Re: [Architecture] Non persistent Access Tokens

2019-06-24 Thread Prabath Siriwardena
+1 This is what we plan in IS too - to make all the tokens JWT by default. This approach also helps in multi-regional setups. The drawback is the revocation. But we can find a workaround for that. Thanks & Regards -Prabath On Mon, Jun 24, 2019 at 10:23 PM Nuwan Dias wrote: > Hi, > > I've

Re: [Architecture] [Dev][VOTE] Release WSO2 Identity Server 5.8.0 RC2

2019-05-15 Thread Prabath Siriwardena
+1 to go ahead with the release Thanks & Regards -Prabath On Wed, May 15, 2019 at 1:06 AM Shanika Wickramasinghe wrote: > Hi All, > > I have tested the SAML SSO with POST binding and Redirect binding flows. > > +1 Go Ahead and Release > > > Thanks, > > Shanika > > > On Mon, May 13, 2019 at

Re: [Architecture] [IAM] Problems Discovered in Consent Management in WSO2 IS

2019-03-25 Thread Prabath Siriwardena
Thanks Johann for the feedback... Yes, the consent management feature needs improvement and we will work on them.. It would be very helpful if you can create git issues - so we won't miss anything. Thanks & Regards, -Prabath On Mon, Mar 25, 2019 at 5:18 AM Johann Nallathamby wrote: > IAM Team,

Re: [Architecture] [IAM][New Feature] Claim Transformation for Provisioning Use Cases

2019-02-20 Thread Prabath Siriwardena
I think we need to keep all complex provisioning logic outside IS as much as possible. Not only transformation, but even reliable delivery. IMO we can think about how microESB fits into these use cases. Thanks & Regards -Prabath On Wed, Feb 20, 2019 at 1:09 AM Darshana Gunawardana wrote: > Hi

Re: [Architecture] [IAM] Additional Security for SAML2/JWT Bearer Assertion Grant Flows

2018-11-01 Thread Prabath Siriwardena
+1 Can you please create a new feature request - so we will not miss this Thanks & regards -Prabath On Thu, Nov 1, 2018 at 1:24 AM Johann Nallathamby wrote: > *Status Quo* > > Let's say there are two legitimate service providers A and B. Both A and B > are registered in IdP X as SAML2

Re: [Architecture] OAuth clients based on a trusted CA

2018-08-07 Thread Prabath Siriwardena
On Tue, Aug 7, 2018 at 4:42 AM, Farasath Ahamed wrote: > > > On Tue, Aug 7, 2018 at 4:53 PM, Prabath Siriwardena > wrote: > >> Hi Sathya, >> >> Yes... it is an extension to [1]... >> >> In this approach, we are going to avoid registration of

Re: [Architecture] OAuth clients based on a trusted CA

2018-08-07 Thread Prabath Siriwardena
> [1] https://tools.ietf.org/html/draft-ietf-oauth-mtls-07#section-2.1 > [2] "[Architecture] [IS 5.5.0] TLS Mutual Authentication for OAuth 2.0 > clients" > > Thanks, > Sathya > > On Tue, Aug 7, 2018 at 10:50 AM, Prabath Siriwardena > wrote: > >> I guess

[Architecture] OAuth clients based on a trusted CA

2018-08-06 Thread Prabath Siriwardena
I guess the following scenario will be useful in a microservices deployment, when we need to secure service to service communication. Please find below the steps.. 1. We create a service provider, and associate a CA's certificate with it. 2. Now we have multiple microservices, each with a

Re: [Architecture] WSO2 Identity Server 5.4.0 Alpha 9 Released !!!

2017-11-20 Thread Prabath Siriwardena
On Thu, Nov 16, 2017 at 12:27 PM, Farasath Ahamed wrote: > The WSO2 Identity and Access Management team is pleased to announce the > release of WSO2 Identity Server 5.4.0 Alpha 9. > > You can build the distribution from the source tag >

Re: [Architecture] APIM & AppAuth-Android samples

2017-11-13 Thread Prabath Siriwardena
Hi Youcef, The mobile agent proxy was developed way back before RFC 8252. This is the same time when the NAPPS working group was formed under the OpenID Foundation. Later, after the advancements in mobile operating systems - both in Android and iOS - the NAPPS effort was abandoned - and started working

Re: [Architecture] Force Delete Identity Providers

2017-05-31 Thread Prabath Siriwardena
On Wed, May 31, 2017 at 3:30 AM, Asela Pathberiya <as...@wso2.com> wrote: > > > On Wed, May 31, 2017 at 2:38 PM, Prabath Siriwardena <prab...@wso2.com> > wrote: > >> >> >> On Wed, May 31, 2017 at 1:16 AM, Asela Pathberiya <as...@wso2.com> wro

