Hi Ishara,

There is an extension point if the logic needs to be customized, where one
can implement the SAML2SSOUserProvisioner interface and override the
provisionUser method.

It can be configured via the "SAML2SSOUserProvisionerImpl" configuration,
which is used to get the impl class at runtime.

Thanks & Regards,
Ishara Cooray
Senior Software Engineer
Mobile : +9477 262 9512
WSO2, Inc. | http://wso2.com/
Lean . Enterprise . Middleware
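As an added illustration (not code from this thread or from the WSO2 component), this is how the extension point above could front the JIT operation with the policy check asked for further down the thread. The thread gives only the interface and method names and the authenticator parameters, so the provisionUser signature, the parameter lookups and the role allow-list are assumptions.

```java
import java.util.*;
import java.util.regex.Pattern;

// Assumed shape of the extension point: the thread names the interface and the
// provisionUser method but not its parameters, so this declaration is a guess.
interface SAML2SSOUserProvisioner {
    boolean provisionUser(String username, Map<String, List<String>> attributes, Map<String, String> config);
}

// Policy-checked provisioner: the account is created only if the assertion carries
// a role this deployment allows an IdP to grant. It assumes the authenticator has
// already validated the SAML response/assertion (signature, audience, validity window).
class PolicyCheckedProvisioner implements SAML2SSOUserProvisioner {
    // Roles an IdP may assign via JIT; anything else (e.g. "admin") is dropped.
    private static final Set<String> ALLOWED_ROLES = Set.of("Internal/subscriber", "Internal/publisher");

    @Override
    public boolean provisionUser(String username, Map<String, List<String>> attributes, Map<String, String> config) {
        if (!Boolean.parseBoolean(config.getOrDefault("JITUserProvisioning", "false"))) {
            return false; // feature switched off: never create accounts implicitly
        }
        String roleAttr = config.getOrDefault("RoleClaimAttribute", "http://wso2.org/claims/role");
        String sep = config.getOrDefault("AttributeValueSeparator", ",");
        List<String> roles = new ArrayList<>();
        for (String raw : attributes.getOrDefault(roleAttr, List.of())) {
            for (String r : raw.split(Pattern.quote(sep))) {
                if (ALLOWED_ROLES.contains(r.trim())) roles.add(r.trim());
            }
        }
        if (roles.isEmpty()) return false; // policy: no recognised role, no account
        String store = config.getOrDefault("ProvisioningDefaultUserstore", "PRIMARY");
        // A real implementation would call the user store manager here (assumed API omitted).
        System.out.println("provisioned " + username + " in " + store + " with roles " + roles);
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample: the parameters from the authenticators.xml snippet in the thread.
        Map<String, String> config = Map.of("JITUserProvisioning", "true",
                "RoleClaimAttribute", "http://wso2.org/claims/role",
                "AttributeValueSeparator", ",", "ProvisioningDefaultUserstore", "PRIMARY");
        String roleClaim = "http://wso2.org/claims/role";
        SAML2SSOUserProvisioner p = new PolicyCheckedProvisioner();
        // "admin" is not in the allow-list, so alice gets only Internal/subscriber.
        p.provisionUser("alice", Map.of(roleClaim, List.of("Internal/subscriber,admin")), config);
        // No allowed role at all: mallory is not provisioned.
        p.provisionUser("mallory", Map.of(roleClaim, List.of("admin")), config);
    }
}
```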

On Thu, Sep 29, 2016 at 1:15 PM, Ishara Karunarathna <isha...@wso2.com>
wrote:

> Hi Ishara,
>
> Just noticed the thread.
> Is there an extension point in this component to add any additional check?
> Let's say we define a policy to decide the condition that needs to be
> evaluated before doing the JIT operation.
>
> If JIT is not available, can we have that as well?
>
> Thanks,
> Ishara
>
> On Mon, Sep 26, 2016 at 4:52 PM, Ishara Cooray <isha...@wso2.com> wrote:
>
>> Hi Johann,
>>
>> I have written a custom OSGi service that can be used to provision users
>> based on the SAML response, which I can contribute since it is reusable in
>> any application that needs user provisioning.
>>
>> I would appreciate it if you could suggest a suitable repository for this.
>>
>>
>>
>>
>> On Mon, Sep 5, 2016 at 10:47 PM, Ishara Cooray <isha...@wso2.com> wrote:
>>
>>> Thanks for all your inputs.
>>>
>>> This is an independent OSGi service and it does not implement
>>> CarbonServerAuthenticator because it needs to integrate with any Jaggery
>>> app such as the APIM store/publisher or the GREG store/publisher.
>>>
>>> Yes, it calls external Java code (the provisioning service) from the
>>> jaggery_acs file and does the JIT operation.
>>> It provisions users to a central location that can be configured as
>>> 'ProvisioningDefaultUserstore'.
>>>
>>> In the current scope, this was written for super-tenant mode only,
>>> but we can extend it to tenant mode as well.
>>>
>>>
>>> On Mon, Sep 5, 2016 at 7:36 PM, Sanjeewa Malalgoda <sanje...@wso2.com>
>>> wrote:
>>>
>>>> Even with the current application implementation you may call external Java
>>>> code from the jaggery_acs file and do the JIT operation. If needed, you may add
>>>> assertion/response validation from the same Java component.
>>>>
>>>> Did we think about how this should work in a multi-tenant scenario? Do we
>>>> provision users to a central place or to a tenant-defined user store? Then can
>>>> they configure this on a per-tenant basis?
>>>>
>>>> Thanks
>>>> sanjeewa.
>>>>
>>>> Sent from my phone.
>>>>
>>>> On Sep 5, 2016 1:25 PM, "Johann Nallathamby" <joh...@wso2.com> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Mon, Sep 5, 2016 at 1:19 PM, Malaka Silva <mal...@wso2.com> wrote:
>>>>>
>>>>>> Hi Ishara,
>>>>>>
>>>>>> I guess we can use application-authentication.xml for this purpose?
>>>>>>
>>>>>> We are maintaining the configs for local authenticators from store.
>>>>>>
>>>>>
>>>>> This is the old carbon authenticators we are talking about.
>>>>> application-authentication.xml is for the new authentication framework.
>>>>> That won't work for this.
>>>>>
>>>>>
>>>>>>
>>>>>> On Mon, Sep 5, 2016 at 10:21 AM, Dimuthu Leelarathne <
>>>>>> dimut...@wso2.com> wrote:
>>>>>>
>>>>>>>
>>>>>>> Hi Ishara,
>>>>>>>
>>>>>>> On Fri, Sep 2, 2016 at 11:19 AM, Ishara Cooray <isha...@wso2.com>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi All,
>>>>>>>>
>>>>>>>> I thought of introducing a new Authenticator config to
>>>>>>>> repository/conf/security/authenticators.xml,
>>>>>>>> and it will use only the properties below to do the $Subject.
>>>>>>>>
>>>>>>>>     <Authenticator name="JITPSAML2SSOAuthenticator" disabled="false">
>>>>>>>>         <Priority>9</Priority>
>>>>>>>>         <Config>
>>>>>>>>             <Parameter name="RoleClaimAttribute">http://wso2.org/claims/role</Parameter>
>>>>>>>>             <Parameter name="AttributeValueSeparator">,</Parameter>
>>>>>>>>             <Parameter name="JITUserProvisioning">true</Parameter>
>>>>>>>>             <Parameter name="ProvisioningDefaultUserstore">PRIMARY</Parameter>
>>>>>>>>         </Config>
>>>>>>>>     </Authenticator>
>>>>>>>>
>>>>>>>> Any objections?
>>>>>>>>
>>>>>>>
>>>>>>> I think the existing SAMLSSOAuthenticator should allow JIT
>>>>>>> provisioning when we switch on a configuration. If we keep adding more
>>>>>>> and more Authenticators for small functionalities it will be a cluttered
>>>>>>> collection in the end. The same happened to Carbon components. We have
>>>>>>> so many components and can't make head or tail of it.
>>>>>>>
>>>>>>> thanks,
>>>>>>> Dimuthu
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> On Wed, Aug 31, 2016 at 1:43 PM, Ishara Cooray <isha...@wso2.com>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> + Prabath, Johann
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Wed, Aug 31, 2016 at 1:27 PM, Pamod Sylvester <pa...@wso2.com>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Would it make sense to have it under "user-mgt.xml" ?
>>>>>>>>>>
>>>>>>>>>> On Wed, Aug 31, 2016 at 1:00 PM, Ishara Cooray <isha...@wso2.com>
>>>>>>>>>> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>> I am working on the $Subject.
>>>>>>>>>>>
>>>>>>>>>>> *Motivation:*
>>>>>>>>>>> I have a use case where I want to authorize users who are logged
>>>>>>>>>>> into the API publisher/store, but APIM does not have access to the
>>>>>>>>>>> underlying user store.
>>>>>>>>>>>
>>>>>>>>>>> *Plan:*
>>>>>>>>>>> The plan is to write an OSGi service that should do the Just In
>>>>>>>>>>> Time provisioning before the permission check to authorize the
>>>>>>>>>>> user. It will get the roles from the SAML response and do the provisioning.
>>>>>>>>>>>
>>>>>>>>>>> But we will have to do the same role/permission mapping manually
>>>>>>>>>>> for now.
>>>>>>>>>>>
>>>>>>>>>>> If we write a generic service we can plug it into any WSO2
>>>>>>>>>>> product that needs JIT provisioning initiated by the service provider.
>>>>>>>>>>> However, we need to maintain a few configurations here.
>>>>>>>>>>>
>>>>>>>>>>>    1. isServiceProvierInitiatedJITProvisioningEnabled
>>>>>>>>>>>    2. User store to be provisioned
>>>>>>>>>>>    3. Implementation class (extension point)
>>>>>>>>>>>
>>>>>>>>>>> What could be the best place to maintain this configuration if
>>>>>>>>>>> the component is written as a generic component for any WSO2 product?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Architecture mailing list
>>>>>>>>>>> architect...@wso2.org
>>>>>>>>>>> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> *Pamod Sylvester *
>>>>>>>>>>
>>>>>>>>>> *WSO2 Inc.; http://wso2.com*
>>>>>>>>>> cell: +94 77 7779495
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>> Dimuthu Leelarathne
>>>>>>> Director, Solutions Architecture
>>>>>>>
>>>>>>> WSO2, Inc. (http://wso2.com)
>>>>>>> email: dimut...@wso2.com
>>>>>>> Mobile: +94773661935
>>>>>>> Blog: http://muthulee.blogspot.com
>>>>>>>
>>>>>>> Lean . Enterprise . Middleware
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Dev mailing list
>>>>>>> Dev@wso2.org
>>>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> Best Regards,
>>>>>>
>>>>>> Malaka Silva
>>>>>> Senior Technical Lead
>>>>>> M: +94 777 219 791
>>>>>> Tel : 94 11 214 5345
>>>>>> Fax :94 11 2145300
>>>>>> Skype : malaka.sampath.silva
>>>>>> LinkedIn : http://www.linkedin.com/pub/malaka-silva/6/33/77
>>>>>> Blog : http://mrmalakasilva.blogspot.com/
>>>>>>
>>>>>> WSO2, Inc.
>>>>>> lean . enterprise . middleware
>>>>>> https://wso2.com/signature
>>>>>> http://www.wso2.com/about/team/malaka-silva/
>>>>>> https://store.wso2.com/store/
>>>>>>
>>>>>> Don't make Trees rare, we should keep them with care
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Thanks & Regards,
>>>>>
>>>>> *Johann Dilantha Nallathamby*
>>>>> Technical Lead & Product Lead of WSO2 Identity Server
>>>>> Governance Technologies Team
>>>>> WSO2, Inc.
>>>>> lean.enterprise.middleware
>>>>>
>>>>> Mobile - *+94777776950*
>>>>> Blog - *http://nallaa.wordpress.com*
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>>
>
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware |  wso2.com
>
> email: isha...@wso2.com,   blog: isharaaruna.blogspot.com,   mobile:
> +94717996791
>
>
>
>
>