Hi, Thanks for the feedback. Please find the in-line comments.
On Wed, Sep 5, 2018 at 9:23 AM, gayan gunawardana <[email protected]> wrote:

> Hi Indunil,
>
> In conclusion this will introduce "Local and Outbound Authentication
> Configuration" to resident IDP UI and that will be the default
> authentication sequence for tenant.
> Is my understanding correct?

Yes. In the resident IDP UI, there will be an option to edit the tenant wise default authentication sequence.

> Any way this will be very useful because some organizations don't want to
> change their authentication flow based on service provider + very difficult
> to work with current file based default SP.
>
> Thanks,
> Gayan
>
> On Tue, Sep 4, 2018 at 10:22 PM Indunil Upeksha Rathnayake <[email protected]> wrote:
>
>> Hi,
>>
>> On Tue, Sep 4, 2018 at 9:33 PM, Indunil Upeksha Rathnayake <[email protected]> wrote:
>>
>>> Hi,
>>>
>>> WSO2 Identity Server is currently capable of allowing a pre-configured
>>> default authentication sequence with multi step or multi option
>>> authentication, which can be globally applied for any of the service
>>> providers.
>>>
>>> As per the current implementation of IS, there is a file based SP which
>>> is considered as the default SP of IS
>>> (<IS_HOME>/repository/conf/identity/service-providers/default.xml). After IS 5.0.0, in order to
>>> link the protocol specific applications to the service provider concept, we
>>> have introduced this default file based SP. So that, for an inbound
>>> request, if no SP configuration can be found, the default SP of
>>> IS will be considered. For an SP which is configured with default
>>> authentication type as follows, we use the local and outbound authentication
>>> configuration of the default SP of IS.
>>>
>>> There are several drawbacks in the current approach considering the following
>>> business use cases.
>>>
>>> 1. Capability to have an organization wise default authentication
>>> sequence which should be applicable for all the applications in an
>>> organization.
>>> 2. In the default authentication, apart from multi steps or multi
>>> options, have a secure and flexible form of authentication where we need to
>>> validate multiple factors to determine the authenticity of a login
>>> attempt, before granting access to a resource.
>>> 3. Furthermore, have support to do modifications to the default
>>> authentication sequence in a user friendly manner, rather than using a file
>>> based approach.
>>>
>>> In consideration of the above use cases, the suggested approach is to
>>> include the following improvements to the current implementation.
>>>
>>> *Tenant specific default authentication sequence*
>>>
>>> - Local and outbound authentication configuration in the default file
>>> based SP will be considered as the global default authentication
>>> sequence.
>>> - Provide support to have tenant wise default authentication
>>> sequences rather than only a global sequence. So that, the global default
>>> authentication sequence can be modified and used tenant wise.
>>> - All the service providers will be supporting the new tenant specific
>>> default authentication chain. If default authentication type is selected
>>> for an SP, use the tenant specific default authentication configuration if
>>> it exists, or use the global authentication configuration.
>>
>> As further improvements, may include an option to select an already
>> configured adaptive authentication script in an SP as the tenant default
>> authentication sequence. So that will override the existing tenant default sequence.
>>
>>> *Adaptive authentication support for default authentication sequence*
>>>
>>> - Provide capability to include adaptive authentication scripts in
>>> the default authentication chain.
>>>
>>> *Update default authentication sequence from UI*
>>>
>>> - Rather than managing file based default authentication configuration,
>>> include capability to do modifications from the management console.
>>> - Include capability to update the default authentication
>>> configuration from the resident IDP UI.
>>> - The configurations will be initially loaded to the UI from the file based
>>> default SP, and after a modification, those will be stored as resident IDP
>>> meta data (i.e. IDP_METADATA table).
>>> - Configuring adaptive authentication scripts from the UI will be more
>>> user friendly, since we can refer to adaptive authentication templates as
>>> well.
>>>
>>> Really appreciate your suggestions and comments on this approach.
>>>
>>> Thanks and Regards
>>> --
>>> Indunil Upeksha Rathnayake
>>> Senior Software Engineer | WSO2 Inc
>>> Email [email protected]
>>> Mobile 0772182255
>>
>> _______________________________________________
>> Architecture mailing list
>> [email protected]
>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>
> --
> Gayan

--
Indunil Upeksha Rathnayake
Senior Software Engineer | WSO2 Inc
Email [email protected]
Mobile 0772182255