Re: [Architecture] Force Delete Identity Providers

2017-05-31 Thread Prabath Siriwardena
On Wed, May 31, 2017 at 1:16 AM, Asela Pathberiya <as...@wso2.com> wrote: > > > On Mon, May 29, 2017 at 11:12 AM, Harsha Thirimanna <hars...@wso2.com> > wrote: > >> >> >> On Wed, May 17, 2017 at 9:44 AM, Prabath Siriwardena <prab...@wso2.com

Re: [Architecture] [IS] IS 5.5.0 += Adaptive Authentication

2017-05-30 Thread Prabath Siriwardena
On Thu, May 25, 2017 at 3:43 AM, Ishara Karunarathna wrote: > Hi Ruwan, > > With my understanding ACR is related to the authenticated assurance level. > or we can define specific authentication level. > Ex > acr.level.1 = username pwd authentication > acr.level.2 = step1 :

Re: [Architecture] [IS] IS 5.5.0 += Adaptive Authentication

2017-05-30 Thread Prabath Siriwardena
Hi Ruwan, Please check whether my understanding is correct based on the following mail.. 1. We define a set of ACR values at the framework level - which are agnostic to the inbound protocols. 2. Each inbound protocol (OIDC, SAML) - can define their own ACR values - but must be mapped to the ACR

Re: [Architecture] Force Delete Identity Providers

2017-05-18 Thread Prabath Siriwardena
On Thu, May 18, 2017 at 12:09 AM, Ishara Karunarathna <isha...@wso2.com> wrote: > Hi, > > On Wed, May 17, 2017 at 10:14 PM, Prabath Siriwardena <prab...@wso2.com> > wrote: > >> At the moment we can't delete an identity provider, if it's associated >> with on

Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-17 Thread Prabath Siriwardena
ussion[1] related this for SAML bearer grant earlier as > well. I think we could consider that improvement along with this fix. > > WDYT? > > > [1] [Dev] Validate user against given user store and save correct user > domain in saml2-bearer grant type > > On Wednesday, May 17,

[Architecture] Force Delete Identity Providers

2017-05-17 Thread Prabath Siriwardena
At the moment we can't delete an identity provider, if it's associated with one or more service providers. Also - for the user there is no way to find out the associated service providers for a given identity provider - without going through each and every service provider config. This is fine

Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Prabath Siriwardena
Can we give the option to provision the user...? This requires no UI changes - can read the option from the IdP config... Thanks & regards, -Prabath On Tue, May 16, 2017 at 10:26 PM, Ishara Karunarathna <isha...@wso2.com> wrote: > > > On Wed, May 17, 2017 at 10:37 AM, Prabat

Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Prabath Siriwardena
On Tue, May 16, 2017 at 10:04 PM, Ishara Karunarathna <isha...@wso2.com> wrote: > > > On Wed, May 17, 2017 at 10:26 AM, Prabath Siriwardena <prab...@wso2.com> > wrote: > >> Also - related to JWT/SAML grant types - do we have an option to JIT >> provision

Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Prabath Siriwardena
Tue, May 16, 2017 at 8:58 PM, Pushpalanka Jayawardhana <la...@wso2.com> wrote: > > > On Tue, May 16, 2017 at 11:15 PM, Ishara Karunarathna <isha...@wso2.com> > wrote: > >> >> >> On Tue, May 16, 2017 at 10:25 PM, Prabath Siriwardena <prab...@wso2.co

Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-16 Thread Prabath Siriwardena
How do you figure out users from different idps? Thanks & regards, -Prabath On Tue, May 16, 2017 at 7:23 AM, Pushpalanka Jayawardhana wrote: > Hi All, > > We have below 3 issues that are caused mainly because we don't have a > clear way to distinguish local and federated users

Re: [Architecture] Applying Machine Learning in Security - A Survey

2017-03-08 Thread Prabath Siriwardena
Thanks for sharing! Will go through this... Thanks & regards, -Prabath On Wed, Mar 8, 2017 at 9:28 PM, Srinath Perera wrote: > Found from https://www.oreilly.com/ideas/building-machine- > learning-solutions-that-can-withstand-adversarial-attacks > > Look very interesting > >

Re: [Architecture] A Claim MUST have a Issuer

2017-03-07 Thread Prabath Siriwardena
+1 for issuer - but please plan this post IS 6.0.0 Thanks & regards, -Prabath On Tue, Mar 7, 2017 at 11:16 AM, Johann Nallathamby wrote: > > > On Tue, Mar 7, 2017 at 2:12 PM, Ishara Karunarathna > wrote: > >> Hi Johan, >> >> >> >> On Mon, Feb 27, 2017 at

Re: [Architecture] [IS] [C5] Check Whether User Exist in User Stores

2017-02-01 Thread Prabath Siriwardena
But.. this is returning back the whole user object...? Thanks & regards, -Prabath On Wed, Feb 1, 2017 at 2:41 AM, Gayan Gunawardana <ga...@wso2.com> wrote: > Hi Prabath, > > On Wed, Feb 1, 2017 at 1:47 AM, Prabath Siriwardena <prab...@wso2.com> > wrote: &g

Re: [Architecture] [IS] [C5] Check Whether User Exist in User Stores

2017-01-31 Thread Prabath Siriwardena
This seems to be a common requirement and it's better to provide an optimized operation for this.. even at the REST API level ? Do we have one in SCIM? During the user sign up process - people need to see whether the username picked by the user is available before asking for the details..

