Re: [Architecture] [RRT] XACML based scope validator (during OAuth2 token validation)

2018-01-15 Thread Johann Nallathamby
*[-IAM, RRT]* On Mon, Jan 15, 2018 at 8:13 PM, Johann Nallathamby wrote: > Hi Senthalan, > > Did you check [1]? In this feature *@Isuranga* implemented an XACML policy to > evaluate the permission tree. For this he had to come up with a policy > that defined a custom function. > >

Re: [Architecture] [RRT]Calculating a risk score for authentication requests

2018-01-15 Thread Dimuthu Leelarathne
Hi Pamoda, Authentication history is a broad term. How do we plan to identify exceptions? thanks, Dimuthu On Mon, Jan 15, 2018 at 8:04 PM, Johann Nallathamby wrote: > *[-IAM, RRT]* > > Apart from the business transaction value, the following factors can be > considered for risk

Re: [Architecture] [RRT] XML, JSON, Shema validation threat protectors in APIM 2.1.x

2018-01-15 Thread Dushan Abeyruwan
Hi, Please provide the diff of the changes you have done. @ESB Team / PPT experts, since there are PPT level changes you need to keep watch on the performance impact, memory blueprint impact, how the heap usage varies per message size (smallest to the largest) + how the behavior for complex

Re: [Architecture] [RRT] XACML based scope validator (during OAuth2 token validation)

2018-01-15 Thread Johann Nallathamby
Hi Senthalan, Did you check [1]? In this feature *@Isuranga* implemented an XACML policy to evaluate the permission tree. For this he had to come up with a policy that defined a custom function. In the above feature, if you replace permission with OAuth2 scopes (which is also a representation of

[Architecture] Password Rotation Policy Authenticator

2018-01-15 Thread Nadun De Silva
Hi all, I have started working on a Password Rotation Policy Authenticator for the Identity Server. Currently, there is an authenticator [1] which can be used to force the user to change the password. However, it does not support the following requirements on its own. - Force the user to

Re: [Architecture] [MB4] Restful Admin API's for Message Broker

2018-01-15 Thread Harsha Kumara
On Fri, Jan 12, 2018 at 9:35 AM, Asitha Nanayakkara wrote: > Hi all, > > Taking all the concerns discussed into account I did some updates on the > design. > > With this design, I'll be exposing the exchanges, bindings, queues, and > consumers. This is to avoid confusion in

Re: [Architecture] Password Rotation Policy Authenticator

2018-01-15 Thread Dimuthu Leelarathne
Hi Nadun, On Mon, Jan 15, 2018 at 9:01 PM, Nadun De Silva wrote: > Hi all, > > I have started working on a Password Rotation Policy Authenticator for the > Identity Server. > > Currently, there is an authenticator [1] which can be used to force the > user to change the

Re: [Architecture] Federated IdP Initiated Logout

2018-01-15 Thread Asela Pathberiya
On Mon, Jan 15, 2018 at 2:39 PM, Rasika Perera wrote: > Hi Dimuthu, > > Recently, we did a similar setup, which involves a Federated IDP of OIDC. > All internal apps were configured with SAML SSO. Login flow worked smoothly with > the OIDC authenticator; however, external apps initiated

Re: [Architecture] [RRT]Calculating a risk score for authentication requests

2018-01-15 Thread Pamoda Wimalasiri
On Tue, Jan 16, 2018 at 8:13 AM, Prakhash Sivakumar wrote: > On Mon, Jan 15, 2018 at 8:28 PM, Dimuthu Leelarathne > wrote: > >> Hi Pamoda, >> >> Authentication history is a broad term. How do we plan to identify >> exceptions? >> > As authentication

Re: [Architecture] [RRT] XACML based scope validator (during OAuth2 token validation)

2018-01-15 Thread Senthalan Kanagalingam
Hi Johann, Thanks for the feedback. Currently, I am checking that feature. According to my understanding, this feature will be useful to validate the token scopes against resource scopes. As this validation is done by JDBCScopeValidator and my implementation will be parallel to it (IS allows

