmyXBRMC%
2FtDAhixC6JKaolmp0ttNADsHnVldk%2FSygpCN62ASB7w9zxRg0tDHowvWJ4
Nxr0s72U328F7PhzxfNwf3oy%2Bs2TlrLfCqo%2FSdIAaZ7gFksQNaCTuBd%2FMPt%
2FzvJ%2FxXddE%2FNN2u%2BqtsZQOhWfJtxPsPMIO%2BA3xFu9lufq4m02PZrRHu%
2BsF4OQXm%2F7hwyQ9V%2Bz085p%2FCRLLxcoqKV6TmVL2ee4QfMDmXYOt
ERr85aWxIsvevm3ldXw6eTQBw2YV9b82oOReoitYt%2F2cSH4tkvTXzcdwYtkGJCTT44tP5l
bX4CRF6vgC0YX%2F2NIt4efKcxWornF%2FJne1CRfbBBdROpRjVp%
2BtK2P2Qn6w3DowVFvnO9v%2Bes%2B0%2B%2FYvINOT4%2Bc%2F9PQN&SigAlg=http%3A%2F%
2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=
bcZoO0XXWmWtBnihuSERjfDuv6cyZU41Gxo5qXD5t4FM5NgtKAiRqDYgoVfYEGEOWukUwB054mZ%
2F4E69OK90rTh8q7p05xUmBxa1Z4GASfCxlpdfLPLCCVktJCYJXwHBVp38vz
EZGnxPhobNsZJYveZGEG2gHw4%2BZQWf8G%2BQw8%2F97yRoPb9Xh%
2F90xgkVtUIr2OZb5hvxLMr5yDnVMP9D3gAfTGkW%2F2YKQRDQMeSoVExVypZluccuEtZ9O
NUT15YI8ZM0JLCafP9vbKQ2wMuv3u6qRU5Q9mDFmMDYh1f7RQCwNOkhlBArk
eo3qdaPlTaeL3O9Z0sPgrDGaVtJcInXTw%3D%3D
[2018-02-07 22:04:32,973] DEBUG
{org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil}
- Request message <?xml version="1.0" encoding="UTF-8"?>
<samlp:AuthnRequest AssertionConsumerServiceURL="http://localhost:8080/
travelocity.com/home.jsp" Destination="https://is1.com:9443/samlsso";
ForceAuthn="false" ID="mcokiaancbomelimienbmdmnmaaabgmhnbjioiha"
IsPassive="false" IssueInstant="2018-02-07T16:34:28.374Z"
ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
Version="2.0" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"><samlp:Issuer
xmlns:samlp="urn:oasis:names:tc:SAML:2.0:assertion">travelocity.com
</samlp:Issuer><saml2p:NameIDPolicy AllowCreate="true"
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
SPNameQualifier="Issuer" xmlns:saml2p="urn:oasis:names:
tc:SAML:2.0:protocol"/><saml2p:RequestedAuthnContext Comparison="exact"
xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"><saml:AuthnContextClassRef
xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:
oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</
saml:AuthnContextClassRef></saml2p:RequestedAuthnContext><
/samlp:AuthnRequest>
[2018-02-07 22:04:32,975] DEBUG {org.wso2.carbon.identity.sso.
saml.validators.SSOAuthnRequestAbstractValidator} - Thread local tenant
domain is set to: carbon.super
[2018-02-07 22:04:32,976] DEBUG {org.wso2.carbon.identity.sso.
saml.validators.SPInitSSOAuthnRequestValidator} - Authentication Request
Validation is successful..
[2018-02-07 22:04:32,981] ERROR {org.wso2.carbon.identity.