Re: [Architecture] Account Lock/Disable Feature in IS 6.0.0

2017-01-20 Thread Prabath Siriwardena
Hi Isura, Please find my comment inline... On Fri, Jan 20, 2017 at 2:02 AM, Isura Karunaratne wrote: > Hi all, > > > We are working on implementing account lock/disable features for IS 6.0.0. > > *Account Lock: * > >- User *must not *be able to login to the system. >-

Re: [Architecture] [Dev] [IS 6.0.0] [User Portal] Challenge Questions in Self sign-up page of user portal

2017-01-18 Thread Prabath Siriwardena
Yes.. +1 for keeping this feature... Thanks & regards, -Prabath On Wed, Jan 18, 2017 at 10:05 PM, Johann Nallathamby wrote: > > > On Thu, Jan 19, 2017 at 10:42 AM, Isura Karunaratne > wrote: > >> Hi, >> >> In my opinion, admin defined security questions are

Re: [Architecture] [IS][Workflow] Two separate URL to deploy artifact and send request to BPS

2015-09-23 Thread Prabath Siriwardena
How about a scenario where BPS is running with worker/manager separation..? In that case we deploy it to the management node and in runtime requests go through the worker nodes... Thanks & regards, -Prabath On Tue, Sep 22, 2015 at 11:13 PM, Harsha Thirimanna wrote: > Hi All, >

Re: [Architecture] Improvement in Role based content filtering in WSO2 DSS

2015-09-21 Thread Prabath Siriwardena
On Mon, Sep 21, 2015 at 8:44 PM, Rajith Vitharana <raji...@wso2.com> wrote: > Hi Prabath, > > Sorry I missed the mail, yes it would be great if we can talk about this > further. > > > > On Tue, Sep 22, 2015 at 1:54 AM, Prabath Siriwardena <prab...@wso2.c

Re: [Architecture] [IDENTITY-3352] SCIM Dumb Mode Outbound Provisioning

2015-09-21 Thread Prabath Siriwardena
+1 Thanks & regards, -Prabath On Mon, Sep 21, 2015 at 8:46 PM, Ishara Karunarathna <isha...@wso2.com> wrote: > Hi Prabath, > > On Mon, Sep 21, 2015 at 8:25 PM, Prabath Siriwardena <prab...@wso2.com> > wrote: > >> >> >> On Mon, Sep 21, 2015 a

Re: [Architecture] [IDENTITY-3352] SCIM Dumb Mode Outbound Provisioning

2015-09-21 Thread Prabath Siriwardena
On Mon, Sep 21, 2015 at 12:49 AM, Ishara Karunarathna <isha...@wso2.com> wrote: > Hi Prabath, > > On Mon, Sep 21, 2015 at 12:09 PM, Prabath Siriwardena <prab...@wso2.com> > wrote: > >> It looks like from the architecture, whether its a dumb or smart is a &

[Architecture] Plug-in custom inbound authenticators

2015-09-21 Thread Prabath Siriwardena
At the moment you can write custom authenticators and plug them into the system - and it would be a specific endpoint to the service provider. But, the challenge is adding SP specific configurations - at the moment the IS Service Provider does not pick custom inbound authenticator configurations. I

Re: [Architecture] Improvement in Role based content filtering in WSO2 DSS

2015-09-21 Thread Prabath Siriwardena
If I understand your requirement correctly, this is about a federation scenario, where users are not under the domain of DSS. I guess we need to fix a couple of things here.. When I last looked into DSS - the way the DSS picks the username is from the UT header - and the DS must be secured with UT

Re: [Architecture] [IS][Workflow] Handling Delete Request Operation Associated with Workflows

2015-09-10 Thread Prabath Siriwardena
I guess the question here is related to deleting a workflow request itself - and if I understood correctly from your description, at the moment it's user based. Only the user who initiates the workflow request can delete it ? This looks like a limitation.. Nandika/Chathura, WDYT..? Thanks &

Re: [Architecture] Digest authentication for secured endpoints in API Manager

2015-09-03 Thread Prabath Siriwardena
Hi Nuwan, Yes.. I was referring to the inbound traffic... BTW do you see a real use for this outbound with Digest Auth..? I have not seen many systems using this.. Thanks & regards, -Prabath On Thu, Sep 3, 2015 at 4:58 AM, Nuwan Dias wrote: > Hi Prabath, > > You're referring

