Hi,

On Mon, Aug 8, 2016 at 5:51 PM, Dinusha Senanayaka <[email protected]> wrote:

> On Mon, Aug 8, 2016 at 5:43 PM, Ishara Karunarathna <[email protected]> wrote:
>
>> Hi Rushmin,
>>
>> On Mon, Aug 8, 2016 at 5:26 PM, Rushmin Fernando <[email protected]> wrote:
>>
>>> Hi Ishara,
>>>
>>> We are currently using the following two admin services to create service providers.
>>>
>>> IdentitySAMLSSOConfigService
>>> IdentityApplicationManagementService
>>>
>> admin/manage
>>
>> permission should be there for both services
>>
>> hmm .. admin/manage is admin rights ? This means we need to assign admin rights to publisher. :( . Is there any possibility of adding fine grained permission for these two services as well, similar to XACML services ?
>>
> Nop, Only manage permission is enough . I just mention the permission path to manage permission
>
> Regards,
> Dinusha.
>
>>> If we are to follow the above SAML authenticator method for this as well, what are the permissions should a role have ?
>>>
>>> Regards
>>> Rushmin
>>>
>>> On Mon, Aug 8, 2016 at 5:18 PM, Lahiru Cooray <[email protected]> wrote:
>>>
>>>> Hi Ishara,
>>>> Thanks a lot for the info..
>>>>
>>>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <[email protected]> wrote:
>>>>
>>>>> Hi Dinusha,
>>>>>
>>>>> In this case I think publisher user should be able to create those SP, XACML policies etc.
>>>>> Since publisher user is within the publisher role you can assign necessary permission to that role.
>>>>> Once user login (SSO) to publisher with his credential he can get a cookie for that and he can use that cookie to authenticate to the admin services.
>>>>>
>>>>> @Rushmin,
>>>>> We don't have an authenticator for OAuth token. Better to get an ID token using OIDC or after validating OAuth token and create a carbon authenticator like saml carbon authenticator.
>>>>>
>>>>> Thanks,
>>>>> Ishara
>>>>>
>>>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <[email protected]> wrote:
>>>>>
>>>>>> In addition to creating these entries from the UI, we need to create the same using our ReST API as well. And the API is OAuth protected.
>>>>>>
>>>>>> Is there an authenticator which gives back a cookie for an OAuth token as well ?
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Lahiru.
>>>>>>>
>>>>>>> It's not the admin user. User trying to do this operation should have enough permission to do this.
>>>>>>>
>>>>>>> Use
>>>>>>>
>>>>>>> *entitlement/policy/view*
>>>>>>>
>>>>>>> Add this permission to the user who is trying to view those policies.
>>>>>>>
>>>>>>> BR,
>>>>>>> Ishara
>>>>>>>
>>>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <[email protected]> wrote:
>>>>>>>
>>>>>>>> + [DEV]
>>>>>>>>
>>>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> Hi all,
>>>>>>>>>
>>>>>>>>> *Current behaviour:*
>>>>>>>>> Currently in AppM, when we are creating XACML policies/Service Providers via IS admin services, we are providing the super tenant admin credentials (where the credentials are stored in a config) to get authenticated. Further, XACML policies/Service providers are only created in super tenant and marked as a SAAS app to be used in tenants.
>>>>>>>>>
>>>>>>>>> *Problem:*
>>>>>>>>> As we are moving for AppM - Cloud integration, we are trying to deploy these in relevant tenant spaces. So as a solution we have tried to use *SAML2SSOAuthenticator*[1] (retrieving a cookie passing the SAML response and use the same in subsequent service calls) but figured that this is not applicable for non admin users.
>>>>>>>>> (*eg:* In AppM user story, non admin users should be allowed to create apps with XACML policies)
>>>>>>>>>
>>>>>>>>> Any suggestions for this would be highly appreciated!
>>>>>>>>>
>>>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>> *Lahiru Cooray*
>>>>>>>>> Software Engineer
>>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>>> lean.enterprise.middleware
>>>>>>>>>
>>>>>>>>> Mobile: +94 715 654154
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Ishara Karunarathna
>>>>>>> Associate Technical Lead
>>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>>
>>>>>>> email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791
>>>>>>
>>>>>> --
>>>>>> *Best Regards*
>>>>>>
>>>>>> *Rushmin Fernando*
>>>>>> *Technical Lead*
>>>>>>
>>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>>
>>>>>> mobile : +94772891266
>>>>>
>>>>
>>>
>>
>
> --
> Dinusha Dilrukshi
> Associate Technical Lead
> WSO2 Inc.: http://wso2.com/
> Mobile: +94725255071
> Blog: http://dinushasblog.blogspot.com/

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com

email: [email protected], blog: isharaaruna.blogspot.com, mobile: +94717996791

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