Re: [Architecture] Password Rotation Policy Authenticator

2018-01-15 Thread Asela Pathberiya
On Tue, Jan 16, 2018 at 11:16 AM, Nadun De Silva wrote: > Hi, > > At the moment the authenticator only has the *"password expiration time > period"* in the password expiration policy. > > So I can start off by altering the authenticator to publish the following > to analytics >

Re: [Architecture] [RRT]Calculating a risk score for authentication requests

2018-01-15 Thread Hasitha Hiranya
Hi all, We can also consider the MAC address or some machine ID of the last successful login as well. *i.e. I usually log in to my personal Gmail using my phone. If I suddenly use my Mac machine, Google sends an email asking if this is you.* Also the previous successful login location is important. *i.e. If

Re: [Architecture] Password Rotation Policy Authenticator

2018-01-15 Thread Prakhash Sivakumar
Hi Nadun, On Mon, Jan 15, 2018 at 9:01 PM, Nadun De Silva wrote: > Hi all, > > I have started working on a Password Rotation Policy Authenticator for the > Identity Server. > > Currently, there is an authenticator [1] which can be used to force the > user to change the

Re: [Architecture] Password Rotation Policy Authenticator

2018-01-15 Thread Nadun De Silva
Hi Prakhash, On Tue, Jan 16, 2018 at 9:49 AM, Prakhash Sivakumar wrote: > Hi Nadun, > > On Mon, Jan 15, 2018 at 9:01 PM, Nadun De Silva wrote: > >> Hi all, >> >> I have started working on a Password Rotation Policy Authenticator for >> the Identity Server. >>

Re: [Architecture] Password Rotation Policy Authenticator

2018-01-15 Thread Prakhash Sivakumar
On Tue, Jan 16, 2018 at 11:02 AM, Nadun De Silva wrote: > Hi Prakhash, > > On Tue, Jan 16, 2018 at 9:49 AM, Prakhash Sivakumar > wrote: > >> Hi Nadun, >> >> On Mon, Jan 15, 2018 at 9:01 PM, Nadun De Silva wrote: >> >>> Hi all, >>> >>> I have

Re: [Architecture] [Feature] Storing the application certificate in the database.

2018-01-15 Thread Kamidu Punchihewa
Hi Rushmin/Shazni, +1 for storing the certificates in the database. Regarding the User Experience aspect discussed above, IMHO it's better to provide both options: letting the user select a file, as in uploading a file, as well as allowing the user to input the certificate content into

[Architecture] Cassandra Table Extension implementations

2018-01-15 Thread Tharindu Jayathilake
Hi All, We are implementing a Cassandra table extension that enables Siddhi developers to persist events in Cassandra stores. The following operations are supported through this extension. 1. Define a Cassandra table 2. Insert events into a Cassandra table 3. Read events from a Cassandra table 4. Check

Re: [Architecture] [RRT]Calculating a risk score for authentication requests

2018-01-15 Thread Ruwan Abeykoon
Hi Hasitha, There is a question about the MAC address, which is not available beyond an IP router. What we do is browser fingerprinting with a cookie or something. *>> i.e. I usually log in to my personal Gmail using my phone. If I suddenly use my Mac machine, Google sends an email asking if this is you.* IS

Re: [Architecture] [RRT]Calculating a risk score for authentication requests

2018-01-15 Thread Hasitha Hiranya
Hi Ruwan, On Tue, Jan 16, 2018 at 9:39 AM, Ruwan Abeykoon wrote: > Hi Hasitha, > There is a question about the MAC address, which is not available beyond an IP > router. What we do is browser fingerprinting with a cookie or something. > > *>> i.e. I usually log in to my personal

Re: [Architecture] Password Rotation Policy Authenticator

2018-01-15 Thread Nadun De Silva
Hi, At the moment the authenticator only has the *"password expiration time period"* in the password expiration policy. So I can start off by altering the authenticator to publish the following to analytics - The password expiration time period config change - The password changed event

Re: [Architecture] Password Rotation Policy Authenticator

2018-01-15 Thread Ruwan Abeykoon
Hi Dimuthu, I would suggest storing the expiration policy on the IS side. How and where this can be stored is yet to be discussed. For the time being, we can play around with the registry for a quick start (but the registry will go away soon). IS needs to emit an event towards analytics upon any change in the policy.