Re: [Architecture] [IS] Service Provider/Identity Provider file base configuration in clustered environment

2015-07-20 Thread Prabath Siriwardena
I think one common problem we need to address is to deploy service providers/ identity providers across tenants... If we use a file based approach - we should only use that. Do we have the registry-based dep-sync working now..? Also -1 to do any of the changes to 5.1.0 - it's already months

Re: [Architecture] [AppM] Secured download links for mobile applications

2015-07-20 Thread Prabath Siriwardena
Hi Chathura, I guess both your use cases fall into the same. Both of the scenarios need authentication. The first scenario differs from the second based on the person who generates the token. In the first scenario - the one who logs into the App Manager - pushes the download link to a set of

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-15 Thread Prabath Siriwardena
, either we have to design workflows without having any dependencies among tasks or we should support restrictions on workflow templates (e.g. if task B is included then task A has to be included). Regards, Chathura On Wed, Jul 15, 2015 at 1:42 AM, Prabath Siriwardena prab...@wso2.com wrote

Re: [Architecture] Switching to JAAS for Carbon 5?

2015-07-14 Thread Prabath Siriwardena
Hi Azeez, Yes - we discussed to implement this for Carbon 5 with the new UM API design. We would need someone to get started on this... Thanks & regards, -Prabath On Tue, Jul 14, 2015 at 3:08 AM, Afkham Azeez az...@wso2.com wrote: Hi Prabath, What do you think about $subject? Can we ditch the

[Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
It looks like there are still some confusions regarding the IS workflow implementation. So, thought of sharing my thoughts on the design - and hopefully this will be helpful to clear out the doubts. AFAIK - the framework for the following is already implemented. Basic design principles. 1. Simplicity.

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
BTW yes - let's have a discussion on this again - because this is not just an IS thing - and can be used by any other product which needs to have workflow support.. Thanks & regards, -Prabath On Tue, Jul 14, 2015 at 1:07 PM, Prabath Siriwardena prab...@wso2.com wrote: Hi Sumedha, We discussed

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
. - *Isabelle Mauny* VP, Product Management - WSO2, Inc. - http://wso2.com/ On Tue, Jul 14, 2015 at 6:22 PM, Prabath Siriwardena prab...@wso2.com wrote: It looks like still there are some confusions regarding

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
PM, Sumedha Rubasinghe sume...@wso2.com wrote: Prabath, I think this has some overlaps and improvements compared to what we have done for API Manager about 2 years ago. Let's have a discussion on how to bring best of both worlds. On Wed, Jul 15, 2015 at 12:49 AM, Prabath Siriwardena prab

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
to be compatible with the corresponding workflow template... Thanks & regards, -Prabath Regards, Chathura On Wed, Jul 15, 2015 at 1:42 AM, Prabath Siriwardena prab...@wso2.com wrote: BTW yes - let's have a discussion on this again - because this is not just an IS thing - and can be used by any other

[Architecture] [Identity Server] FIDO U2F Implementation Considerations

2015-06-15 Thread Prabath Siriwardena
Please have a look at [1] - if we have not already... Pavithra, let's have test cases based on the doc... [1]: https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-u2f-implementation-considerations-ps-20141009.pdf -- Thanks & Regards, Prabath Twitter : @prabath LinkedIn :

Re: [Architecture] [RFC] Identity Mediation Language (IML) - Requirements Specification

2015-06-10 Thread Prabath Siriwardena
On Sat, May 9, 2015 at 9:17 PM, Prabath Siriwardena prab...@wso2.com wrote: [resending with less number of recipients - since this was bounced back previously due to that] On Sat, May 9, 2015 at 5:32 PM, Prabath Siriwardena prab...@wso2.com wrote: Please find the details at http

Re: [Architecture] [RFC] Identity Mediation Language (IML) - Requirements Specification

2015-05-09 Thread Prabath Siriwardena
[resending with less number of recipients - since this was bounced back previously due to that] On Sat, May 9, 2015 at 5:32 PM, Prabath Siriwardena prab...@wso2.com wrote: Please find the details at http://blog.facilelogin.com/2015/05/identity-mediation-language-iml.html Appreciate your

[Architecture] Service versioning for Carbon admin services

2015-04-05 Thread Prabath Siriwardena
Admin service WSDL fixes the contract between the actual service implementation and the client. If you take the ServiceProviderRegistration service in IS - then the Service Provider Registration UI is one client - and also App Manager is another client. There can be many clients as well. Right now we

[Architecture] Using renewal/cancel WS-Trust bindings to manage SAML tokens issued by SAML 2.0 Web SSO profile

2015-04-05 Thread Prabath Siriwardena
AFAIK the $subject is not working today. Can we please get that fixed...? This would lead us to many more useful integration patterns... -- Thanks & Regards, Prabath Twitter : @prabath LinkedIn : http://www.linkedin.com/in/prabathsiriwardena Mobile : +1 650 625 7950