application.authentication.framework.handler.step.impl.DefaultStepHandler}
- Authenticator is null
[2018-02-07 22:04:32,986] DEBUG
{org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
- Query string : SAMLRequest=nZNPb9pAEMXv%2FRTW3sHGoIauMBEFRUVKKwqkh96G9
RBvun%2FcnTVJvn12bWhR1SLU63jmzezvPU9uX7RKDuhIWlOwQT9jCRphS2keC%
2FawveuN2e303YRAq5rPGl%2BZNf5skHwyI0Lnw9jcGmo0ug26gxT
4sL4vWOV9zdNUWQGqsuT5OBtnqXdwwFCT%2FrUvrE4rq7H%
2FRDVLFkFRGvDtFXGYwrSkQWzjH0ajYRovILIsubNOYHtJwfagCFmyXBRMC%
2FtDAhixC6JKaolmp0ttNADsHnVldk%2FSygpCN62ASB7w9zxRg0tDHowvWJ4
Nxr0s72U328F7PhzxfNwf3oy%2Bs2TlrLfCqo%2FSdIAaZ7gFksQNaCTuBd%2FMPt%
2FzvJ%2FxXddE%2FNN2u%2BqtsZQOhWfJtxPsPMIO%2BA3xFu9lufq4m02PZrRHu%
2BsF4OQXm%2F7hwyQ9V%2Bz085p%2FCRLLxcoqKV6TmVL2ee4QfMDmXYOt
ERr85aWxIsvevm3ldXw6eTQBw2YV9b82oOReoitYt%2F2cSH4tkvTXzcdwYtkGJCTT44tP5l
bX4CRF6vgC0YX%2F2NIt4efKcxWornF%2FJne1CRfbBBdROpRjVp%
2BtK2P2Qn6w3DowVFvnO9v%2Bes%2B0%2B%2FYvINOT4%2Bc%2F9PQN&SigAlg=http%3A%2F%
2Fwww.w3.org%2F2000%2F09%2Fxmldsig%23rsa-sha1&Signature=
bcZoO0XXWmWtBnihuSERjfDuv6cyZU41Gxo5qXD5t4FM5NgtKAiRqDYgoVfYEGEOWukUwB054mZ%
2F4E69OK90rTh8q7p05xUmBxa1Z4GASfCxlpdfLPLCCVktJCYJXwHBVp38vz
EZGnxPhobNsZJYveZGEG2gHw4%2BZQWf8G%2BQw8%2F97yRoPb9Xh%
2F90xgkVtUIr2OZb5hvxLMr5yDnVMP9D3gAfTGkW%2F2YKQRDQMeSoVExVypZluccuEtZ9O
NUT15YI8ZM0JLCafP9vbKQ2wMuv3u6qRU5Q9mDFmMDYh1f7RQCwNOkhlBArk
eo3qdaPlTaeL3O9Z0sPgrDGaVtJcInXTw%3D%3D
[2018-02-07 22:04:32,986] ERROR
{org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
- Cannot find AuthenticationResult from the cache
[2018-02-07 22:04:32,987] DEBUG
{org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
- No SaaS SAML service providers found for the issuer : travelocity.com.
Checking for SAML service providers registered in tenant domain :
carbon.super
[2018-02-07 22:04:32,987] DEBUG
{org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
- Authentication result data not found for key : 3ec4336c-d0cd-41d8-88d9-
829901db205b
[2018-02-07 22:04:32,987] ERROR
{org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet}
- Error when processing the authentication request!
org.wso2.carbon.identity.base.IdentityException: Could not find session
state information for issuer : travelocity.com in tenant domain :
carbon.super for session identifier : 3ec4336c-d0cd-41d8-88d9-829901db205b
at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
at sun.reflect.NativeConstructorAccessorImpl.newInstance(
NativeConstructorAccessorImpl.java:62)
at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(
DelegatingConstructorAccessorImpl.java:45)
at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
at org.wso2.carbon.identity.base.IdentityException.error(
IdentityException.java:71)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.
handleAuthenticationReponseFromFramework(SAMLSSOProviderServlet.java:865)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.
handleRequest(SAMLSSOProviderServlet.java:208)
at org.wso2.carbon.identity.sso.saml.servlet.
SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:106)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.
sendRequestToFramework(SAMLSSOProviderServlet.java:1244)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.
sendToFrameworkForAuthentication(SAMLSSOProviderServlet.java:571)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.
handleSPInitSSO(SAMLSSOProviderServlet.java:475)
at org.wso2.carbon.identity.sso.saml.servlet.SAMLSSOProviderServlet.
handleRequest(SAMLSSOProviderServlet.java:225)
at org.wso2.carbon.identity.sso.saml.servlet.
SAMLSSOProviderServlet.doGet(SAMLSSOProviderServlet.java:106)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(
ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.
ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.
processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.
service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.
service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(
WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:208)
at org.wso2.carbon.identity.captcha.filter.CaptchaFilter.
doFilter(CaptchaFilter.java:76)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:208)
at org.owasp.csrfguard.CsrfGuardFilter.doFilter(CsrfGuardFilter.java:72)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(
HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:208)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.
doFilter(CharacterSetFilter.java:65)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(
HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(
ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(
ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(
StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(
StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(
AuthenticatorBase.java:506)
at org.apache.catalina.core.StandardHostValve.invoke(
StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(
ErrorReportValve.java:103)
at org.wso2.carbon.identity.context.rewrite.valve.
TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(
AuthorizationValve.java:91)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.
invoke(AuthenticationValve.java:60)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(
CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.
invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(
TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(
TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(
CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValv
e.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(
AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(
CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(
StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(
CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(
AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.
process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.
doRun(NioEndpoint.java:1775)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.
run(NioEndpoint.java:1734)
at java.util.concurrent.ThreadPoolExecutor.runWorker(
ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(
ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(
TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Please note that I have done the setup as follow for this feature and with
org.wso2.carbon.identity.application.authenticator.samlsso-5.1.8.jar able
to test the SSO earlier.
- Configured two IS pack (say IS1 - listen on is1.com:9443 and IS2 -
listen on localhost:9444).
- Configured the IS2 as trusted identity provider in IS1.
- Configured the IS1 as trusted service provider in IS2.
- Configured the travelocity app as service provider in IS1.
- Configured the avis app as service provider in IS2.
What could be the reason for this ? Am I missed any configuration here ?
[1] https://github.com/wso2-extensions/identity-outbound-auth-samlsso
Thanks,
Kanapriya
Kanapriya Kuleswararajan
Software Engineer
Mobile : - 0774894438
Mail : - [email protected]
LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
WSO2, Inc.
lean . enterprise . middleware
On Wed, Feb 7, 2018 at 2:41 PM, Johann Nallathamby <[email protected]> wrote:
>
>
> On Wed, Feb 7, 2018 at 2:33 PM, Malithi Edirisinghe <[email protected]>
> wrote:
>
>>
>>
>> On Wed, Feb 7, 2018 at 2:32 AM, Johann Nallathamby <[email protected]>
>> wrote:
>>
>>> It is in fact an inbound connector. So +1 to use the inbound framework
>>> and write a InboundProcessor to process this request. This way we can have
>>> an abstract FederatedIdPInitiatedLogoutProcessor (you may come up with
>>> a different name) that will handle the logout specific logic in
>>> authentication framework and extend it to multiple protocol specific
>>> processors which will handle protocol specific logout logic.
>>>
>>
>> Will we need a processor in the framework. Rather, I think there should
>> be a service in framework for session related operations like terminate
>> session, check if there's a valid session etc.
>> The protocol specific processor will handle requests and call the
>> framework service for session termination. Upon the specific operation in
>> framework service, framework will make sure to trigger other operation
>> specific tasks. For example, upon session termination trigger the session
>> termination event, do cleanups etc.
>> Introduction, of such a service will be useful for many other use cases I
>> think. For example, extend framework session, terminate session upon
>> critical events and all sub operations can be triggered centrally.
>> WDYT?
>>
>
> +1. That should be the ideal approach.
>
>
>>
>>
>>> Whether it should come inside identity-inbound-auth-saml or
>>> identity-outbound-auth-samlsso, I think will have to go with what the
>>> majority feels, because this use case is a hybrid between both, and the
>>> current naming convention of repos didn't take this into consideration when
>>> originally naming it. It can be argued both ways,
>>> 1. Since this is an inbound request to IS, it should go under
>>> identity-inbound-auth-saml
>>> 2. Since this is a dealing with the session between IS and federated
>>> IdP, and all the IdentityProvider module dependencies are in
>>> identity-outbound-auth-samlsso, and since authentication between SP -
>>> IS and IS - IDP should be decoupled, it should go under
>>> identity-outbound-auth-samlsso.
>>>
>>> Both the above seem to have equal amount of convincing power to me :).