Re: [Architecture] [RRT]Calculating a risk score for authentication requests

2018-01-15 Thread Ruwan Abeykoon
Hi Pamoda, Here are some of my thoughts, and not in order or organized. User Behavior analytics (*UBA*) - Implement multi-dimensional clustering (this will detect general user behaviours. Not of an individual) - Implement clickstream analytics (This will have knowledge of

Re: [Architecture] [RRT]Calculating a risk score for authentication requests

2018-01-15 Thread Prakhash Sivakumar
On Mon, Jan 15, 2018 at 8:28 PM, Dimuthu Leelarathne wrote: > Hi Pamoda, > > Authentication history is a broad term. How do we plan to identify > exceptions? > > thanks, > Dimuthu > > On Mon, Jan 15, 2018 at 8:04 PM, Johann Nallathamby > wrote: > >> *[-IAM,

Re: [Architecture] Identity Server 6

2018-01-15 Thread Rushmin Fernando
Hi Jørgen, Please see my inline responses below. On Sat, Jan 13, 2018 at 12:13 AM, Info fra IDconnect wrote: > Hi Rushmin, > > > > Thanks for the swift reply. > > > > We are in the final decision phase on deciding technology for a platform > delivering Identity management as

[Architecture] Federated IdP Initiated Logout

2018-01-15 Thread Dimuthu Leelarathne
Hi All, Please consider the below scenario. When the Federated IdP sends the logout request we have to log out the user from the WSO2IS. The proposed POC is as follows. - 1 & 4 are OAuth flows - 2 & 3 are SAML flows Participants of the discussion: Malithi, Thanuja and Dimuthu For the POC

Re: [Architecture] Federated IdP Initiated Logout

2018-01-15 Thread Dimuthu Leelarathne
On Mon, Jan 15, 2018 at 1:32 PM, Dimuthu Leelarathne wrote: > Hi All, > > Please consider the below scenario. > > When the Federated IdP sends the logout request we have to log out the user > from the WSO2IS. The proposed POC is as follows. > > - 1 & 4 are OAuth

Re: [Architecture] Federated IdP Initiated Logout

2018-01-15 Thread Rasika Perera
Hi Dimuthu, Recently, we did a similar setup, which involves a Federated IDP of OIDC. All internal apps were configured with SAML SSO. Login flow worked smoothly with the OIDC authenticator; however, external apps initiated logout (inbound logout requests from OIDC-to-SAML) and internal apps initiated

Re: [Architecture] Federated IdP Initiated Logout

2018-01-15 Thread Thanuja Jayasinghe
Hi, On Mon, Jan 15, 2018 at 1:32 PM, Dimuthu Leelarathne wrote: > Hi All, > > Please consider the below scenario. > > When the Federated IdP sends the logout request we have to log out the user > from the WSO2IS. The proposed POC is as follows. > > - 1 & 4 are OAuth

Re: [Architecture] [RRT]Calculating a risk score for authentication requests

2018-01-15 Thread Prasanna Dangalla
Hi Pamoda, On Mon, Jan 15, 2018 at 4:50 PM, Pamoda Wimalasiri wrote: > Hi all, > > I'm currently working on a risk score calculation method for the > authentication request of IAM. I'm still doing the background research on > the behavior of other similar approaches [1] and the

[Architecture] [RRT]Calculating a risk score for authentication requests

2018-01-15 Thread Pamoda Wimalasiri
Hi all, I'm currently working on a risk score calculation method for the authentication request of IAM. I'm still doing the background research on the behavior of other similar approaches [1] and the technologies that can be used. According to my research, the risk score can be calculated based