Hi Johann,

I have written a custom OSGi service that can be used to provision users based on the SAML response, which I can contribute since it is reusable in any application that needs user provisioning.

I'd appreciate it if you could suggest a suitable repository for this.

Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware

On Mon, Sep 5, 2016 at 10:47 PM, Ishara Cooray <[email protected]> wrote:
> Thanks for all your inputs.
>
> This is an independent OSGi service and it does not implement
> CarbonServerAuthenticator because it needs to integrate with any Jaggery
> app such as APIM store/publisher, GREG store/publisher.
>
> Yes, it calls external Java code (the provisioning service) from the jaggery_acs
> file and does the JIT operation.
> It provisions users to a central location that can be configured as
> 'ProvisioningDefaultUserstore'.
>
> In the current scope this was written for super tenant mode only. But
> we can extend it to tenant mode as well.
>
> Thanks & Regards,
> Ishara Cooray
>
> On Mon, Sep 5, 2016 at 7:36 PM, Sanjeewa Malalgoda <[email protected]> wrote:
>> Even with the current application implementation you may call external Java
>> code from the jaggery_acs file and do the JIT operation. If needed you may add
>> assertion/response validation from the same Java component.
>>
>> Did we think about how this should work in a multi-tenant scenario? Do we
>> provision users to a central place or to a tenant-defined user store? Then can
>> they configure this on a per-tenant basis?
>>
>> Thanks
>> sanjeewa.
>>
>> Sent from my phone.
>>
>> On Sep 5, 2016 1:25 PM, "Johann Nallathamby" <[email protected]> wrote:
>>> On Mon, Sep 5, 2016 at 1:19 PM, Malaka Silva <[email protected]> wrote:
>>>> Hi Ishara,
>>>>
>>>> I guess we can use application-authentication.xml for this purpose?
>>>>
>>>> We are maintaining the configs for local authenticators from the store.
>>>
>>> This is the old Carbon authenticators we are talking about.
>>> application-authentication.xml is for the new authentication framework.
>>> That won't work for this.
>>>
>>>> On Mon, Sep 5, 2016 at 10:21 AM, Dimuthu Leelarathne <[email protected]> wrote:
>>>>> Hi Ishara,
>>>>>
>>>>> On Fri, Sep 2, 2016 at 11:19 AM, Ishara Cooray <[email protected]> wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> I thought of introducing a new Authenticator config to
>>>>>> repository/conf/security/authenticators.xml
>>>>>> And it will use only the below properties to do the $Subject.
>>>>>>
>>>>>> <Authenticator name="JITPSAML2SSOAuthenticator" disabled="false">
>>>>>>     <Priority>9</Priority>
>>>>>>     <Config>
>>>>>>         <Parameter name="RoleClaimAttribute">http://wso2.org/claims/role</Parameter>
>>>>>>         <Parameter name="AttributeValueSeparator">,</Parameter>
>>>>>>         <Parameter name="JITUserProvisioning">true</Parameter>
>>>>>>         <Parameter name="ProvisioningDefaultUserstore">PRIMARY</Parameter>
>>>>>>     </Config>
>>>>>> </Authenticator>
>>>>>>
>>>>>> Any objections?
>>>>>
>>>>> I think the existing SAMLSSOAuthenticator should allow JIT
>>>>> provisioning when we switch on a configuration. If we keep adding more and
>>>>> more Authenticators for small functionalities it will be a cluttered
>>>>> collection in the end. The same happened to Carbon components. We have so
>>>>> many components and can't make head or tail of it.
>>>>>
>>>>> thanks,
>>>>> Dimuthu
>>>>>
>>>>>> Thanks & Regards,
>>>>>> Ishara Cooray
>>>>>>
>>>>>> On Wed, Aug 31, 2016 at 1:43 PM, Ishara Cooray <[email protected]> wrote:
>>>>>>> + Prabath, Johann
>>>>>>>
>>>>>>> Thanks & Regards,
>>>>>>> Ishara Cooray
>>>>>>>
>>>>>>> On Wed, Aug 31, 2016 at 1:27 PM, Pamod Sylvester <[email protected]> wrote:
>>>>>>>> Would it make sense to have it under "user-mgt.xml"?
>>>>>>>>
>>>>>>>> On Wed, Aug 31, 2016 at 1:00 PM, Ishara Cooray <[email protected]> wrote:
>>>>>>>>> Hi,
>>>>>>>>> I am working on the $Subject.
>>>>>>>>>
>>>>>>>>> *Motivation:*
>>>>>>>>> I have a use case where I want to authorize users who are logged
>>>>>>>>> into the API publisher/store, but APIM does not have access to the
>>>>>>>>> underlying user store.
>>>>>>>>>
>>>>>>>>> *Plan:*
>>>>>>>>> The plan is to write an OSGi service that does the Just In
>>>>>>>>> Time provisioning before the permission check to authorize the user.
>>>>>>>>> It will get the roles from the SAML response and do the provisioning.
>>>>>>>>>
>>>>>>>>> But we will have to do the same role/permission mapping manually
>>>>>>>>> for now.
>>>>>>>>>
>>>>>>>>> If we write a generic service we can plug it into any WSO2
>>>>>>>>> product that needs JIT provisioning initiated by the service provider.
>>>>>>>>> However, we need to maintain a few configurations here.
>>>>>>>>>
>>>>>>>>> 1. isServiceProvierInitiatedJITProvisioningEnabled
>>>>>>>>> 2. User store to be provisioned
>>>>>>>>> 3. Implementation class (extension point)
>>>>>>>>>
>>>>>>>>> What could be the best place to maintain this configuration if the
>>>>>>>>> component is written as a generic component for any WSO2 product?
>>>>>>>>>
>>>>>>>>> Thanks & Regards,
>>>>>>>>> Ishara Cooray
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Architecture mailing list
>>>>>>>>> [email protected]
>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Pamod Sylvester *
>>>>>>>> *WSO2 Inc.; http://wso2.com*
>>>>>>>> cell: +94 77 7779495
>>>>>
>>>>> --
>>>>> Dimuthu Leelarathne
>>>>> Director, Solutions Architecture
>>>>> WSO2, Inc. (http://wso2.com)
>>>>> email: [email protected]
>>>>> Mobile: +94773661935
>>>>> Blog: http://muthulee.blogspot.com
>>>>> Lean . Enterprise . Middleware
>>>>
>>>> --
>>>> Best Regards,
>>>> Malaka Silva
>>>> Senior Technical Lead
>>>> M: +94 777 219 791
>>>> Tel : 94 11 214 5345
>>>> Fax :94 11 2145300
>>>> Skype : malaka.sampath.silva
>>>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>>>> Blog : http://mrmalakasilva.blogspot.com/
>>>> WSO2, Inc.
>>>> lean . enterprise . middleware
>>>> https://wso2.com/signature
>>>> http://www.wso2.com/about/team/malaka-silva/
>>>> https://store.wso2.com/store/
>>>> Don't make Trees rare, we should keep them with care
>>>
>>> --
>>> Thanks & Regards,
>>> *Johann Dilantha Nallathamby*
>>> Technical Lead & Product Lead of WSO2 Identity Server
>>> Governance Technologies Team
>>> WSO2, Inc.
>>> lean.enterprise.middleware
>>> Mobile - *+94777776950*
>>> Blog - *http://nallaa.wordpress.com*
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
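The thread proposes an <Authenticator> config block (RoleClaimAttribute, AttributeValueSeparator, JITUserProvisioning, ProvisioningDefaultUserstore) and a service that reads roles from the SAML response and provisions the user into the configured store, after the assertion has been validated, as Sanjeewa notes. The following is an added example, not code from the thread or from any WSO2 component: a Python stand-in for the Java OSGi service that parses that exact config block, pulls the role attribute out of a constructed SAML2 AttributeStatement, and decides what to provision. The assertion fragment, the user "alice", the function names and the "STORE/user" domain-qualified username convention are assumptions made here for illustration; the real validation of the assertion (signature, audience, conditions) is represented only by the assertion_validated flag.

```python
"""Added example (not from the WSO2 thread): JIT provisioning decision driven by
the proposed authenticators.xml block and the role attribute of a SAML2 assertion."""
import xml.etree.ElementTree as ET

# The <Authenticator> block proposed in the thread, wrapped in a root element so
# the file parses the way repository/conf/security/authenticators.xml would.
AUTHENTICATORS_XML = """
<Authenticators>
  <Authenticator name="JITPSAML2SSOAuthenticator" disabled="false">
    <Priority>9</Priority>
    <Config>
      <Parameter name="RoleClaimAttribute">http://wso2.org/claims/role</Parameter>
      <Parameter name="AttributeValueSeparator">,</Parameter>
      <Parameter name="JITUserProvisioning">true</Parameter>
      <Parameter name="ProvisioningDefaultUserstore">PRIMARY</Parameter>
    </Config>
  </Authenticator>
</Authenticators>
"""

SAML2_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion fragment (not real traffic). Roles arrive both as a
# separator-joined single value and as a second AttributeValue, so both forms
# are exercised; the given-name attribute shows that unrelated attributes are ignored.
ASSERTION_XML = """
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://wso2.org/claims/role">
      <saml:AttributeValue>publisher,subscriber</saml:AttributeValue>
      <saml:AttributeValue>admin</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="http://wso2.org/claims/givenname">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""


def load_authenticator_config(xml_text, name):
    """Return the <Parameter> map of the named authenticator, or None if it is
    absent or disabled="true" (a disabled authenticator must never provision)."""
    root = ET.fromstring(xml_text.strip())
    for auth in root.iter("Authenticator"):
        if auth.get("name") != name:
            continue
        if auth.get("disabled", "false").lower() == "true":
            return None
        return {p.get("name"): (p.text or "").strip() for p in auth.iter("Parameter")}
    return None


def subject_name(assertion_xml):
    """NameID of the assertion subject, or None when it is missing."""
    root = ET.fromstring(assertion_xml.strip())
    nid = root.find(".//saml:Subject/saml:NameID", SAML2_NS)
    return (nid.text or "").strip() or None if nid is not None else None


def extract_roles(assertion_xml, role_attribute, separator):
    """Collect role values from the attribute named by RoleClaimAttribute,
    splitting each AttributeValue on AttributeValueSeparator; order is kept,
    blanks and duplicates are dropped."""
    root = ET.fromstring(assertion_xml.strip())
    roles = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML2_NS):
        if attr.get("Name") != role_attribute:
            continue
        for value in attr.findall("saml:AttributeValue", SAML2_NS):
            for role in (value.text or "").split(separator):
                role = role.strip()
                if role and role not in roles:
                    roles.append(role)
    return roles


def plan_jit_provisioning(config, assertion_xml, assertion_validated):
    """Return (domain-qualified username, roles) to provision, or None when the
    feature is off or the subject is unusable. `assertion_validated` must be the
    outcome of the signature/conditions checks done in the same component;
    provisioning from an unvalidated assertion is refused outright."""
    if not assertion_validated:
        raise ValueError("refusing to provision from an unvalidated SAML assertion")
    if config is None or config.get("JITUserProvisioning", "false").lower() != "true":
        return None
    user = subject_name(assertion_xml)
    if user is None:
        return None
    roles = extract_roles(assertion_xml, config["RoleClaimAttribute"],
                          config.get("AttributeValueSeparator", ","))
    store = config.get("ProvisioningDefaultUserstore", "PRIMARY")
    # "STORE/user" is the assumed domain-qualified form for the target user store.
    return (f"{store}/{user}", roles)


if __name__ == "__main__":
    cfg = load_authenticator_config(AUTHENTICATORS_XML, "JITPSAML2SSOAuthenticator")
    print(plan_jit_provisioning(cfg, ASSERTION_XML, assertion_validated=True))
```

The role/permission mapping the thread says is still done manually is deliberately outside this block: the function only returns the username and the role names taken from the assertion, and whatever calls it decides what those roles are allowed to do.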