Re: [Architecture] POODLE Vulnerability (SSL 3.0) in WSO2 Carbon 3.0 Products

2015-03-22 Thread Prabath Siriwardena
Please find the details at http://blog.facilelogin.com/2014/10/poodle-attack-and-disabling-ssl-v3-in_69.html Thanks & regards, -Prabath On Thu, Oct 30, 2014 at 9:26 PM, Niranda Perera nira...@wso2.com wrote: Hi all, This follows Prabath's blogpost on POODLE Attack and Disabling SSL V3 in

Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-03 Thread Prabath Siriwardena
If you say Basic Auth is easy - then there is no difference in using OAuth too :-) Basically the resource owner credentials grant type was introduced in OAuth to migrate clients from Basic/Digest authentication into OAuth... By looking at the use case - it's clearly something to do with the

Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-28 Thread Prabath Siriwardena
+1 for using OAuth.. Please also think of the cost of maintaining and provisioning keys between servers in a clustered setup and the requirement of having an OAuth authorization server. Please see the approach suggested here [1] self-issued self-contained access tokens. This approach reduces all

Re: [Architecture] API Manager Authorization Server Decoupling

2014-10-15 Thread Prabath Siriwardena
Quick feedback - please do not use DTO in the name: ExtKeyMgtAppInfoDTO Thanks & regards, -Prabath On Wed, Oct 15, 2014 at 6:27 PM, Sanjeewa Malalgoda sanje...@wso2.com wrote: Hi All, Here is a brief update on the status of the External Key Management server - APIM integration implementation. We will

Re: [Architecture] ESB iPAAS - OAuth Authorization for different providers

2014-09-25 Thread Prabath Siriwardena
, Ravindra Ranwala ravin...@wso2.com wrote: Hi All, Thanks a lot for the valuable feedback given. We'll consider all these things when we implement this solution in our iPAAS. Regards, On Thu, Sep 25, 2014 at 11:08 AM, Prabath Siriwardena prab...@wso2.com wrote: According to the OAuth 2.0

Re: [Architecture] ESB iPAAS - OAuth Authorization for different providers

2014-09-24 Thread Prabath Siriwardena
I think it's true to some extent that some OAuth authorization servers (AS) use their own configuration parameters and also somewhat deviate from the OAuth specification. What you can do is - keep basic OAuth 1.0 and 2.0 modules and if you see a given AS has changed the behavior - extend from

Re: [Architecture] ESB iPAAS - OAuth Authorization for different providers

2014-09-24 Thread Prabath Siriwardena
deviates from the OAuth 2.0 Bearer Token Profile. Following is a request to the LinkedIn UserInfo endpoint... curl https://api.linkedin.com/v1/people/~?oauth2_access_token=AQVKwPCyJoTDl9CZl5ID9S9hig9qd0P Thanks & regards, -Prabath On Thu, Sep 25, 2014 at 11:02 AM, Prabath Siriwardena prab...@wso2

Re: [Architecture] OpenID connect ID Token Implementation

2014-09-06 Thread Prabath Siriwardena
+1 For JWS and JWE you can directly use the Nimbus[1] java library which is released under the Apache 2.0 license.. [1]: http://connect2id.com/products/nimbus-jose-jwt/download Thanks & regards, -Prabath On Sat, Sep 6, 2014 at 11:22 PM, Gayan Gunawardana ga...@wso2.com wrote: Hi, Currently WSO2

Re: [Architecture] SSO IDP Proxy Application + SDK

2014-03-27 Thread Prabath Siriwardena
Great..!!! Can we also start with an iOS app...? Also - can you please test this with IS 4.1.0..? Thanks & regards, -Prabath On Thu, Mar 27, 2014 at 4:31 PM, Gayan Gunawardana ga...@wso2.com wrote: Hi All, Still code with ongoing development, but anybody who is interested can try it Android

Re: [Architecture] Provide support for self signup for tenants' APIStores

2014-01-22 Thread Prabath Siriwardena
I think the right approach is to use [1]. UserSelfRegistrationService will add users to the Identity role by default. But, if you want to add the user to the subscriber role, you can make it configurable. Also - with UserSelfRegistrationService - you can specify to which user stores you need to

Re: [Architecture] Invitation: APIM Progress update @ Mon Jan 20 11:30pm - Tue Jan 21, 2014 12:30am (samee...@wso2.com)

2014-01-22 Thread Prabath Siriwardena
On Tue, Jan 21, 2014 at 5:23 PM, Lalaji Sureshika lal...@wso2.com wrote: Hi, In addition to Tanya's notes, following features/improvements noted as we expect to complete from ES side [sorry, if I repeat a few..], while Sameera is working on adding APIM related custom pages and functionalities