>>> Technically I would prefer going with 2 above, accepting the fact that
>>> "outbound" part in the naming is not the best, because we didn't consider
>>> such use case in the begining and hoping one day we will rename the repo to
>>> be more accurate :).
>>>
>>> Regards,
>>> Johann.
>>>
>>> On Tue, Feb 6, 2018 at 11:47 PM, Hasintha Indrajee <[email protected]>
>>> wrote:
>>>
>>>> According to the analysis, it seems like logout requests from SPs and
>>>> logout requests from IDPs look similar. @Kanapriya, were you able to skim
>>>> through specs and see whether there are differences ?.
>>>>
>>>> Also on the other hand when we have a look towards our new framework,
>>>> this looks more like an inbound connector because the request is initiated
>>>> from a third party caller. Hence it's more inbound as per our framework.
>>>> WDYT ?. Also if we are to follow this approach we need to avoid going
>>>> through loops.
>>>>
>>>> On Tue, Feb 6, 2018 at 5:09 PM, Kanapriya Kuleswararajan <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> For the POC [1], I have registered a new servlet in
>>>>> identity-outbound-auth-samlsso authenticator and try out the FIDP
>>>>> initiated
>>>>> logout flow by removing the session id which is associated with the
>>>>> earlier
>>>>> login.
>>>>>
>>>>> Now I have tried to move the POC [1] code to support with the new
>>>>> identity framework.
>>>>>
>>>>> Here, we have a concern that whether we need to move the code to the
>>>>> *identity-inbound-auth-saml* or *identity-outbound-auth-samlsso*.
>>>>>
>>>>> IMO, we need to handle the logout request which is initiated by FIDP
>>>>> inside identity-inbound-auth-saml. Please find the reasons for that :
>>>>>
>>>>> - Generally, whenever the request comes to IS from External
>>>>> system, it will be handle by the Inbound flow
>>>>> (identity-inbound-auth-saml).
>>>>> - I have configured IS with two service providers (Travelocity,
>>>>> Avis) and try out the logout flow.
>>>>> - Where I'm able to see the SAML Logout Request which is exactly
>>>>> same as SAML Logout Request which is initiated by FIDP.
>>>>> - Since both SAML Logout Request are same, we can move code to
>>>>> identity-inbound-auth-saml.
>>>>>
>>>>> Appreciate your thoughts on this.
>>>>>
>>>>> [1] Federated IdP Initiated Logout
>>>>>
>>>>> Thanks,
>>>>> Kanapriya
>>>>>
>>>>> Kanapriya Kuleswararajan
>>>>> Software Engineer
>>>>> Mobile : - 0774894438 <077%20489%204438>
>>>>> Mail : - [email protected]
>>>>> LinkedIn : - https://www.linkedin.com/in/kanapriya-kules-94712685/
>>>>> WSO2, Inc.
>>>>> lean . enterprise . middleware
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Hasintha Indrajee
>>>> WSO2, Inc.
>>>> Mobile:+94 771892453 <+94%2077%20189%202453>
>>>>
>>>>
>>>
>>>
>>> --
>>>
>>> *Johann Dilantha Nallathamby*
>>> Senior Lead Solutions Engineer
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>>
>>> Mobile: *+94 77 7776950*
>>> LinkedIn: *http://www.linkedin.com/in/johann-nallathamby
>>> <http://www.linkedin.com/in/johann-nallathamby>*
>>> Medium: *https://medium.com/@johann_nallathamby
>>> <https://medium.com/@johann_nallathamby>*
>>> Twitter: *@dj_nallaa*
>>>
>>
>>
>>
>> --
>>
>> *Malithi Edirisinghe*
>> Associate Technical Lead
>> WSO2 Inc.
>>
>> Mobile : +94 (0) 718176807
>> [email protected]
>>
>
>
>
> --
>
> *Johann Dilantha Nallathamby*
> Senior Lead Solutions Engineer
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile: *+94 77 7776950*
> LinkedIn: *http://www.linkedin.com/in/johann-nallathamby
> <http://www.linkedin.com/in/johann-nallathamby>*
> Medium: *https://medium.com/@johann_nallathamby
> <https://medium.com/@johann_nallathamby>*
> Twitter: *@dj_nallaa*
>
_______________________________________________
Architecture mailing list
[email protected]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
