Sent the half-baked mail mistakenly.

On Wed, Sep 17, 2014 at 10:11 PM, Darshana Gunawardana <[email protected]> wrote:

> Hi Prasad and Asok,
>
> On Wed, Sep 17, 2014 at 7:04 PM, Asok Perera <[email protected]> wrote:
>
>> Thank you Prasad.
>> This is what I needed to get clarified.
>>
>> Asok Aravinda Perera
>> Software Engineer
>> WSO2, Inc.; http://wso2.com/
>> lean.enterprise.middleware
>>
>> Mobile: +94722241032
>>
>> On Tue, Sep 16, 2014 at 2:08 AM, Prasad Tissera <[email protected]> wrote:
>>
>>> When a service provider is created in IS, a role is created for that
>>> service provider. If you want only user1 to access app1, you can assign
>>> the role only to user1 and remove the role from the super admin role list.
>
> This role is getting created when registering a Service Provider in IS.
> And only users which have change this Service Provider configuration, the
> relevant user should have that role.
>
> * This role is getting created when registering a Service Provider in IS.
> And to change this Service Provider configuration, the relevant user
> should have that role.
>
> Not having the service provider role will not restrict a user from logging in.
> In other words, the admin user will be able to log in to both apps even if
> admin does not have any role which was created when registering the Service
> Provider.
>
>>> On Mon, Sep 15, 2014 at 4:34 AM, Asok Perera <[email protected]> wrote:
>>>
>>>> Thank you Pushpalanka!
>>>> But there is another clarification needed.
>>>> What if a user needs to isolate two web apps? Meaning, what if there
>>>> 'cannot' be a super user sort of a login (admin credentials) for two web
>>>> apps which are secured through a single IS?
>
> This is not straightforward, but there can be a couple of ways to handle this...
> One way will be considering this as an authorization decision and handling it
> from the webapp side. From the SAML response you can get the role list of the
> authenticated user, and at webapp level check that the user has some
> specific role.
>
> On the other hand, if you have one set of users which have access to only
> one app and another set of users which have access only to the other app,
> you could have two tenants and divide the two user sets into two tenants.
> There are some tradeoffs of this pattern due to tenant isolation.
>
> The most suited way we can decide when we have a more concrete use case.
>
> Regards,
> Darshana
>
>>>> BR
>>>>
>>>> Asok Aravinda Perera
>>>> Software Engineer
>>>> WSO2, Inc.; http://wso2.com/
>>>> lean.enterprise.middleware
>>>>
>>>> Mobile: +94722241032
>>>>
>>>> On Fri, Sep 12, 2014 at 10:15 AM, Pushpalanka Jayawardhana <[email protected]> wrote:
>>>>
>>>>> Hi Asok,
>>>>>
>>>>> This comes with the behavior of SSO.
>>>>> When you register travelocity.com as a service provider in IS and
>>>>> point the travelocity.com webapp to use IS as the identity provider, the
>>>>> authentication process of the webapp is totally handled by IS.
>>>>> Even the page where you enter the username/password is submitted by IS.
>>>>> The webapp does not have any idea of the valid username and password of
>>>>> the user trying to log in, as all these details are captured and
>>>>> authenticated on the IS side. IS then just lets the webapp know whether
>>>>> the user is authenticated or not.
>>>>>
>>>>> This helps to keep the user passwords in a secured, centralized place
>>>>> rather than saving them in each webapp, and helps to provide a better
>>>>> user experience by not asking users to type username/password several
>>>>> times (if you are logged into IS, you are automatically logged into
>>>>> travelocity.com as well).
>>>>>
>>>>> Therefore any other user in IS can also log in to the travelocity.com
>>>>> webapp with his/her credentials.
>>>>> This article [1] will provide more insight.
>>>>> Hope this helps.
>>>>>
>>>>> [1] http://wso2.com/library/articles/2010/07/saml2-web-browser-based-sso-wso2-identity-server/
>>>>>
>>>>> Thanks,
>>>>> Pushpalanka.
>>>>> --
>>>>> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
>>>>> Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
>>>>> Mobile: +94779716248
>>>>> Blog: pushpalankajaya.blogspot.com/ | LinkedIn: lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
>>>>>
>>>>> On Fri, Sep 12, 2014 at 9:54 AM, Asok Perera <[email protected]> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> This is a question that occurred to me while working on the 'Configuring
>>>>>> SAML2 SSO' sample in Identity Server (link below):
>>>>>> https://docs.wso2.com/display/IS500/Configuring+SAML2+SSO
>>>>>>
>>>>>> According to that sample, a user can log into the service provider's
>>>>>> site/portal with Identity Server's admin credentials. In this case, one
>>>>>> can use the admin/admin username/password to log into travelocity.com.
>>>>>>
>>>>>> The question is, can I assume that the IS admin is treated as a super
>>>>>> user who can log into all the service providers' web apps / services?
>>>>>> If not, can somebody explain to me why we can use admin credentials in
>>>>>> the above sample?
>>>>>>
>>>>>> BR
>>>>>>
>>>>>> Asok Aravinda Perera
>>>>>> Software Engineer
>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>> lean.enterprise.middleware
>>>>>>
>>>>>> Mobile: +94722241032
>>>
>>> --
>>> Prasad Tissera
>>> Software Engineer.
>>> Mobile : +94777223444
>
> --
> Regards,
>
> Darshana Gunawardana
> Software Engineer
> WSO2 Inc.; http://wso2.com
> E-mail: [email protected]
> Mobile: +94718566859
> Lean . Enterprise . Middleware

--
Regards,

Darshana Gunawardana
Software Engineer
WSO2 Inc.; http://wso2.com
E-mail: [email protected]
Mobile: +94718566859
Lean . Enterprise . Middleware

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
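The webapp-side authorization check Darshana describes (read the role list from the SAML response, then require a specific role) as an added example in Python; it is not code from this thread, from WSO2 IS or from the travelocity sample. It assumes the roles arrive as a SAML attribute named http://wso2.org/claims/role, that the role IS creates for service provider app1 is called "Application/app1" (both are assumptions, not stated in the thread), and that the SSO library has already verified the Response signature before this check runs. The samples are constructed: user1 holds the SP role, admin authenticates fine at IS but holds no SP role, and a third response carries a non-Success status. Both value encodings an IdP might use, one AttributeValue per role and a single comma-joined value, are accepted.

```python
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"
# Assumed claim URI under which IS sends the user's roles (not from the thread).
ROLE_CLAIM = "http://wso2.org/claims/role"


def _response(name_id, role_values, status=SUCCESS):
    """Build a constructed, unsigned SAML Response for the samples below."""
    values = "".join(f"<saml:AttributeValue>{v}</saml:AttributeValue>" for v in role_values)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp" Version="2.0">
  <samlp:Status><samlp:StatusCode Value="{status}"/></samlp:Status>
  <saml:Assertion ID="_asrt" Version="2.0">
    <saml:Subject><saml:NameID>{name_id}</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="{ROLE_CLAIM}">{values}</saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


# Constructed samples. "Application/app1" is the assumed name of the role IS
# creates for service provider app1. The admin sample packs its roles
# comma-separated in one AttributeValue, the user1 sample uses one element
# per role, so both encodings are exercised.
RESPONSE_USER1 = _response("user1", ["Internal/everyone", "Application/app1"])
RESPONSE_ADMIN = _response("admin", ["admin,Internal/everyone"])
RESPONSE_FAILED = _response("user1", ["Application/app1"], status=RESPONDER)


def roles_from_saml_response(xml_text, role_claim=ROLE_CLAIM):
    """Return the set of roles asserted for the authenticated user.

    Assumes the SSO library has already verified the Response/Assertion
    signature; this function only reads attributes, it does not establish
    their authenticity.
    """
    root = ET.fromstring(xml_text)
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        return set()  # authentication did not succeed: grant no roles at all
    roles = set()
    for attr in root.iterfind(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != role_claim:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            # Accept both one-value-per-element and comma-joined encodings.
            for role in (value.text or "").split(","):
                if role.strip():
                    roles.add(role.strip())
    return roles


def is_authorized(xml_text, required_role):
    """Webapp-side decision: authenticated at IS AND holds required_role."""
    return required_role in roles_from_saml_response(xml_text)


if __name__ == "__main__":
    samples = (("user1", RESPONSE_USER1), ("admin", RESPONSE_ADMIN), ("failed", RESPONSE_FAILED))
    for label, resp in samples:
        verdict = "allowed" if is_authorized(resp, "Application/app1") else "denied"
        print(f"{label}: roles={sorted(roles_from_saml_response(resp))} -> {verdict}")
```

Running it shows the split Darshana draws: admin is a perfectly valid IS login, but app1 denies the session because the SP role is absent, while user1 is allowed. For responses that actually arrive over the network, parse with a hardened XML parser (for example defusedxml) and let the SSO library validate the signature first; an unsigned AttributeStatement proves nothing about who the user is.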