Re: [Architecture] Provide support for self signup for tenants' APIStores

2014-01-22 Thread Prabath Siriwardena
in the identity.xml. I do not think we can configure multiple roles (multiple SignUpRole elements), If not, we can fix it as well Thanks. Asela. Thanks; On Wed, Jan 22, 2014 at 2:30 PM, Lalaji Sureshika lal...@wso2.com wrote: Hi, On Wed, Jan 22, 2014 at 2:04 PM, Prabath Siriwardena

Re: [Architecture] Provide support for self signup for tenants' APIStores

2014-01-22 Thread Prabath Siriwardena
+1 Thanks & regards, -Prabath On Wed, Jan 22, 2014 at 7:29 PM, Lalaji Sureshika lal...@wso2.com wrote: Hi, On Wed, Jan 22, 2014 at 5:36 PM, Prabath Siriwardena prab...@wso2.com wrote: If this is per tenant - you cannot do it via a configuration in the identity.xml... Ideally the tenant

Re: [Architecture] Provide support for self signup for tenants' APIStores

2014-01-22 Thread Prabath Siriwardena
, Prabath Siriwardena prab...@wso2.com wrote: If this is per tenant - you cannot do it via a configuration in the identity.xml... Ideally the tenant admin should have an option in the UI to enable/disable SelfSignUp and if it is enabled he should be able to specify the default role or the role list

Re: [Architecture] Meeting Notes { was : Re: Invitation: Carbon 5 User API Design Review}

2013-12-19 Thread Prabath Siriwardena
joh...@wso2.com wrote: Hi Prabath, One more suggestion I wanted to tell and missed is, what if we have the Identifier classes of each entity as a static nested class of the corresponding entity? This way it will make the packaging more neat. On Thu, Dec 19, 2013 at 1:26 PM, Prabath

Re: [Architecture] Meeting Notes { was : Re: Invitation: Carbon 5 User API Design Review}

2013-12-19 Thread Prabath Siriwardena
, Prabath Siriwardena prab...@wso2.com wrote: A nested class should exist only to serve its enclosing class... if the purpose of it goes beyond that - then it should be a top level one. For that reason, I didn't want to have Identifier classes as nested classes... I was only thinking about

[Architecture] [C5] Should we use api in the API package name ?

2013-12-14 Thread Prabath Siriwardena
Should we use api in the API package name ? I think we should not.. Currently we have org.wso2.carbon.user.api, org.wso2.carbon.regostry.api and possibly many more.. I think we should avoid putting API in the package name - and it should be quite obvious.. For example, in Java - in JDBC API [1] -

Re: [Architecture] [C5] Should we use api in the API package name ?

2013-12-14 Thread Prabath Siriwardena
, 2013 at 6:00 PM, Prabath Siriwardena prab...@wso2.com wrote: Should we use api in the API package name ? I think we should not.. Currently we have org.wso2.carbon.user.api, org.wso2.carbon.regostry.api and possibly many more.. I think we should avoid putting API in the package name

Re: [Architecture] C5 user core API high-level design

2013-12-07 Thread Prabath Siriwardena
A design review is scheduled on 10th Dec - Tuesday.. Thanks & regards, -Prabath On Sat, Dec 7, 2013 at 1:01 PM, Prabath Siriwardena prab...@wso2.com wrote: The Identity team was working on designing the user core API during last week. Please find the high-level design attached. Each Tenant

Re: [Architecture] Security mediators for ESB

2013-11-14 Thread Prabath Siriwardena
within ESB language itself, it will be an added plus. (This is like we have to go to Axis2 level to configure transports now). --Srinath On Thu, Nov 14, 2013 at 1:23 AM, Prabath Siriwardena prab...@wso2.com wrote: Ideally it should be a handler - not a mediator... This should get executed

Re: [Architecture] Security mediators for ESB

2013-11-13 Thread Prabath Siriwardena
Ideally it should be a handler - not a mediator... This should get executed before the message comes to the inSequence. Thanks & regards, -Prabath On Wed, Nov 13, 2013 at 10:24 PM, Miyuru Wanninayaka miy...@wso2.com wrote: Hi all, Currently most security stuff is handled at rampart level (except

Re: [Architecture] [Identity Server] Applications

2013-11-11 Thread Prabath Siriwardena
IdP always issues claims from its own dialect. If we want application specific claims - that is a functionality of the resource STS. Thanks & regards, -Prabath On Mon, Nov 11, 2013 at 3:59 AM, Asela Pathberiya as...@wso2.com wrote: On Mon, Nov 11, 2013 at 4:18 PM, Prabath Siriwardena prab

Re: [Architecture] [Identity Server] Applications

2013-11-11 Thread Prabath Siriwardena
IdP always issues claims from its own dialect. If we want application specific claims - that is a functionality of the resource STS. Thanks & regards, -Prabath On Mon, Nov 11, 2013 at 5:29 PM, Asela Pathberiya as...@wso2.com wrote: On Mon, Nov 11, 2013 at 4:18 PM, Prabath Siriwardena prab

