Hi Prasad and Asok,

On Wed, Sep 17, 2014 at 7:04 PM, Asok Perera <as...@wso2.com> wrote:

> Thank you Prasad.
> This is what I needed to get clarified.
>
> *Asok Aravinda Perera*
> Software Engineer
> WSO2, Inc.;http://wso2.com/
> lean.enterprise.middleware
>
> Mobile: +94722241032
>
> On Tue, Sep 16, 2014 at 2:08 AM, Prasad Tissera <pras...@wso2.com> wrote:
>
>> When a service provider is created in IS, a role is created for that service
>> provider. If you want only user1 to access app1, you can assign the role
>> only to user1 and remove the role from the super admin's role list.
>>
>
This role gets created when registering a Service Provider in IS, and
only users who need to change this Service Provider's configuration
should have that role.

Not having the service provider role will not restrict a user from
logging in.
In other words, the admin user will be able to log in to both apps even if
admin does not have the role that was created when registering the Service
Provider.


>>
>>
>> On Mon, Sep 15, 2014 at 4:34 AM, Asok Perera <as...@wso2.com> wrote:
>>
>>> Thank you Pushpalanka!
>>> But there is another clarification needed.
>>> What if a user needs to isolate two web apps? Meaning, what if there
>>> 'cannot' be a super user sort of login (admin credentials) for two web
>>> apps which are secured through a single IS?
>>>
>>
This is not straightforward, but there can be a couple of ways to handle this.
One way will be to consider this an authorization decision and handle it
on the webapp side. From the SAML response you can get the role list of the
authenticated user, and at the webapp level it checks that the user has some
specific role.

On the other hand, if you have one set of users which have access to only
one app and another set of users which have access only to the other app,
you could have two tenants and divide the two user sets into two tenants. There
are some tradeoffs to this pattern due to tenant isolation.

We can decide the most suitable way when we have a more concrete use case.

Regards,
Darshana


>
>>> BR
>>>
>>>
>>>
>>> *Asok Aravinda Perera*
>>> Software Engineer
>>> WSO2, Inc.;http://wso2.com/
>>> lean.enterprise.middleware
>>>
>>> Mobile: +94722241032
>>>
>>> On Fri, Sep 12, 2014 at 10:15 AM, Pushpalanka Jayawardhana <
>>> la...@wso2.com> wrote:
>>>
>>>> Hi Asok,
>>>>
>>>> This comes with the behavior of SSO.
>>>> When you register travelocity.com as a service provider in IS and
>>>> point the travelocity.com webapp to use IS as the identity provider, the
>>>> authentication process of the webapp is totally handled by IS.
>>>> Even the page where you enter username/password is submitted by IS. The
>>>> webapp does not have any idea of the valid user name and password of the
>>>> user trying to log in, as all these details are captured and authenticated
>>>> at the IS side. IS then just lets the webapp know whether the user is
>>>> authenticated or not.
>>>>
>>>> This helps to keep the user passwords in a secured centralized place
>>>> rather than saving them in each webapp, and helps to provide a better user
>>>> experience by not asking users to type username/password several times (if
>>>> you are logged into IS, you are automatically logged into travelocity.com
>>>> as well).
>>>>
>>>> Therefore any other user in IS can also log in to the travelocity.com
>>>> webapp with his/her credentials.
>>>> This article [1] will provide more insight.
>>>> Hope this helps.
>>>>
>>>> [1] -
>>>> http://wso2.com/library/articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server/
>>>>
>>>> Thanks,
>>>> Pushpalanka.
>>>> --
>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>> Software Engineer, WSO2 Lanka (pvt) Ltd;  wso2.com/
>>>> Mobile: +94779716248
>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
>>>> lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>>
>>>>
>>>> On Fri, Sep 12, 2014 at 9:54 AM, Asok Perera <as...@wso2.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> This is a question that occurred to me while working on the 'Configuring
>>>>> SAML2 SSO' sample in Identity Server. (link below)
>>>>> https://docs.wso2.com/display/IS500/Configuring+SAML2+SSO
>>>>>
>>>>> According to that sample, a user can log into the service provider's
>>>>> site/portal with Identity Server's admin credentials. In this case, one
>>>>> can use admin/admin username/password to log into travelocity.com.
>>>>>
>>>>> The question is, can I assume that the IS admin is treated as a super user
>>>>> who can log into all the service providers' web apps / services?
>>>>> If not, can somebody explain to me why we can use admin credentials in
>>>>> the above sample?
>>>>>
>>>>> BR
>>>>>
>>>>> *Asok Aravinda Perera*
>>>>> Software Engineer
>>>>> WSO2, Inc.;http://wso2.com/
>>>>> lean.enterprise.middleware
>>>>>
>>>>> Mobile: +94722241032
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> Dev@wso2.org
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>>
>> --
>> Prasad Tissera
>> Software Engineer.
>> Mobile : +94777223444
>>
>
>
>
>


-- 
Regards,


*Darshana Gunawardana* Software Engineer
WSO2 Inc.; http://wso2.com

*E-mail: darsh...@wso2.com*
*Mobile: +94718566859* Lean . Enterprise . Middleware
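Darshana's first option above (reading the role list out of the SAML response and deciding access at the webapp level), worked through as an added example that is not from this thread or from WSO2. It assumes the app's SSO agent has already validated the SAML Response (signature, audience, conditions) and hands the XML in; http://wso2.org/claims/role is IS's default role claim URI, and the sample response and role names are constructed.

```python
# Added example (not from the thread or from WSO2): webapp-side authorization
# on top of IS-handled SSO. Assumes the SSO agent has already validated the
# SAML Response (signature, audience, conditions) before handing it here.
# http://wso2.org/claims/role is IS's default role claim URI; the sample
# response and role names are constructed.
import xml.etree.ElementTree as ET  # prefer defusedxml for untrusted XML

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
ROLE_CLAIM = "http://wso2.org/claims/role"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample of the parts of an IS-issued Response the app inspects.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject><saml:NameID>admin</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://wso2.org/claims/role">
        <saml:AttributeValue>Internal/everyone,admin</saml:AttributeValue>
        <saml:AttributeValue>Application/travelocity.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_roles(response_xml):
    """Return (subject NameID, set of roles) from a successful SAML Response."""
    root = ET.fromstring(response_xml)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("SAML Response status is not Success")
    subject = root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS)
    roles = set()
    for attr in root.iterfind("saml:Assertion/saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != ROLE_CLAIM:
            continue
        for value in attr.iterfind("saml:AttributeValue", NS):
            # IS may send one comma-separated value or one value per role.
            roles.update(r.strip() for r in (value.text or "").split(",") if r.strip())
    return subject, roles


def is_authorized(response_xml, required_role):
    """Authentication by IS is not authorization: deny unless the user holds
    the app-specific role, so admin cannot enter an app it has no role for."""
    _subject, roles = extract_roles(response_xml)
    return required_role in roles
```

A user whose assertion carries no role attribute at all is denied as well, which is the behaviour wanted for an app that must not accept every IS account.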
