Hi All,

On Tue, May 9, 2017 at 3:19 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote:
> Hi All,
>
> On Tue, May 9, 2017 at 3:05 PM, Ruwan Abeykoon <ruw...@wso2.com> wrote:
>> Hi All,
>> +1 for making it simple.
>> What I think is that appending the tenant domain irrespective of what claim is used as subject id, when the parameter is set to true, is the correct expectation.
>>
>> That will be true even if the subject id is set to some unrealistic value such as gender or age. The realistic subject id should be unique within the tenant or user domain.
>>
>> @Hasanthi
>>
>> IMO as this is an option which can be decided by the user, if the user checked the check boxes we should append tenant domain and userstore domain to the subject identifier whether it is user name or not. If the user does not wish to append those domains he can use the default configurations. So shall we change the existing behavior?
>>
>> I guess the "user" means the tenant identity admin. If that is the case, +1.
>
> Yes, +1 to append user store domain and tenant domain based on the identity admin's selection. This option is to intentionally append the domains or not, whichever claim it is. At selection time the doer is aware of which claim it is getting applied to.
>
>> Cheers,
>> Ruwan
>>
>> On Tue, May 9, 2017 at 2:48 PM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:
>>> Hi Maduranga,
>>>
>>>> When we added this configuration, the expectation was to add the tenant domain to the subject identifier no matter what is used as the subject claim or it is a requested claim (it can be username or telephone number, if this is enabled tenant domain should be appended). If we deviate from this there can be lots of unexpected inconsistencies.
>>>
>>> I have analyzed the source in IS 5.3.0 and the behavior is a bit different. We are appending the tenant domain and user domain only when the subject identifier is user name [1]. Otherwise we are not appending them [2].
>>>
>>> IMO as this is an option which can be decided by the user, if the user checked the check boxes we should append tenant domain and userstore domain to the subject identifier whether it is user name or not. If the user does not wish to append those domains he can use the default configurations. So shall we change the existing behavior?
>>>
>>> WDYT?
>>>
>>> [1] https://github.com/wso2-attic/carbon-identity/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java#L175
>>> [2] https://github.com/wso2-attic/carbon-identity/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java#L143
>>>
>>> Thanks,
>>>
>>> Hasanthi Dissanayake
>>> Software Engineer | WSO2
>>> E: hasan...@wso2.com
>>>
>>> On Fri, May 5, 2017 at 11:21 PM, Maduranga Siriwardena <madura...@wso2.com> wrote:
>>>> Hi Hasanthi,
>>>>
>>>> When we added this configuration, the expectation was to add the tenant domain to the subject identifier no matter what is used as the subject claim or it is a requested claim (it can be username or telephone number, if this is enabled tenant domain should be appended). If we deviate from this there can be lots of unexpected inconsistencies.
>>>>
>>>> Thanks,
>>>>
>>>> Maduranga Siriwardena
>>>> Senior Software Engineer
>>>> WSO2 Inc; http://wso2.com/
>>>>
>>>> On May 5, 2017 2:03 PM, "Isura Karunaratne" <is...@wso2.com> wrote:
>>>>> Hi,
>>>>>
>>>>> On Fri, May 5, 2017 at 10:59 AM, Hasanthi Purnima Dissanayake <hasan...@wso2.com> wrote:
>>>>>> Hi All,
>>>>>>
>>>>>> There are a few jiras [1],[2],[3],[4] reported related to the above attribute and I thought of discussing the expected behavior of this attribute.
>>>>>>
>>>>>> AFAIU if the above attribute is checked in both federated and local scenarios:
>>>>>> - the tenant domain should be appended to the sub claim even when the username is added as a requested claim or username is set as the subject claim uri.
>>>>>>
>>>>> This is a little bit tricky.
>
> If we think of an occasion without a local association in a federated scenario, does it really make sense to append our local user store domain or tenant domain to the user name? I think it's invalid information, as a federated user is not present in our user stores unless provisioned or associated.
>
> We can argue that if the SP is configured with federated authentication we shouldn't select the above options. But the concerns around this become more complex when we consider this together with multi-option authentication. An SP can allow the user to select authentication from either local or federated. In such a case we should be able to dynamically decide that we shouldn't be attaching user store and tenant names to federated user attributes. WDYT?

I also agree with Lanka, we can append tenant domain only to the local claims so there won't be an issue with Federated claims.

-Ishara

>>>>>> If the above attribute is unchecked:
>>>>>> - The tenant domain should not be appended to the sub claim even when the user name is the subject claim uri or a requested claim.
>>>>>>
>>>>>> [1] https://wso2.org/jira/browse/IDENTITY-5013
>>>>>> [2] https://wso2.org/jira/browse/IDENTITY-4931
>>>>>> [3] https://wso2.org/jira/browse/IDENTITY-4956
>>>>>> [4] https://wso2.org/jira/browse/IDENTITY-4470
>>>>>>
>>>>>> Please let me know if the behavior of this attribute is something different.
>>>>>>
>>>>> Yes. That is the behavior of the 'Use tenant domain in local subject identifier' attribute.
>>>>>
>>>>> Thanks
>>>>> Isura.
>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Hasanthi Dissanayake
>>>>>> Software Engineer | WSO2
>>>>>> E: hasan...@wso2.com
>>>>>
>>>>> --
>>>>> Isura Dilhara Karunaratne
>>>>> Senior Software Engineer | WSO2
>>>>> Email: is...@wso2.com
>>
>> --
>> Ruwan Abeykoon
>> Associate Director/Architect, WSO2, Inc.
>
> --
> Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
> Senior Software Engineer, WSO2 Lanka (pvt) Ltd

--
Ishara Karunarathna
Associate Technical Lead
WSO2 Inc. - lean . enterprise . middleware | wso2.com
email: isha...@wso2.com
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev
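The behaviour the thread converges on (append user store and tenant domain whenever the admin ticked the options, whatever claim is the subject, but never for a federated user with no local association), written out as an added Python illustration rather than WSO2 IS code; the "DOMAIN/subject@tenant" layout, the option and field names, and the sample accounts are assumptions made for the example. The collision helper goes one step beyond the thread to show why the domains matter for an SP keyed on the sub claim.

```python
from collections import Counter
from dataclasses import dataclass

# Added illustration of the thread's agreed behaviour; not WSO2 IS code.
# The "DOMAIN/subject@tenant" layout is an assumption made for this example.

@dataclass(frozen=True)
class SubjectOptions:
    """The two per-service-provider checkboxes discussed in the thread."""
    use_user_store_domain: bool = False
    use_tenant_domain: bool = False

@dataclass(frozen=True)
class AuthenticatedUser:
    subject: str             # value of whichever claim was picked as subject claim URI
    user_store_domain: str   # local user store the account lives in, e.g. "PRIMARY"
    tenant_domain: str       # e.g. "carbon.super"
    federated: bool = False  # authenticated by an external IdP
    locally_associated: bool = False  # federated user linked to a local account

def build_subject_identifier(user: AuthenticatedUser, opts: SubjectOptions) -> str:
    """Append the domains the admin asked for, whatever claim the subject came from.

    A federated user with no local association is not in any local user store,
    so local domains would be meaningless and are never added. For an associated
    federated user, user_store_domain/tenant_domain are taken to be those of the
    linked local account.
    """
    if user.federated and not user.locally_associated:
        return user.subject
    subject = user.subject
    if opts.use_user_store_domain and user.user_store_domain:
        subject = f"{user.user_store_domain}/{subject}"
    if opts.use_tenant_domain and user.tenant_domain:
        subject = f"{subject}@{user.tenant_domain}"
    return subject

def colliding_subjects(users, opts: SubjectOptions) -> set:
    """Subject identifiers that more than one user would present to an SP.

    The same username in two tenants yields one 'sub' unless domains are appended.
    """
    counts = Counter(build_subject_identifier(u, opts) for u in users)
    return {sub for sub, n in counts.items() if n > 1}

if __name__ == "__main__":
    # Constructed sample accounts: two local "alice"s in different tenants.
    users = [AuthenticatedUser("alice", "PRIMARY", "carbon.super"),
             AuthenticatedUser("alice", "PRIMARY", "acme.com")]
    print(colliding_subjects(users, SubjectOptions()))            # {'alice'}
    print(colliding_subjects(users, SubjectOptions(True, True)))  # set()
```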