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
Hi Johann, Please find comment inline... On Mon, Nov 11, 2013 at 9:35 AM, Johann Nallathamby joh...@wso2.com wrote: Hi Prabath, +1 for the concept. Some concerns and thoughts inline.. bear with me for my lengthy verbose arguments.. On Mon, Nov 11, 2013 at 3:12 AM, Prabath Siriwardena

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
at 3:12 AM, Prabath Siriwardena prab...@wso2.com wrote: 1. What is an Application under the context of Identity Server ? It's a consumer of identity attributes, roles (and groups), authentication methods/ policies and authorization policies. In practice, this could be a web application, mobile

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
On Mon, Nov 11, 2013 at 10:41 AM, Ishara Karunarathna isha...@wso2.com wrote: Hi, On Mon, Nov 11, 2013 at 9:58 AM, Prabath Siriwardena prab...@wso2.com wrote: Hi Johann, Please find comment inline... On Mon, Nov 11, 2013 at 9:35 AM, Johann Nallathamby joh...@wso2.com wrote: Hi Prabath

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
On Mon, Nov 11, 2013 at 11:26 AM, Ishara Karunarathna isha...@wso2.com wrote: On Mon, Nov 11, 2013 at 11:07 AM, Prabath Siriwardena prab...@wso2.com wrote: On Mon, Nov 11, 2013 at 10:41 AM, Ishara Karunarathna isha...@wso2.com wrote: Hi, On Mon, Nov 11, 2013 at 9:58 AM, Prabath

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
joh...@wso2.com wrote: On Mon, Nov 11, 2013 at 1:01 PM, Prabath Siriwardena prab...@wso2.com wrote: On Mon, Nov 11, 2013 at 11:47 AM, Johann Nallathamby joh...@wso2.com wrote: Yes, we don't have to encrypt the consumer key, but still I feel we can use a different

Re: [Architecture] Access tokens are differ based on the scope?

2013-10-25 Thread Prabath Siriwardena
Yes.. We cannot give the same access token for different scopes. +1 for fixing this. Thanks... Sent from my mobile device On Oct 25, 2013, at 5:29 PM, Asela Pathberiya as...@wso2.com wrote: Hi All, AFAIK, currently OAuth2 token endpoint returns the same access token for different

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-22 Thread Prabath Siriwardena
for the scenario where IS is behaving as a consumer. Regards, Venura On Tue, Oct 22, 2013 at 11:15 AM, Prabath Siriwardena prab...@wso2.com wrote: Why not we maintain all the ids from external CSP - against the externalid ? Then we do not need to worry about doing two calls.. Thanks & regards

[Architecture] Handling SAML2 SSO Sessions

2013-10-21 Thread Prabath Siriwardena
How do we handle SAML2 sessions now..? I believe we keep them in-memory.. Keeping this in-memory won't scale - as these sessions are supposed to live long.. and also won't be accessed frequently.. Can we use an LRU cache - and persist the SAML2 sessions..? Thoughts please.. Thanks & Regards, Prabath

[Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
There are three use cases.. 1. SCIM consumer sends a provisioning request to IS - which is the SCIM CSP. 2. [1] Identity Server provisions the user to other CSPs 3. Adding user from the IS management console and provision the user to other connected CSP. How do we handle id/externalid/userName

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
, scimId etc). IMO externalId is not a useful attribute in the spec. [1] here there are some arguments on this. [1] http://www.infoq.com/articles/scim-data-model-limitations Please add anything missing or wrong. Thanks, On Mon, Oct 21, 2013 at 10:45 PM, Prabath Siriwardena prab...@wso2

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
at 4:53 AM, Prabath Siriwardena prab...@wso2.com wrote: When IS provisions users to other connected systems - are we maintaining the list of ids returned by each CSP...? IMO externalid is also useful. A given externalid could map to multiple ids returned by CSPs. Thanks & regards, -Prabath

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
providers handle the request by taking the user name and identifying to which resource the operation should be applied. Regards, Venura On Tue, Oct 22, 2013 at 9:15 AM, Prabath Siriwardena prab...@wso2.com wrote: On Tue, Oct 22, 2013 at 3:09 PM, Ishara Karunarathna isha...@wso2.com wrote

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
, -Prabath On Tue, Oct 22, 2013 at 5:55 PM, Venura Kahawala ven...@wso2.com wrote: Hi, On Tue, Oct 22, 2013 at 10:17 AM, Prabath Siriwardena prab...@wso2.com wrote: On Tue, Oct 22, 2013 at 5:41 PM, Venura Kahawala ven...@wso2.com wrote: Hi, Also - how spec compliant is it to do

