+1
This is what we plan in IS too - to make all the tokens JWT by default.
This approach also helps in multi-regional setups.
The drawback is the revocation. But we can find a workaround for that.
Thanks & Regards
-Prabath
On Mon, Jun 24, 2019 at 10:23 PM Nuwan Dias wrote:
> Hi,
>
> I've
+1 to go ahead with the release
Thanks & Regards
-Prabath
On Wed, May 15, 2019 at 1:06 AM Shanika Wickramasinghe
wrote:
> Hi All,
>
> I have tested the SAML SSO with POST binding and Redirect binding flows.
>
> +1 Go Ahead and Release
>
>
> Thanks,
>
> Shanika
>
>
> On Mon, May 13, 2019 at
Thanks Johann for the feedback... Yes, the consent management feature needs
improvement and we will work on it..
It would be very helpful if you could create git issues - so we won't miss
anything.
Thanks & Regards,
-Prabath
On Mon, Mar 25, 2019 at 5:18 AM Johann Nallathamby wrote:
> IAM Team,
I think we need to keep all complex provisioning logic outside IS as much
as possible. Not only transformation, but even reliable delivery. IMO we
can think about how microESB fits into these use cases.
Thanks & Regards
-Prabath
On Wed, Feb 20, 2019 at 1:09 AM Darshana Gunawardana
wrote:
> Hi
+1
Can you please create a new feature request - so we will not miss this
Thanks & regards
-Prabath
On Thu, Nov 1, 2018 at 1:24 AM Johann Nallathamby wrote:
> *Status Quo*
>
> Let's say there are two legitimate service providers A and B. Both A and B
> are registered in IdP X as SAML2
On Tue, Aug 7, 2018 at 4:42 AM, Farasath Ahamed wrote:
>
>
> On Tue, Aug 7, 2018 at 4:53 PM, Prabath Siriwardena
> wrote:
>
>> Hi Sathya,
>>
>> Yes... it is an extension to [1]...
>>
>> In this approach, we are going to avoid registration of
> [1] https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2.1
> [2] "[Architecture] [IS 5.5.0] TLS Mutual Authentication for OAuth 2.0
> clients"
>
> Thanks,
> Sathya
>
> On Tue, Aug 7, 2018 at 10:50 AM, Prabath Siriwardena
> wrote:
>
>> I guess
I guess the following scenario will be useful in a microservices deployment,
when we need to secure service to service communication.
Please find below the steps..
1. We create a service provider, and associate a CA's certificate
with it.
2. Now we have multiple microservices, each with a
On Thu, Nov 16, 2017 at 12:27 PM, Farasath Ahamed
wrote:
> The WSO2 Identity and Access Management team is pleased to announce the
> release of WSO2 Identity Server 5.4.0 Alpha 9.
>
> You can build the distribution from the source tag
>
Hi Youcef,
The mobile agent proxy was developed way back before RFC 8252.
This was around the same time the NAPPS working group was formed under the OpenID
Foundation.
Later, after the advancements in mobile operating systems - both Android
and iOS - the NAPPS effort was abandoned - and started working
On Wed, May 31, 2017 at 3:30 AM, Asela Pathberiya <as...@wso2.com> wrote:
>
>
> On Wed, May 31, 2017 at 2:38 PM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>
>>
>>
>> On Wed, May 31, 2017 at 1:16 AM, Asela Pathberiya <as...@wso2.com> wro
On Wed, May 31, 2017 at 1:16 AM, Asela Pathberiya <as...@wso2.com> wrote:
>
>
> On Mon, May 29, 2017 at 11:12 AM, Harsha Thirimanna <hars...@wso2.com>
> wrote:
>
>>
>>
>> On Wed, May 17, 2017 at 9:44 AM, Prabath Siriwardena <prab...@wso2.com
On Thu, May 25, 2017 at 3:43 AM, Ishara Karunarathna
wrote:
> Hi Ruwan,
>
> With my understanding, ACR is related to the authentication assurance level,
> or we can define a specific authentication level.
> Ex
> acr.level.1 = username pwd authentication
> acr.level.2 = step1 :
Hi Ruwan,
Please check whether my understanding is correct based on the following
mail..
1. We define set of ACR values at the framework level - which are agnostic
to the inbound protocols.
2. Each inbound protocol (OIDC, SAML) - can define their own ACR values -
but must be mapped to the ACR
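The two-layer design in the message above (framework-level ACR values, per-protocol vocabularies mapped onto them) as an added example. This is not Identity Server code: the framework levels, the step names and the OIDC acr_values URIs are constructed for illustration; the SAML AuthnContextClassRef URIs and the Comparison keywords (exact, minimum, better) are the ones defined by the SAML 2.0 authentication context spec, and OIDC acr_values are treated as "exact" against any of the listed values.

```python
"""Protocol-agnostic ACR levels with per-protocol mappings and step-up decisions.

Added example, not WSO2 Identity Server code. FRAMEWORK_LEVELS, the step names
and the urn:example OIDC values are constructed; the SAML class URIs are real.
"""

# Framework-level ACRs, agnostic to the inbound protocol: level -> steps that satisfy it (constructed)
FRAMEWORK_LEVELS = {
    1: ["basic"],              # username/password
    2: ["basic", "totp"],      # password plus a time-based one-time code
    3: ["basic", "fido-u2f"],  # password plus a hardware authenticator
}

# Each inbound protocol keeps its own ACR vocabulary but must map onto the framework levels
PROTOCOL_ACR = {
    "oidc": {  # acr_values as they would appear in an authorization request (constructed URIs)
        "urn:example:acr:password": 1,
        "urn:example:acr:mfa": 2,
        "urn:example:acr:hardware": 3,
    },
    "saml": {  # AuthnContextClassRef values from the SAML 2.0 authentication context spec
        "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport": 1,
        "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken": 2,
        "urn:oasis:names:tc:SAML:2.0:ac:classes:Smartcard": 3,
    },
}


def to_framework_levels(protocol, requested_values):
    """Translate the protocol's ACR values into framework levels; unmapped values are rejected, not ignored."""
    table = PROTOCOL_ACR[protocol]
    unknown = [v for v in requested_values if v not in table]
    if unknown:
        raise ValueError(f"unmapped {protocol} ACR value(s): {unknown}")
    return sorted({table[v] for v in requested_values})


def satisfies(session_level, levels, comparison):
    """SAML RequestedAuthnContext Comparison semantics; OIDC acr_values behave like 'exact'."""
    if session_level is None:  # no existing session at all
        return False
    if comparison == "exact":
        return session_level in levels
    if comparison == "minimum":
        return session_level >= min(levels)
    if comparison == "better":
        return session_level > max(levels)
    raise ValueError(f"unsupported comparison: {comparison}")  # 'maximum' deliberately not handled here


def step_up_plan(protocol, requested_values, session_level, comparison="exact", completed=()):
    """Return (target level, steps still owed); steps is [] when the session already satisfies the request."""
    levels = to_framework_levels(protocol, requested_values)
    if satisfies(session_level, levels, comparison):
        return session_level, []
    # least intrusive level that satisfies the request; 'better' needs one above the strongest requested
    target = max(levels) + 1 if comparison == "better" else min(levels)
    if target not in FRAMEWORK_LEVELS:
        raise ValueError(f"no framework level satisfies {comparison} {levels}")
    return target, [step for step in FRAMEWORK_LEVELS[target] if step not in completed]
```

The point of rejecting unmapped values rather than skipping them is that an SP asking for an ACR the IdP does not know must not silently fall through to the weakest step.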
On Thu, May 18, 2017 at 12:09 AM, Ishara Karunarathna <isha...@wso2.com>
wrote:
> Hi,
>
> On Wed, May 17, 2017 at 10:14 PM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>
>> At the moment we can't delete an identity provider, if it's associated
>> with on
ussion[1] related this for SAML bearer grant earlier as
> well. I think we could consider that improvement along with this fix.
>
> WDYT?
>
>
> [1] [Dev] Validate user against given user store and save correct user
> domain in saml2-bearer grant type
>
> On Wednesday, May 17,
At the moment we can't delete an identity provider, if it's associated with
one or more service providers.
Also - for the user there is no way to find out the associated service
providers for a given identity provider - without going through each and
every service provider config.
This is fine
Can we give the option to provision the user...? This requires no UI
changes - can read the option from the IdP config...
Thanks & regards,
-Prabath
On Tue, May 16, 2017 at 10:26 PM, Ishara Karunarathna <isha...@wso2.com>
wrote:
>
>
> On Wed, May 17, 2017 at 10:37 AM, Prabat
On Tue, May 16, 2017 at 10:04 PM, Ishara Karunarathna <isha...@wso2.com>
wrote:
>
>
> On Wed, May 17, 2017 at 10:26 AM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>
>> Also - related to JWT/SAML grant types - do we have an option to JIT
>> provision
Tue, May 16, 2017 at 8:58 PM, Pushpalanka Jayawardhana <la...@wso2.com>
wrote:
>
>
> On Tue, May 16, 2017 at 11:15 PM, Ishara Karunarathna <isha...@wso2.com>
> wrote:
>
>>
>>
>> On Tue, May 16, 2017 at 10:25 PM, Prabath Siriwardena <prab...@wso2.co
How do you figure out users from different idps?
Thanks & regards,
-Prabath
On Tue, May 16, 2017 at 7:23 AM, Pushpalanka Jayawardhana
wrote:
> Hi All,
>
> We have below 3 issues that are caused mainly because we don't have a
> clear way to distinguish local and federated users
Thanks for sharing! Will go through this...
Thanks & regards,
-Prabath
On Wed, Mar 8, 2017 at 9:28 PM, Srinath Perera wrote:
> Found from https://www.oreilly.com/ideas/building-machine-
> learning-solutions-that-can-withstand-adversarial-attacks
>
> Look very interesting
>
>
+1 for issuer - but please plan this post IS 6.0.0
Thanks & regards,
-Prabath
On Tue, Mar 7, 2017 at 11:16 AM, Johann Nallathamby wrote:
>
>
> On Tue, Mar 7, 2017 at 2:12 PM, Ishara Karunarathna
> wrote:
>
>> Hi Johan,
>>
>>
>>
>> On Mon, Feb 27, 2017 at
But.. this is returning back the whole user object...?
Thanks & regards,
-Prabath
On Wed, Feb 1, 2017 at 2:41 AM, Gayan Gunawardana <ga...@wso2.com> wrote:
> Hi Prabath,
>
> On Wed, Feb 1, 2017 at 1:47 AM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>
This seems to be a common requirement and its better to provide an
optimized operation for this.. even at the REST API level ? Do we have one
in SCIM?
During the user sign up process - people need to see whether the username
picked by the user is available before asking for the details..
Hi Isura,
Please find my comment inline...
On Fri, Jan 20, 2017 at 2:02 AM, Isura Karunaratne wrote:
> Hi all,
>
>
> We are working on implementing account lock/disable features for IS 6.0.0.
>
> *Account Lock: *
>
>- User *must not *be able to login to the system.
>-
Yes.. +1 for keeping this feature...
Thanks & regards,
-Prabath
On Wed, Jan 18, 2017 at 10:05 PM, Johann Nallathamby
wrote:
>
>
> On Thu, Jan 19, 2017 at 10:42 AM, Isura Karunaratne
> wrote:
>
>> Hi,
>>
>> In my opinion, admin defined security questions are
How about a scenario where BPS running with worker/manager separation..? In
that case we deploy it to the management node and in runtime requests go
through the worker nodes...
Thanks & regards,
-Prabath
On Tue, Sep 22, 2015 at 11:13 PM, Harsha Thirimanna
wrote:
> Hi All,
>
On Mon, Sep 21, 2015 at 8:44 PM, Rajith Vitharana <raji...@wso2.com> wrote:
> Hi Prabath,
>
> Sorry I missed the mail, yes it would be great if we can talk about this
> further.
>
>
>
> On Tue, Sep 22, 2015 at 1:54 AM, Prabath Siriwardena <prab...@wso2.c
+1
Thanks & regards,
-Prabath
On Mon, Sep 21, 2015 at 8:46 PM, Ishara Karunarathna <isha...@wso2.com>
wrote:
> Hi Prabath,
>
> On Mon, Sep 21, 2015 at 8:25 PM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>
>>
>>
>> On Mon, Sep 21, 2015 a
On Mon, Sep 21, 2015 at 12:49 AM, Ishara Karunarathna <isha...@wso2.com>
wrote:
> Hi Prabath,
>
> On Mon, Sep 21, 2015 at 12:09 PM, Prabath Siriwardena <prab...@wso2.com>
> wrote:
>
>> It looks like from the architecture, whether its a dumb or smart is a
>
At the moment you can write custom authenticators and plug them into the
system - and it would be a specific endpoint for the service provider.
But the challenge is adding SP-specific configurations - at the moment the IS
Service Provider does not pick up custom inbound authenticator configurations.
I
If I understand your requirement correctly, this is about a federation
scenario, where users are not under the domain of DSS.
I guess we need to fix a couple of things here..
When I last looked into DSS - the way the DSS picks the username is from
the UT header - and the DS must be secured with UT
I guess the question here is related to deleting a workflow request itself
- and if I understood correctly from your description, at the moment it's
user based. Only the user who initiated the workflow request can delete it ?
This looks like a limitation.. Nandika/Chathura, WDYT..?
Thanks &
Hi Nuwan,
Yes.. I was referring to the inbound traffic...
BTW do you see a real use for this outbound with Digest Auth..? I have not
seen many systems using this..
Thanks & regards,
-Prabath
On Thu, Sep 3, 2015 at 4:58 AM, Nuwan Dias wrote:
> Hi Prabath,
>
> You're referring
I think one common problem we need to address is to deploy service
providers/ identity providers across tenants...
If we use a file based approach - we should only use that. Do we have the
registry-based dep-sync working now..?
Also -1 to do any of the changes to 5.1.0 - it's already months
Hi Chathura,
I guess both your use cases fall into the same.
Both of the scenarios need authentication.
The first scenario differs from the second based on the person who
generates the token.
In the first scenario - the one who logs into the App Manager - pushes the
download link to a set of
, either we have to design
workflows without having any dependencies among tasks or we should support
restrictions on workflow templates (e.g. if task B is included then task A
has to be included).
Regards,
Chathura
On Wed, Jul 15, 2015 at 1:42 AM, Prabath Siriwardena prab...@wso2.com
wrote
Hi Azeez,
Yes - we discussed to implement this for Carbon 5 with the new UM API
design. We would need someone to get started on this...
Thanks regards,
-Prabath
On Tue, Jul 14, 2015 at 3:08 AM, Afkham Azeez az...@wso2.com wrote:
Hi Prabath,
What do you think about $subject? Can we ditch the
It looks like there is still some confusion regarding the IS workflow
implementation. So, I thought of sharing my thoughts on the design - and
hopefully this will be helpful to clear out the doubts.
AFAIK - the framework for the following is already implemented.
Basic design principles.
1. Simplicity.
BTW yes - lets have a discussion on this again - because this is not just
IS thing - and can be used by any other product which needs to have
workflow support..
Thanks regards,
-Prabath
On Tue, Jul 14, 2015 at 1:07 PM, Prabath Siriwardena prab...@wso2.com
wrote:
Hi Suemdha,
We discussed
.
-
Isabelle Mauny
VP, Product Management - WSO2, Inc. - http://wso2.com/
On Tue, Jul 14, 2015 at 6:22 PM, Prabath Siriwardena prab...@wso2.com
wrote:
It looks like there is still some confusion regarding
PM, Sumedha Rubasinghe sume...@wso2.com
wrote:
Prabath,
I think this has some overlaps and improvements compared to what we have
done for API Manager about 2 years ago.
Let's have a discussion on how to bring best of both worlds.
On Wed, Jul 15, 2015 at 12:49 AM, Prabath Siriwardena prab
to be compatible with
the corresponding workflow template...
Thanks regards,
-Prabath
Regards,
Chathura
On Wed, Jul 15, 2015 at 1:42 AM, Prabath Siriwardena prab...@wso2.com
wrote:
BTW yes - lets have a discussion on this again - because this is not just
IS thing - and can be used by any other
Please have a look at [1] - if we have not already...
Pavithra, let's have test cases based on the doc...
[1]:
https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-u2f-implementation-considerations-ps-20141009.pdf
--
Thanks Regards,
Prabath
Twitter : @prabath
LinkedIn :
On Sat, May 9, 2015 at 9:17 PM, Prabath Siriwardena prab...@wso2.com
wrote:
[resending with less number of recipients - since this was bounced back
previously due to that]
On Sat, May 9, 2015 at 5:32 PM, Prabath Siriwardena prab...@wso2.com
wrote:
Please find the details at
http
[resending with less number of recipients - since this was bounced back
previously due to that]
On Sat, May 9, 2015 at 5:32 PM, Prabath Siriwardena prab...@wso2.com
wrote:
Please find the details at
http://blog.facilelogin.com/2015/05/identity-mediation-language-iml.html
Appreciate your
Admin service WSDL fixes the contract between the actual service
implementation and the client.
If you take ServiceProviderRegistration service in IS - then the
Service Provider Registration UI is one client - and also App Manager
is another client. There can be many clients as well.
Right now we
AFAIK the $subject is not working today.
Can we please get that fixed...? This would lead us to many more
useful integration patterns...
--
Thanks Regards,
Prabath
Twitter : @prabath
LinkedIn : http://www.linkedin.com/in/prabathsiriwardena
Mobile : +1 650 625 7950
Please find the details at
http://blog.facilelogin.com/2014/10/poodle-attack-and-disabling-ssl-v3-in_69.html
Thanks regards,
-Prabath
On Thu, Oct 30, 2014 at 9:26 PM, Niranda Perera nira...@wso2.com wrote:
Hi all,
This follows Prabath's blog post on POODLE Attack and Disabling SSL V3 in
If you say Basic Auth is easy - then there is no difference in using OAuth
too:-)
Basically the resource owner credentials grant type was introduced in OAuth
to migrate clients from Basic/Digest authentication into OAuth...
By looking at the use case - its clearly something to do with the
+1 for using OAuth..
Please also think of the cost of maintaining and provisioning keys between
servers in a clustered setup and the requirement of having an OAuth
authorization server.
Please see the approach suggested here [1] self-issued self-contained
access tokens. This approach reduces all
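The self-contained access tokens mentioned here, and the revocation drawback raised in the "make all the tokens JWT by default" message at the top of this page, as one added example. This is not Identity Server code and not the approach from [1]: it assumes an HS256 key shared by whichever servers issue and validate tokens (a constructed demo key below), a revocation map keyed by jti that stands in for a shared store, and RFC 7519 claim names. Nothing in it calls an authorization server, which is what makes the token self-issued; validation is local, and revocation is the usual workaround of a short exp plus a per-token jti denylist that the validator consults.

```python
"""Self-contained (JWT) access tokens, validated locally, with jti-based revocation.

Added example, not WSO2 Identity Server code. Assumes an HS256 key shared by
the servers that issue and validate tokens (constructed below) and a
revocation map that stands in for a shared store; claim names follow RFC 7519.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

DEMO_KEY = b"constructed-demo-key-not-for-production"  # assumption: provisioned out of band
REVOKED_JTIS = {}  # jti -> exp of the revoked token; an entry can be dropped once exp has passed


class TokenError(Exception):
    pass


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(subject, scopes, ttl_seconds, key=DEMO_KEY, now=None):
    """Mint an HS256 JWT. A short ttl plus a random per-token jti is the usual revocation workaround."""
    now = int(time.time() if now is None else now)
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": "idp.example", "sub": subject, "scope": " ".join(scopes),
              "iat": now, "exp": now + ttl_seconds, "jti": secrets.token_hex(16)}
    parts = [_b64url(json.dumps(obj, separators=(",", ":")).encode()) for obj in (header, claims)]
    signature = hmac.new(key, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(signature)])


def _verified_claims(token, key):
    """Signature check first; nothing in the payload is trusted before it passes."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_unb64url(h_b64))
        signature = _unb64url(s_b64)
    except ValueError:  # wrong part count, bad base64 or bad JSON
        raise TokenError("malformed")
    if not isinstance(header, dict) or header.get("alg") != "HS256":  # pin the algorithm, never trust the token's choice
        raise TokenError("unexpected alg")
    expected = hmac.new(key, f"{h_b64}.{c_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    try:
        claims = json.loads(_unb64url(c_b64))
    except ValueError:
        raise TokenError("malformed")
    if not isinstance(claims, dict) or "jti" not in claims or "exp" not in claims:
        raise TokenError("malformed")
    return claims


def validate_token(token, key=DEMO_KEY, now=None, revoked=REVOKED_JTIS):
    """Local validation, no call back to the issuer: signature, then exp, then the revocation map."""
    claims = _verified_claims(token, key)
    now = time.time() if now is None else now
    if claims["exp"] <= now:
        raise TokenError("expired")
    if claims["jti"] in revoked:
        raise TokenError("revoked")
    return claims


def revoke_token(token, key=DEMO_KEY, revoked=REVOKED_JTIS):
    """Only a token we signed can be revoked, so forged input cannot poison the map."""
    claims = _verified_claims(token, key)
    revoked[claims["jti"]] = claims["exp"]


def purge_revoked(now=None, revoked=REVOKED_JTIS):
    """Forget revocations for tokens that have expired anyway; returns how many were dropped."""
    now = time.time() if now is None else now
    stale = [jti for jti, exp in revoked.items() if exp <= now]
    for jti in stale:
        del revoked[jti]
    return len(stale)


def token_status(token, key=DEMO_KEY, now=None, revoked=REVOKED_JTIS):
    """'valid' or the reason validation failed; handy for logging at the resource server."""
    try:
        validate_token(token, key, now, revoked)
        return "valid"
    except TokenError as err:
        return str(err)
```

The revocation map only ever has to remember a jti until that token's own exp, so its size is bounded by the token lifetime times the revocation rate; in a multi-region setup it is the one piece of state that still has to be replicated.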
Quick feedback - please do not use DTO in the name: ExtKeyMgtAppInfoDTO
Thanks regards,
-Prabath
On Wed, Oct 15, 2014 at 6:27 PM, Sanjeewa Malalgoda sanje...@wso2.com
wrote:
Hi All,
Here is a brief update on the status of the External Key Management server - APIM
integration implementation.
We will
, Ravindra Ranwala ravin...@wso2.com
wrote:
Hi All,
Thanks a lot for the valuable feedback given. We'll consider all these
things when we implement this solution in our iPAAS.
Regards,
On Thu, Sep 25, 2014 at 11:08 AM, Prabath Siriwardena prab...@wso2.com
wrote:
According to the OAuth 2.0
I think it's true to some extent that some OAuth authorization servers (AS)
use their own configuration parameters and also somewhat deviate from the
OAuth specification.
What you can do is - keep basic OAuth 1.0 and 2.0 modules and if you see
a given AS has changed the behavior - extend from
deviates from the OAuth 2.0 Bearer Token Profile.
Following is a request to the LinkedIn UserInfo endpoint...
curl
https://api.linkedin.com/v1/people/~?oauth2_access_token=AQVKwPCyJoTDl9CZl5ID9S9hig9qd0P
Thanks regards,
-Prabath
On Thu, Sep 25, 2014 at 11:02 AM, Prabath Siriwardena prab...@wso2
+1
For JWS and JWE you can directly use Nimbus[1] java library which is
released under Apache 2.0 license..
[1]: http://connect2id.com/products/nimbus-jose-jwt/download
Thanks regards,
-Prabath
On Sat, Sep 6, 2014 at 11:22 PM, Gayan Gunawardana ga...@wso2.com wrote:
Hi,
Currently WSO2
Great..!!! Can we also start with iOS app...?
Also - can you please test this with IS 4.1.0..?
Thanks regards,
-Prabath
On Thu, Mar 27, 2014 at 4:31 PM, Gayan Gunawardana ga...@wso2.com wrote:
Hi All,
Still code with ongoing development, but anybody who is interested can try
it
Android
I think the right approach is to use [1]. UserSelfRegistrationService will
add users to the Identity role by default. But, if you want to add the user
to the subscriber role, you can make it configurable.
Also - with UserSelfRegistrationService - you can specify to which user
stores you need to
On Tue, Jan 21, 2014 at 5:23 PM, Lalaji Sureshika lal...@wso2.com wrote:
Hi,
In addition to Tanya's notes, the following features/improvements are noted as we
expect to complete from the ES side [sorry, if I repeat a few..], while Sameera is
working on adding APIM related custom pages and functionalities
in the identity.xml.
I do not think we can configure multiple roles (multiple SignUpRole
elements). If not, we can fix it as well
Thanks.
Asela.
Thanks;
On Wed, Jan 22, 2014 at 2:30 PM, Lalaji Sureshika lal...@wso2.comwrote:
Hi,
On Wed, Jan 22, 2014 at 2:04 PM, Prabath Siriwardena
+1
Thanks regards,
-Prabath
On Wed, Jan 22, 2014 at 7:29 PM, Lalaji Sureshika lal...@wso2.com wrote:
Hi,
On Wed, Jan 22, 2014 at 5:36 PM, Prabath Siriwardena prab...@wso2.comwrote:
If this is per tenant - you cannot do it via a configuration in the
identity.xml...
Ideally the tenant
, Prabath Siriwardena prab...@wso2.comwrote:
If this is per tenant - you cannot do it via a configuration in the
identity.xml...
Ideally the tenant admin should have an option in the UI to
enable/disable SelfSignUp and if it is enabled he should be able to specify
the default role or the role list
joh...@wso2.com wrote:
Hi Prabath,
One more suggestion I wanted to tell and missed is, what if we have the
Identifier classes of each entity as a static nested class of the
corresponding entity? This way it will make the packaging more neat.
On Thu, Dec 19, 2013 at 1:26 PM, Prabath
, Prabath Siriwardena prab...@wso2.comwrote:
A nested class should exist only to serve its enclosing class... if the
purpose of it goes beyond that - then it should be a top level one. For
that reason, I didn't want to have Identifier classes as nested classes...
I was only thinking about
Should we use api in the API package name ?
I think we should not..
Currently we have org.wso2.carbon.user.api, org.wso2.carbon.regostry.api
and possibly many more..
I think we should avoid putting API in the package name - and it should be
quite obvious..
For example, in Java - in JDBC API [1] -
, 2013 at 6:00 PM, Prabath Siriwardena
prab...@wso2.comwrote:
Should we use api in the API package name ?
I think we should not..
Currently we have org.wso2.carbon.user.api,
org.wso2.carbon.regostry.api and possibly many more..
I think we should avoid putting API in the package name
A design review scheduled on 10th Dec - Tuesday..
Thanks regards,
-Prabath
On Sat, Dec 7, 2013 at 1:01 PM, Prabath Siriwardena prab...@wso2.comwrote:
Identity team was working on designing the user core API during last week.
Please find the high-level design attached.
Each Tenant
within ESB language itself, it will be an added
plus. (This is like we have to go to Axis2 level to configure transports
now).
--Srinath
On Thu, Nov 14, 2013 at 1:23 AM, Prabath Siriwardena prab...@wso2.comwrote:
Ideally it should be a handler - not a mediator... This should get
executed
Ideally it should be a handler - not a mediator... This should get executed
before the message comes to the inSequence.
Thanks regards,
-Prabath
On Wed, Nov 13, 2013 at 10:24 PM, Miyuru Wanninayaka miy...@wso2.comwrote:
Hi all,
Currently most security stuff handled at rampart level (except
IdP always issues claims from its own dialect. If we want application
specific claims - that is a functionality of the resource STS.
Thanks regards,
-Prabath
On Mon, Nov 11, 2013 at 3:59 AM, Asela Pathberiya as...@wso2.com wrote:
On Mon, Nov 11, 2013 at 4:18 PM, Prabath Siriwardena prab
IdP always issues claims from its own dialect. If we want application
specific claims - that is a functionality of the resource STS.
Thanks regards,
-Prabath
On Mon, Nov 11, 2013 at 5:29 PM, Asela Pathberiya as...@wso2.com wrote:
On Mon, Nov 11, 2013 at 4:18 PM, Prabath Siriwardena prab
Hi Johann,
Please find comment inline...
On Mon, Nov 11, 2013 at 9:35 AM, Johann Nallathamby joh...@wso2.com wrote:
Hi Prabath,
+1 for the concept. Some concerns and thoughts inline.. bear with me for
my lengthy verbose arguments.. [?]
On Mon, Nov 11, 2013 at 3:12 AM, Prabath Siriwardena
at 3:12 AM, Prabath Siriwardena
prab...@wso2.comwrote:
1. What is an Application under the context of Identity Server ?
Its a consumer of identity attributes, roles (and groups),
authentication methods/ policies and authorization policies. In practice,
this could be a web application, mobile
On Mon, Nov 11, 2013 at 10:41 AM, Ishara Karunarathna isha...@wso2.comwrote:
Hi,
On Mon, Nov 11, 2013 at 9:58 AM, Prabath Siriwardena prab...@wso2.comwrote:
Hi Johann,
Please find comment inline...
On Mon, Nov 11, 2013 at 9:35 AM, Johann Nallathamby joh...@wso2.comwrote:
Hi Prabath
On Mon, Nov 11, 2013 at 11:26 AM, Ishara Karunarathna isha...@wso2.comwrote:
On Mon, Nov 11, 2013 at 11:07 AM, Prabath Siriwardena prab...@wso2.comwrote:
On Mon, Nov 11, 2013 at 10:41 AM, Ishara Karunarathna
isha...@wso2.comwrote:
Hi,
On Mon, Nov 11, 2013 at 9:58 AM, Prabath
joh...@wso2.com wrote:
On Mon, Nov 11, 2013 at 1:01 PM, Prabath Siriwardena prab...@wso2.com
wrote:
On Mon, Nov 11, 2013 at 11:47 AM, Johann Nallathamby joh...@wso2.com
wrote:
Yes, we don't have to encrypt the consumer key, but still I feel we can use
a different
Yes.. We cannot give the same access token for different scopes.
+1 for fixing this.
Thanks...
Sent from my mobile device
On Oct 25, 2013, at 5:29 PM, Asela Pathberiya as...@wso2.com wrote:
Hi All,
AFAIK, currently OAuth2 token endpoint returns the same access token for
different
for the scenario where IS is
behaving as a consumer.
Regards,
Venura
On Tue, Oct 22, 2013 at 11:15 AM, Prabath Siriwardena prab...@wso2.comwrote:
Why not we maintain all the ids from external CSP - against the
externalid ? Then we do not need to worry about doing two calls..
Thanks regards
How do we handle SAML2 sessions now..?
I believe we keep it in-memory..
Keeping this in-memory won't scale - as these sessions are supposed to live long..
and also won't be accessed frequently..
Can we use an LRU cache - and persist the SAML2 sessions..?
Thoughts please..
Thanks Regards,
Prabath
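The LRU-in-front-of-a-persistent-store idea from the message above, as an added example (not Identity Server code). It assumes sqlite3 as the persistent store (in-memory here so it runs stand-alone; a file or shared database in practice), an injectable clock, and a session record holding only what single logout needs: an unguessable SessionIndex, the subject, the participating SPs and an expiry. The table is authoritative; eviction from the LRU never loses a session, and expiry is enforced on read from either tier.

```python
"""Long-lived SAML2 sessions: a bounded in-memory LRU in front of a persistent table.

Added example, not WSO2 Identity Server code. sqlite3 stands in for the
persistent store and the clock is injectable so expiry can be tested.
"""
import json
import secrets
import sqlite3
import time
from collections import OrderedDict


class SamlSessionStore:
    """LRU cache in front of a persistent table; the table is authoritative."""

    def __init__(self, db_path=":memory:", cache_size=1000, ttl_seconds=8 * 3600, clock=time.time):
        self._db = sqlite3.connect(db_path)
        self._db.execute(
            "CREATE TABLE IF NOT EXISTS saml_session ("
            "session_index TEXT PRIMARY KEY, subject TEXT NOT NULL, "
            "participants TEXT NOT NULL, expires_at REAL NOT NULL)"
        )
        self._cache = OrderedDict()
        self._cache_size = cache_size
        self._ttl = ttl_seconds
        self._clock = clock
        self.db_reads = 0  # counts cache misses that went to the store

    def _remember(self, session_index, record):
        self._cache[session_index] = record
        self._cache.move_to_end(session_index)
        while len(self._cache) > self._cache_size:
            self._cache.popitem(last=False)  # evict least recently used; the row stays in the table

    def create(self, subject, first_participant):
        session_index = secrets.token_urlsafe(24)  # SessionIndex must be unguessable
        record = {"subject": subject, "participants": [first_participant],
                  "expires_at": self._clock() + self._ttl}
        self._db.execute("INSERT INTO saml_session VALUES (?, ?, ?, ?)",
                         (session_index, subject, json.dumps(record["participants"]), record["expires_at"]))
        self._db.commit()
        self._remember(session_index, record)
        return session_index

    def get(self, session_index):
        """Cache first, then the table; an expired session is removed on sight and reported as absent."""
        record = self._cache.get(session_index)
        if record is None:
            self.db_reads += 1
            row = self._db.execute(
                "SELECT subject, participants, expires_at FROM saml_session WHERE session_index = ?",
                (session_index,)).fetchone()
            if row is None:
                return None
            record = {"subject": row[0], "participants": json.loads(row[1]), "expires_at": row[2]}
        if record["expires_at"] <= self._clock():
            self.delete(session_index)
            return None
        self._remember(session_index, record)
        return record

    def add_participant(self, session_index, sp_entity_id):
        """Another SP joined the SSO session; write through so SLO still reaches it after a restart."""
        record = self.get(session_index)
        if record is None:
            raise KeyError("unknown or expired session")
        if sp_entity_id not in record["participants"]:
            record["participants"].append(sp_entity_id)
            self._db.execute("UPDATE saml_session SET participants = ? WHERE session_index = ?",
                             (json.dumps(record["participants"]), session_index))
            self._db.commit()
        return list(record["participants"])

    def delete(self, session_index):
        self._cache.pop(session_index, None)
        self._db.execute("DELETE FROM saml_session WHERE session_index = ?", (session_index,))
        self._db.commit()

    def logout(self, session_index):
        """Single logout: return the SPs that need a LogoutRequest, then drop the session everywhere."""
        record = self.get(session_index)
        participants = list(record["participants"]) if record else []
        self.delete(session_index)
        return participants
```

Sizing the LRU to the number of sessions active in the last few minutes rather than the number alive keeps memory flat while the table carries the long tail.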
There are three use cases..
1. SCIM consumer sends a provisioning request to IS - which is the SCIM CSP.
2. [1] Identity Server provisions the user to other CSPs
3. Adding a user from the IS management console and provisioning the user to
other connected CSPs.
How do we handle id/externalid/userName
, scimId etc).
IMO externalId is not a useful attribute in the spec. [1] has
some arguments on this.
[1] http://www.infoq.com/articles/scim-data-model-limitations
Please add anything missing or wrong.
Thanks,
On Mon, Oct 21, 2013 at 10:45 PM, Prabath Siriwardena prab...@wso2
at 4:53 AM, Prabath Siriwardena prab...@wso2.comwrote:
When IS provisions users to other connected systems - are we maintaining
the list of id's returned by each CSP...?
IMO externalid is also useful. A given externalid could map to multiple
id's returned by CSPs.
Thanks regards,
-Prabath
providers handle the request by taking the user name and identifying
to which resource the operation should be applied.
Regards,
Venura
On Tue, Oct 22, 2013 at 9:15 AM, Prabath Siriwardena
prab...@wso2.comwrote:
On Tue, Oct 22, 2013 at 3:09 PM, Ishara Karunarathna
isha...@wso2.comwrote
,
-Prabath
On Tue, Oct 22, 2013 at 5:55 PM, Venura Kahawala ven...@wso2.com wrote:
Hi,
On Tue, Oct 22, 2013 at 10:17 AM, Prabath Siriwardena prab...@wso2.comwrote:
On Tue, Oct 22, 2013 at 5:41 PM, Venura Kahawala ven...@wso2.com wrote:
Hi,
Also - how spec compliant - is it to do
-Type:application/json *
https://localhost:9443/wso2/scim/Users/48f7cfe5-f0e3-4a67-af7e-d762aa9ab215
*
Regards,
Venura
On Tue, Oct 22, 2013 at 10:37 AM, Prabath Siriwardena prab...@wso2.comwrote:
In that case it's with an id - not a direct PUT to /Users. It's like
/Users/id
To sort out any confusion
.. We do two calls when we do outbound
provisioning..? One to get the id and then the PUT
Thanks regards,
-Prabath
Regards,
Venura
On Tue, Oct 22, 2013 at 11:05 AM, Prabath Siriwardena prab...@wso2.comwrote:
But for outbound provisioning from IS we cannot do the same now - as we
do
How do we do this in API - Store / Publisher ? Can we host the API Store /
Publisher in a different Application Server and still point to the same
user base behind the API Manager..?
Thanks regards,
-Prabath
On Wed, Oct 9, 2013 at 7:32 PM, Venura Kahawala ven...@wso2.com wrote:
Hi,
I'm now
Thanks,
-Suresh
On Wed, Oct 2, 2013 at 2:47 AM, Prabath Siriwardena prab...@wso2.comwrote:
+1
Currently IS and API-M use two different services for token validation.
So - lets get rid-of this code duplication first and then work on the
improvements...
Thanks regards,
-Prabath
On Wed
.
On Fri, Oct 4, 2013 at 7:25 AM, Prabath Siriwardena prab...@wso2.comwrote:
This is done by the handler
t/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/util/APIManagerOAuthCallbackHandler.java
Scope is case sensitive - and when we issue a token against a provided
+1
Currently IS and API-M use two different services for token validation. So
- lets get rid-of this code duplication first and then work on the
improvements...
Thanks regards,
-Prabath
On Wed, Oct 2, 2013 at 11:05 AM, Johann Nallathamby joh...@wso2.com wrote:
Currently the OAuth2 scopes
The requirement is to process the token issue request at the Key Manager
before actually processing the request.
Following two methods will be introduced to the
org.wso2.carbon.identity.oauth2.OAuth2ServiceListener interface - and these
will be invoked from the
+1 for that.. Only downside - tenant is loaded not on demand..
Another approach is..
Currently the tenant is loaded by looking at the URL.. say for example - if
the url says - /t/wso2.com - this will make wso2.com to be loaded if it is
not loaded already.
The issue with authentication is - we
Won't it be late to load the tenant at this moment? As the changes needs
to be checked out from the repo , for authentication to be successful, are
we to hold the decision using some mechanism till the check out completes?
This is the same behavior you see when you login to management
Hi Sumedha,
This needs to be better modeled after A Method of Bearer Token
Redelegation and Chaining for OAuth 2
http://tools.ietf.org/id/draft-richer-oauth-chain-00.txt
The grant type needs to be urn:ietf:params:oauth:grant_type:redelegate
And also - we should not provide a refresh token in
is the best method to overcome the SCEP vulnerability.
On Mon, Aug 5, 2013 at 10:39 AM, Prabath Siriwardena prab...@wso2.comwrote:
I guess user challenge it self is not enough.. We also need to validate
the SCEP request..
Thanks regards,
-Prabath
On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah
any time it can be replaced
with anything. Ideally which I believe this part needs to be handled by IS
and MDM only communicate with it through the information provided at the
deployment time.
Regards,
Dilshan
On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena prab...@wso2.comwrote:
Just
will be done based on the user challenge before it gets passed to it. The
validation part is not done.
Also there is a performance issue in the time taken to enroll a device,
Mayuran is working on that along with the validation.
Thanks,
-Shan
On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena prab
On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana sanj...@wso2.comwrote:
Dilshan Prabath, should the SCEP server code ship with IS by default?
Prabath I remember a long discussion about certificate issuing and
distribution 3-4 years ago but don't think we ended up implementing yet ..
is