Re: [Architecture] [IAM] Provisioning Users with Passwords when JIT Provisioning

2018-05-10 Thread Megala Uthayakumar
Hi,

Following is the high-level diagram of the proposed design:

Claim handling should also be moved to Post Authentication handler, after
JIT provisioning handler as we get new claims from the user in JIT.

The following diagram shows the internal process logic of the JIT handler:

Currently we do not have a consent page for the JIT provisioning flow. With
this feature we will be including the consent page as well.

Thanks.

Regards,
Megala

On Wed, Apr 11, 2018 at 6:05 PM, Nuwan Dias  wrote:

> Thanks for the explanations, the scenarios on when this is needed are now clear.
>
> On Wed, Apr 11, 2018 at 12:30 PM, Johann Nallathamby 
> wrote:
>
>> Hi Nuwan,
>>
>> On Wed, Apr 11, 2018 at 5:43 PM, Nuwan Dias  wrote:
>>
>>> Provisioning users with a known/proper password would make it possible
>>> for them to login/authenticate directly against IS without being
>>> authenticated against the federated IDP right?
>>>
>>
>> Yes. The requirement is to allow these users to have a password in IS that
>> will be governed by the password policies in IS, and allow them to log in to
>> applications using IS login.
>>
>>
>>> Do we really want to allow that?
>>>
>>
>> Yes, that is the requirement.
>>
>>
>>> If internal admins want to manage their accounts internally, or if we
>>> want users to login/authenticate to IS directly, why would they
>>> authenticate against a federated IDP in the first place?
>>>
>>
>> There are two use cases that need to have this capability.
>>
>> 1. Social sign-up - On some websites social sign-up (not login) is used as
>> a means of making the sign-up process easier, by providing the mandatory
>> user attributes, but at the end of it a password must be provisioned. After
>> this sign-up process the user will mostly log in using IS. But in some
>> scenarios social login will also continue to be there, so if the user uses
>> social login, we will automatically link that to the already provisioned
>> account.
>>
>> 2. Migrating users from an external IdP - The use case is where a company
>> has done an acquisition or merger, or simply has the need to centralize the
>> identity management, and therefore wants to migrate all the identities from an
>> external IdP to IS, and eventually, once all identities are migrated, maybe
>> even disconnect the IdP.
>>
>> Regards,
>> Johann.
>>
>>
>>> Why not create their user accounts in IS itself instead of federating?
>>>
>>
>> This won't work for the social sign-up use case. Even for the external IdP
>> migration use case, if it has to be done it has to be a manual bulk import
>> process. This is sometimes difficult to do because:
>> 1. We cannot get passwords from the external IdPs.
>> 2. Even doing it as a bulk, admin-initiated forced password reset is
>> almost impossible with the recent performance numbers we are seeing.
>>
>> Therefore the better option is to do it on the fly when each user wants
>> to login to the application.
>>
>> Regards,
>> Johann.
>>
>>
>>> On Wed, Apr 11, 2018 at 9:51 AM, Menaka Jayawardena 
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> In WSO2 Identity Server, users can be provisioned to the internal user
>>>> store when the users are signing up with social accounts. But in this case,
>>>> the users should always use the social login option to log in to the
>>>> application and the identity admins could not manage them as internal
>>>> users.
>>>>
>>>> The main idea of this feature is to provision the users with a password
>>>> so that a proper user account will be created in the Identity Server, so
>>>> that they can use the user name and password to log in and the identity
>>>> admins can manage the users as internal users.
>>>>
>>>> As per the Flash PC [1], we need to consider the following aspects when
>>>> implementing this feature.
>>>>
>>>> *1. Configuring password provisioning at the IDP level.*
>>>> A new option can be provided in the Just-In-Time Provision section to
>>>> enable/disable provisioning with password.
>>>>
>>>> *2. Prompting a page to get the user claims and password*
>>>> When a user is using social sign-up, in the sign-up flow, a new page will
>>>> be shown with the claims. The claims that are retrieved from the social
>>>> sign-up response will be automatically populated. Users need to fill in any
>>>> mandatory claims that are missing in the request, and they also need to
>>>> provide a valid password.
>>>>
>>>> *3. How multiple social accounts can be associated*
>>>> This applies when we support multiple social sign-up options (Facebook,
>>>> Google, Twitter etc.). When a user has already signed up with one social
>>>> account, after some time, he/she again tries to sign up using a different
>>>> account. As different social accounts use different ids for users, there
>>>> should be a mechanism to map the values to the existing user.
>>>>
>>>> As a solution for this we can allow users to add their other social
>>>> account details in the user profile. So, when the user is trying 
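The handler logic discussed in this thread (a post-authentication JIT handler that pre-fills claims from the social sign-up response, prompts for the missing mandatory claims and a password checked against the local password policy, and maps a later federated login to the already provisioned account), written out as an added toy model in Python. It is not code from WSO2 Identity Server or from anyone on the thread; the mandatory claim list, the password rules, and matching an existing account by its e-mail claim are assumptions made for this example.

```python
"""Toy JIT-provisioning handler: provision a local account with a password and
link federated identities to it.  Added example, not WSO2 Identity Server code."""
from dataclasses import dataclass, field
import re

# Assumed mandatory local claims; a real deployment takes these from claim config.
MANDATORY_CLAIMS = ("email", "givenname", "lastname")


@dataclass
class LocalUser:
    username: str
    claims: dict
    password: str                      # toy model keeps it in clear; a real store hashes it
    federated_ids: dict = field(default_factory=dict)   # idp name -> subject id at that IdP


@dataclass
class PasswordPolicy:
    """Stand-in for the IS password policy the thread wants to govern these users."""
    min_length: int = 8

    def violations(self, pw: str) -> list:
        errs = []
        if len(pw) < self.min_length:
            errs.append(f"shorter than {self.min_length} characters")
        if not re.search(r"[0-9]", pw):
            errs.append("no digit")
        if not re.search(r"[A-Za-z]", pw):
            errs.append("no letter")
        return errs


class UserStore:
    def __init__(self):
        self.users = {}                # username -> LocalUser

    def find_by_federated_id(self, idp, subject):
        for u in self.users.values():
            if u.federated_ids.get(idp) == subject:
                return u
        return None

    def find_by_email(self, email):
        for u in self.users.values():
            if email and u.claims.get("email") == email:
                return u
        return None


class JitHandler:
    def __init__(self, store, policy, provision_with_password=True):
        self.store = store
        self.policy = policy
        # The per-IdP "provision with password" switch from point 1 of the proposal.
        self.provision_with_password = provision_with_password

    def handle(self, idp, subject, federated_claims, form=None):
        """Run once per federated authentication.  Returns (status, payload):
        ("login", user)        this federated id is already linked
        ("linked", user)       an existing local account matched; federated id attached
        ("prompt", form_spec)  the consent/claim page must be shown
        ("error", messages)    the submitted page was rejected
        ("provisioned", user)  a new local account was created
        """
        user = self.store.find_by_federated_id(idp, subject)
        if user:
            return "login", user
        # Assumption: the IdP's e-mail claim is verified, so it is safe to use
        # as the mapping key to an already provisioned account (point 3).
        user = self.store.find_by_email(federated_claims.get("email"))
        if user:
            user.federated_ids[idp] = subject
            return "linked", user
        missing = [c for c in MANDATORY_CLAIMS if not federated_claims.get(c)]
        if form is None:
            # Point 2: page pre-filled from the social response, asking for the rest.
            return "prompt", {"prefilled": dict(federated_claims), "missing": missing,
                              "password_required": self.provision_with_password}
        claims = {**federated_claims, **{k: v for k, v in form.items() if k != "password"}}
        errors = [f"missing claim {c}" for c in MANDATORY_CLAIMS if not claims.get(c)]
        password = form.get("password", "")
        if self.provision_with_password:
            errors += [f"password {e}" for e in self.policy.violations(password)]
        if errors:
            return "error", errors
        user = LocalUser(username=claims["email"], claims=claims,
                         password=password if self.provision_with_password else None,
                         federated_ids={idp: subject})
        self.store.users[user.username] = user
        return "provisioned", user


if __name__ == "__main__":
    h = JitHandler(UserStore(), PasswordPolicy())
    fed = {"email": "alice@example.test", "givenname": "Alice"}   # constructed social response
    print(h.handle("google", "g-123", fed))                       # prompt for lastname + password
    print(h.handle("google", "g-123", fed, {"lastname": "Doe", "password": "Str0ngPassw0rd"}))
```

The two mapping branches are the ones the thread asks for: a repeat login from the same IdP falls into "login", while a first login from a second IdP for a user who already has a local account falls into "linked" instead of creating a duplicate.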

[Architecture] WSO2 API Manager 2.2.0-update5 Released!

2018-05-10 Thread Rukshan Premathunga
The WSO2 API Manager team is pleased to announce the release of version
2.2.0-update5 of API Manager.

WSO2 API Manager is a platform for creating, managing, consuming and
monitoring APIs. It employs proven SOA best practices to solve a wide range
of API management challenges such as API provisioning, API governance,
API security and API monitoring. It combines some of the most powerful and
mature components of WSO2's state-of-the-art Carbon platform to deliver a
smooth and end-to-end API management experience while catering to both
API publisher and API consumer requirements.

WSO2 API Manager is comprised of several modules.

   - API Provider: Define new APIs and manage them
   - API Store: Browse published APIs and subscribe to them
   - API Gateway: The underlying API runtime based on WSO2 ESB
   - API Key Manager: Performs Key Generation and Key Validation
   functionalities
   - API Traffic Manager: Performs Rate Limiting of API Requests

For more information on WSO2 API Manager please visit
http://wso2.com/products/api-manager. Also, take a look at the online
product documentation.

Distributions

   - wso2am-2.2.0-update5.zip
   - wso2am-micro-gw-2.2.0-update5.zip
   - wso2am-analytics-2.2.0-update1.zip


How to Run

   1. Extract the downloaded zip
   2. Go to the bin directory in the extracted folder
   3. Run the wso2server.sh or wso2server.bat as appropriate
   4. Launch a web browser and navigate to https://localhost:9443/publisher to
   access the API publisher webapp
   5. Navigate to https://localhost:9443/store to access the API store
   6. Navigate to https://localhost:9443/admin to access Admin Portal
   7. Use "admin", "admin" as the username and password to login as an admin

Bug Fixes And Improvements in 2.2.0-update5

   - GitHub (Product-apim)

Known Issues

All the open issues pertaining to WSO2 API Manager are reported at the
following location:

   - GitHub (Product-apim), (Carbon-apimgt), (Analytics-apim)

How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

   - Developer List: d...@wso2.org | Subscribe | Mail Archive
   - User List: u...@wso2.org | Subscribe | Mail Archive

Reporting Issues

We encourage you to report issues, documentation faults, and feature
requests regarding WSO2 API Manager through the public API Manager Git Repo.

-- The WSO2 API Manager Team --

-- 
Rukshan Chathuranga.
WSO2, Inc.
+94711822074
___
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture


Re: [Architecture] WSO2 IS/APIM : support Mutual TLS Profile for OAuth 2.0 ?

2018-05-10 Thread Youcef HILEM
Hi Sathya,

We need to implement the regulatory requirements
(http://www.etsi.org/deliver/etsi_ts/102600_102699/10264003/02.01.01_60/ts_10264003v020101p.pdf),
in particular:
6.3: REM Sender/REM Recipient Authentication
b) Enhanced: using enhanced authentication such as two-factor authentication
mechanisms linked to a one-time password;
c) Strong: mutual SSL authentication, which includes the client's side user
certificate;


I can't access
https://docs.wso2.com/display/IS550/Mutual+TLS+for+OAuth+Clients

Thanks
Youcef HILEM