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
-Type:application/json * https://localhost:9443/wso2/scim/Users/48f7cfe5-f0e3-4a67-af7e-d762aa9ab215 * Regards, Venura On Tue, Oct 22, 2013 at 10:37 AM, Prabath Siriwardena prab...@wso2.com wrote: In that case it's with an id - not a direct PUT to /Users. It's like /Users/id To sort out any confusion

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
.. We do two calls when we do outbound provisioning..? One to get the id and then the PUT. Thanks & regards, -Prabath Regards, Venura On Tue, Oct 22, 2013 at 11:05 AM, Prabath Siriwardena prab...@wso2.com wrote: But for outbound provisioning from IS we cannot do the same now - as we do

Re: [Architecture] Separating 'My Identity' functionality from management console

2013-10-09 Thread Prabath Siriwardena
How do we do this in API Store / Publisher? Can we host the API Store / Publisher in a different Application Server and still point to the same user base behind the API Manager..? Thanks & regards, -Prabath On Wed, Oct 9, 2013 at 7:32 PM, Venura Kahawala ven...@wso2.com wrote: Hi, I'm now

Re: [Architecture] OAuth2 Scope and Resource Owner Validation

2013-10-07 Thread Prabath Siriwardena
Thanks, -Suresh On Wed, Oct 2, 2013 at 2:47 AM, Prabath Siriwardena prab...@wso2.com wrote: +1 Currently IS and API-M use two different services for token validation. So - let's get rid of this code duplication first and then work on the improvements... Thanks & regards, -Prabath On Wed

Re: [Architecture] Why API - Manager always upper case the scope

2013-10-03 Thread Prabath Siriwardena
. On Fri, Oct 4, 2013 at 7:25 AM, Prabath Siriwardena prab...@wso2.com wrote: This is done by the handler t/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/util/APIManagerOAuthCallbackHandler.java Scope is case sensitive - and when we issue a token against a provided

Re: [Architecture] OAuth2 Scope and Resource Owner Validation

2013-10-02 Thread Prabath Siriwardena
+1 Currently IS and API-M use two different services for token validation. So - let's get rid of this code duplication first and then work on the improvements... Thanks & regards, -Prabath On Wed, Oct 2, 2013 at 11:05 AM, Johann Nallathamby joh...@wso2.com wrote: Currently the OAuth2 scopes

[Architecture] Extension points for Auth token issue and token validation services.

2013-09-30 Thread Prabath Siriwardena
The requirement is to process the token issue request at the Key Manager before actually processing the request. Following two methods will be introduced to the org.wso2.carbon.identity.oauth2.OAuth2ServiceListener interface - and these will be invoked from the

Re: [Architecture] Issue at tenant user login in cluster mode - Multiple user stores active

2013-09-26 Thread Prabath Siriwardena
+1 for that.. Only downside - the tenant is not loaded on demand.. Another approach is.. Currently the tenant is loaded by looking at the URL.. say for example - if the URL says /t/wso2.com - this will cause wso2.com to be loaded if it is not loaded already. The issue with authentication is - we

Re: [Architecture] Issue at tenant user login in cluster mode - Multiple user stores active

2013-09-26 Thread Prabath Siriwardena
Won't it be too late to load the tenant at this moment? As the changes need to be checked out from the repo for authentication to be successful, are we to hold the decision using some mechanism till the check out completes? This is the same behavior you see when you log in to the management

Re: [Architecture] Trusted Delegation using OAuth2 Tokens

2013-09-11 Thread Prabath Siriwardena
Hi Sumedha, This needs to be better modeled after A Method of Bearer Token Redelegation and Chaining for OAuth 2 http://tools.ietf.org/id/draft-richer-oauth-chain-00.txt The grant type needs to be urn:ietf:params:oauth:grant_type:redelegate And also - we should not provide a refresh token in

Re: [Architecture] SCEP Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-05 Thread Prabath Siriwardena
is the best method to overcome the SCEP vulnerability. On Mon, Aug 5, 2013 at 10:39 AM, Prabath Siriwardena prab...@wso2.com wrote: I guess the user challenge itself is not enough.. We also need to validate the SCEP request.. Thanks & regards, -Prabath On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah

Re: [Architecture] SCEP Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-04 Thread Prabath Siriwardena
any time it can be replaced with anything. Ideally, I believe this part needs to be handled by IS, and MDM should only communicate with it through the information provided at deployment time. Regards, Dilshan On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena prab...@wso2.com wrote: Just

Re: [Architecture] SCEP Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-04 Thread Prabath Siriwardena
will be done based on the user challenge before it gets passed to it. The validation part is not done. Also there is a performance issue in the time taken to enroll a device; Mayuran is working on that along with the validation. Thanks, -Shan On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena prab

Re: [Architecture] SCEP Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-03 Thread Prabath Siriwardena
On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana sanj...@wso2.com wrote: Dilshan Prabath, should the SCEP server code ship with IS by default? Prabath I remember a long discussion about certificate issuing and distribution 3-4 years ago but don't think we ended up implementing yet .. is
