Re: [Architecture] User Store Manager Configuration UI - New Feature

2013-05-10 Thread Prabath Siriwardena
On Fri, May 10, 2013 at 12:29 PM, Pradeep Fernando prad...@wso2.com wrote: Hi, After the first start up, UI will be the only way to edit the configuration (except going and changing the storage). That limitation has negative points. But the use of the UI is to allow a user to add a new

Re: [Architecture] User Store Manager Configuration UI - New Feature

2013-05-27 Thread Prabath Siriwardena
On Mon, May 27, 2013 at 5:13 PM, Amila Suriarachchi am...@wso2.com wrote: On Mon, May 27, 2013 at 5:01 PM, Prabath Siriwardena prab...@wso2.com wrote: On Mon, May 27, 2013 at 4:04 PM, Amila Suriarachchi am...@wso2.com wrote: On Mon, May 27, 2013 at 3:06 PM, Prabath Siriwardena prab

Re: [Architecture] User Store Manager Configuration UI - New Feature

2013-05-29 Thread Prabath Siriwardena
the nodes. 4. The deployer we write needs to update the corresponding configuration in the RealmService. 5. Users already logged in should be forced to log out. Thanks & regards, -Prabath On Thu, May 30, 2013 at 10:25 AM, Prabath Siriwardena prab...@wso2.com wrote: Nice slides.. :-) Please

Re: [Architecture] Auditing, reporting and statistics for identity features

2013-06-04 Thread Prabath Siriwardena
Hi Sanjeewa, In API Manager - can we get stats without BAM integration? Thanks & regards, -Prabath On Mon, Jun 3, 2013 at 7:49 PM, Darshana Gunawardana darsh...@wso2.com wrote: Hi all, I have started working on $subject (as in our internal roadmap #602). The final outcome of this should be,

Re: [Architecture] Securing the passwords given in the tomcat connectors.

2013-06-24 Thread Prabath Siriwardena
+1 Also we need to avoid keystores being configured in different places. Like datasources - we need to have key stores configured in a single place and reference those from other places.. Thanks & regards, -Prabath On Sat, Jun 22, 2013 at 3:05 PM, Amila Suriarachchi am...@wso2.com wrote: hi,

Re: [Architecture] Synching Configurations across the clusters

2013-06-24 Thread Prabath Siriwardena
(pvt) Ltd Mobile: +94779716248 On Fri, May 31, 2013 at 2:52 PM, Prabath Siriwardena prab...@wso2.com wrote: I guess a dep-sync based approach will solve these... Thanks & regards, -Prabath On Fri, May 31, 2013 at 2:41 PM, Srinath Perera srin...@wso2.com wrote: Hi All

[Architecture] Bring all key store configurations to a single file { was : Re: Securing the passwords given in the tomcat connectors.}

2013-06-25 Thread Prabath Siriwardena
On Mon, Jun 24, 2013 at 1:31 PM, Prabath Siriwardena prab...@wso2.com wrote: +1 Also we need to avoid keystores being configured in different places. Like datasources - we need to have key stores configured in a single place and reference those from other places.. Thanks & regards, -Prabath

Re: [Architecture] Synching Configurations across the clusters

2013-07-01 Thread Prabath Siriwardena
It has to maintain an order - you will authenticate a user in a chain - if the first fails it will go to the other. Thanks & regards, -Prabath On Mon, Jul 1, 2013 at 3:01 PM, Amila Suriarachchi am...@wso2.com wrote: On Mon, Jul 1, 2013 at 2:38 PM, Prabath Siriwardena prab...@wso2.com wrote
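The ordered user-store chain described in this message, written out as an added example (it is not WSO2 Carbon code; the store names PRIMARY and LDAP, the `DOMAIN/user` login syntax and the plaintext test passwords are constructed for illustration). It shows the two behaviours that matter for security: a bare user name is tried against the stores in configured order, falling through on failure, so the same name present in two stores is reachable with either credential, whereas an explicit domain prefix pins the lookup to one store and never falls through.

```python
"""Ordered user-store chain: constructed example, not WSO2 code."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UserStore:
    """One user store in the chain. Passwords here are plaintext constructed
    test data; a real store would hold salted hashes."""
    domain: str
    users: Dict[str, str]

    def check_password(self, username: str, password: str) -> bool:
        stored = self.users.get(username)
        # constant-time compare so a wrong password and a missing user cost the same
        return stored is not None and hmac.compare_digest(stored, password)


class UserStoreChain:
    """Authenticates against stores in the configured order (the order is part
    of the configuration, as with user-mgt.xml; the first store is PRIMARY)."""

    def __init__(self, stores: List[UserStore]):
        if not stores:
            raise ValueError("at least one user store is required")
        self.stores = stores

    def authenticate(self, login: str, password: str) -> Optional[str]:
        """Return the fully qualified 'DOMAIN/user' on success, None on failure."""
        if "/" in login:
            # explicit domain pins the lookup to one store: no fall-through
            domain, username = login.split("/", 1)
            store = self._store_for(domain)
            if store is not None and store.check_password(username, password):
                return f"{store.domain}/{username}"
            return None
        # bare user name: walk the chain; a failure in one store falls through
        # to the next, so the same name in two stores is reachable with either
        # password. Store order decides which identity wins when both would.
        for store in self.stores:
            if store.check_password(login, password):
                return f"{store.domain}/{login}"
        return None

    def _store_for(self, domain: str) -> Optional[UserStore]:
        for store in self.stores:
            if store.domain.upper() == domain.upper():
                return store
        return None
```

Because the order is what makes `alice` resolve to one identity rather than another, it belongs in a single ordered configuration rather than in independent per-store files, which is the point made later in this thread.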

Re: [Architecture] Synching Configurations across the clusters

2013-07-01 Thread Prabath Siriwardena
stores. Azeez On Mon, Jul 1, 2013 at 2:38 PM, Prabath Siriwardena prab...@wso2.com wrote: Not quite right.. A given user store cannot just exist on its own.. it has to maintain the order with others.. That needs to be maintained in the user-mgt.xml.. By breaking this into separate user-store

Re: [Architecture] Synching Configurations across the clusters

2013-07-01 Thread Prabath Siriwardena
Adding a user store is not as dynamic as adding a proxy or sequence.. thinking of both in the same way is not quite right.. Thanks & regards, -Prabath On Mon, Jul 1, 2013 at 2:54 PM, Amila Suriarachchi am...@wso2.com wrote: On Mon, Jul 1, 2013 at 2:38 PM, Prabath Siriwardena prab...@wso2

Re: [Architecture] Synching Configurations across the clusters

2013-07-01 Thread Prabath Siriwardena
On Mon, Jul 1, 2013 at 3:22 PM, Amila Suriarachchi am...@wso2.com wrote: On Mon, Jul 1, 2013 at 3:08 PM, Prabath Siriwardena prab...@wso2.com wrote: Adding a user store is not as dynamic as adding a proxy or sequence.. thinking of both in the same way is not quite right.. There are two

Re: [Architecture] Allow subscriber/admins to configure the accessToken expiry time.

2013-07-09 Thread Prabath Siriwardena
On Fri, Jul 5, 2013 at 4:30 PM, Vijayaratha Vijayasingam rat...@wso2.com wrote: Hi all; Currently in the APIManager we provide an option in the identity.xml to configure the token validity period. But it is a global-level one-time setting. Scenario: If there is any theft of the tokens or

[Architecture] Selective user provisioning via SCIM

2013-07-16 Thread Prabath Siriwardena
Currently when we configure WSO2 IS to provision users to connected systems - it will provision all the users in it - whenever a user is added or updated. It's better to give the option to do this selectively.. This is the use case I am thinking of.. You can have a security gateway in the DMZ which

Re: [Architecture] Multi-tenant AF user model

2013-07-17 Thread Prabath Siriwardena
Had a brief chat with Dimuthu and I guess it's much cleaner to get rid of the magic user - with the introduction of the organization concept in AF. The admin user account of the tenant itself can perform these operations... If we think about a multi-VPC deployment (a VPC per tenant) - we do not

Re: [Architecture] Encrypting Access/Refresh Tokens in OAuth Component

2013-07-26 Thread Prabath Siriwardena
Please note that this solution only addresses 1 and 2. Not 3. I don't see that addressing 3 is quite needed in our case. Thanks & regards, -Prabath On Fri, Jul 26, 2013 at 3:35 PM, Prabath Siriwardena prab...@wso2.com wrote: On Fri, Jul 26, 2013 at 3:24 PM, Prabath Siriwardena prab...@wso2.com wrote

Re: [Architecture] Role based restriction for API resources/HTTP verbs in APIManager

2013-07-26 Thread Prabath Siriwardena
Can we please arrange a design review for this? We discussed an Application concept in IS and we need to see how all these integrate together.. Thanks & regards, -Prabath On Fri, Jul 26, 2013 at 3:34 PM, Vijayaratha Vijayasingam rat...@wso2.com wrote: Hi all; Our requirement: Currently we

Re: [Architecture] Role based restriction for API resources/HTTP verbs in APIManager

2013-07-26 Thread Prabath Siriwardena
Will be back on the 2nd.. better after that... Thanks & regards, -Prabath On Fri, Jul 26, 2013 at 3:43 PM, Sumedha Rubasinghe sume...@wso2.com wrote: +1. Will schedule next week? On Fri, Jul 26, 2013 at 3:39 PM, Prabath Siriwardena prab...@wso2.com wrote: Can we please arrange a design review

Re: [Architecture] SCEP Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-03 Thread Prabath Siriwardena
On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana sanj...@wso2.com wrote: Dilshan, Prabath, should the SCEP server code ship with IS by default? Prabath, I remember a long discussion about certificate issuing and distribution 3-4 years ago but don't think we ended up implementing it yet .. is

Re: [Architecture] SCEP Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-03 Thread Prabath Siriwardena
/iPhoneOTAConfiguration/iPhoneOTAConfiguration.pdf On Sun, Aug 4, 2013 at 6:36 AM, Prabath Siriwardena prab...@wso2.com wrote: On Sat, Aug 3, 2013 at 9:04 PM, Sanjiva Weerawarana sanj...@wso2.com wrote: Dilshan, Prabath, should the SCEP server code ship with IS by default? Prabath, I remember a long

Re: [Architecture] SCEP Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-04 Thread Prabath Siriwardena
any time it can be replaced with anything. Ideally, I believe, this part needs to be handled by IS and MDM only communicates with it through the information provided at deployment time. Regards, Dilshan On Sun, Aug 4, 2013 at 7:09 AM, Prabath Siriwardena prab...@wso2.com wrote: Just

Re: [Architecture] SCEP Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-04 Thread Prabath Siriwardena
will be done based on the user challenge before it gets passed to it. The validation part is not done. Also there is a performance issue in the time taken to enroll a device, Mayuran is working on that along with the validation. Thanks, -Shan On Sun, Aug 4, 2013 at 1:38 PM, Prabath Siriwardena prab

Re: [Architecture] SCEP Identity Server (was: Re: Mobile Device Management Architecture)

2013-08-05 Thread Prabath Siriwardena
is the best method to overcome the SCEP vulnerability. On Mon, Aug 5, 2013 at 10:39 AM, Prabath Siriwardena prab...@wso2.com wrote: I guess the user challenge itself is not enough.. We also need to validate the SCEP request.. Thanks & regards, -Prabath On Mon, Aug 5, 2013 at 10:32 AM, Shanmugarajah

Re: [Architecture] Trusted Delegation using OAuth2 Tokens

2013-09-11 Thread Prabath Siriwardena
Hi Sumedha, This needs to be better modeled after "A Method of Bearer Token Redelegation and Chaining for OAuth 2" (http://tools.ietf.org/id/draft-richer-oauth-chain-00.txt). The grant type needs to be urn:ietf:params:oauth:grant_type:redelegate. And also - we should not provide a refresh token in

Re: [Architecture] Issue at tenant user login in cluster mode - Mutiple user stores active

2013-09-26 Thread Prabath Siriwardena
+1 for that.. Only downside - the tenant is not loaded on demand.. Another approach is.. Currently the tenant is loaded by looking at the URL.. say for example - if the URL says - /t/wso2.com - this will cause wso2.com to be loaded if it is not loaded already. The issue with authentication is - we

Re: [Architecture] Issue at tenant user login in cluster mode - Mutiple user stores active

2013-09-26 Thread Prabath Siriwardena
Won't it be too late to load the tenant at this moment? As the changes need to be checked out from the repo, for authentication to be successful, are we to hold the decision using some mechanism till the check out completes? This is the same behavior you see when you log in to the management

[Architecture] Extension points for Auth token issue and token validation services.

2013-09-30 Thread Prabath Siriwardena
The requirement is to process the token issue request at the Key Manager before actually processing the request. The following two methods will be introduced to the org.wso2.carbon.identity.oauth2.OAuth2ServiceListener interface - and these will be invoked from the

Re: [Architecture] OAuth2 Scope and Resource Owner Validation

2013-10-02 Thread Prabath Siriwardena
+1 Currently IS and API-M use two different services for token validation. So - let's get rid of this code duplication first and then work on the improvements... Thanks & regards, -Prabath On Wed, Oct 2, 2013 at 11:05 AM, Johann Nallathamby joh...@wso2.com wrote: Currently the OAuth2 scopes

Re: [Architecture] Why API - Manager always upper case the scope

2013-10-03 Thread Prabath Siriwardena
On Fri, Oct 4, 2013 at 7:25 AM, Prabath Siriwardena prab...@wso2.com wrote: This is done by the handler t/org.wso2.carbon.apimgt.keymgt/src/main/java/org/wso2/carbon/apimgt/keymgt/util/APIManagerOAuthCallbackHandler.java Scope is case sensitive - and when we issue a token against a provided

Re: [Architecture] OAuth2 Scope and Resource Owner Validation

2013-10-07 Thread Prabath Siriwardena
Thanks, -Suresh On Wed, Oct 2, 2013 at 2:47 AM, Prabath Siriwardena prab...@wso2.com wrote: +1 Currently IS and API-M use two different services for token validation. So - let's get rid of this code duplication first and then work on the improvements... Thanks & regards, -Prabath On Wed

Re: [Architecture] Separating 'My Identity' functionality from management console

2013-10-09 Thread Prabath Siriwardena
How do we do this in API Store / Publisher? Can we host the API Store / Publisher in a different Application Server and still point to the same user base behind the API Manager..? Thanks & regards, -Prabath On Wed, Oct 9, 2013 at 7:32 PM, Venura Kahawala ven...@wso2.com wrote: Hi, I'm now

[Architecture] Handling SAML2 SSO Sessions

2013-10-21 Thread Prabath Siriwardena
How do we handle SAML2 sessions now..? I believe we keep them in memory.. Keeping them in memory won't scale - as these sessions are supposed to live long.. and also won't be accessed frequently.. Can we use an LRU cache - and persist the SAML2 sessions..? Thoughts please.. Thanks & Regards, Prabath
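One shape the "LRU cache plus persistence" suggestion can take, as an added example that is not WSO2 Identity Server code: a write-through LRU in front of a persistent store, so that evicting a session from memory never loses it, a miss reloads it from the backend, and expiry and logout remove it from both layers. The `InMemoryBackend`, the session layout (subject, per-SP session index for single logout, expiry) and the injectable clock are constructed for the example.

```python
"""LRU cache in front of a persistent store for SAML2 SSO sessions.
Constructed example, not WSO2 code."""
import copy
import time
from collections import OrderedDict
from typing import Callable, Dict, Optional


class InMemoryBackend:
    """Stand-in for the persistent store (a DB table in practice)."""

    def __init__(self):
        self.rows: Dict[str, dict] = {}

    def put(self, session_id: str, session: dict) -> None:
        self.rows[session_id] = copy.deepcopy(session)

    def get(self, session_id: str) -> Optional[dict]:
        row = self.rows.get(session_id)
        return copy.deepcopy(row) if row is not None else None

    def delete(self, session_id: str) -> None:
        self.rows.pop(session_id, None)


class Saml2SessionStore:
    """Write-through LRU: every session is persisted on create/update, the cache
    only holds the hot subset, and a cache miss reloads from the backend."""

    def __init__(self, backend, capacity: int, ttl_seconds: int,
                 clock: Callable[[], float] = time.time):
        self.backend = backend
        self.capacity = capacity
        self.ttl = ttl_seconds
        self.clock = clock
        self.cache: "OrderedDict[str, dict]" = OrderedDict()
        self.backend_reads = 0  # number of cache misses served by the backend

    def create(self, session_id: str, subject: str, sp: str, session_index: str) -> None:
        session = {"subject": subject, "sps": {sp: session_index},
                   "expires_at": self.clock() + self.ttl}
        self._save(session_id, session)

    def add_service_provider(self, session_id: str, sp: str, session_index: str) -> bool:
        """Record another SP that joined this SSO session (needed for single logout)."""
        session = self.get(session_id)
        if session is None:
            return False
        session["sps"][sp] = session_index
        self._save(session_id, session)
        return True

    def get(self, session_id: str) -> Optional[dict]:
        session = self.cache.get(session_id)
        if session is not None:
            self.cache.move_to_end(session_id)  # mark as recently used
        else:
            self.backend_reads += 1
            session = self.backend.get(session_id)
            if session is not None:
                self._cache_put(session_id, session)
        if session is None:
            return None
        if session["expires_at"] <= self.clock():
            self.invalidate(session_id)  # expired: drop from both layers
            return None
        return session

    def invalidate(self, session_id: str) -> None:
        self.cache.pop(session_id, None)
        self.backend.delete(session_id)

    def _save(self, session_id: str, session: dict) -> None:
        self.backend.put(session_id, session)  # persist first, then cache
        self._cache_put(session_id, session)

    def _cache_put(self, session_id: str, session: dict) -> None:
        self.cache[session_id] = session
        self.cache.move_to_end(session_id)
        while len(self.cache) > self.capacity:
            self.cache.popitem(last=False)  # evict LRU; the backend still has it
```

The capacity bounds memory on each node, while the backend is what makes a long-lived session survive a node restart or a failover to another cluster member.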

[Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
There are three use cases.. 1. A SCIM consumer sends a provisioning request to IS - which is the SCIM CSP. 2. [1] Identity Server provisions the user to other CSPs. 3. Adding a user from the IS management console and provisioning the user to other connected CSPs. How do we handle id/externalid/userName

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
, scimId etc). IMO externalId is not a useful attribute in the spec. Here [1] there are some arguments on this. [1] http://www.infoq.com/articles/scim-data-model-limitations Please add anything missing or wrong. Thanks, On Mon, Oct 21, 2013 at 10:45 PM, Prabath Siriwardena prab...@wso2

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
at 4:53 AM, Prabath Siriwardena prab...@wso2.com wrote: When IS provisions users to other connected systems - are we maintaining the list of ids returned by each CSP...? IMO externalid is also useful. A given externalid could map to multiple ids returned by CSPs. Thanks & regards, -Prabath

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
providers handle the request by taking the user name and identifying to which resource the operation should be applied. Regards, Venura On Tue, Oct 22, 2013 at 9:15 AM, Prabath Siriwardena prab...@wso2.com wrote: On Tue, Oct 22, 2013 at 3:09 PM, Ishara Karunarathna isha...@wso2.com wrote

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
, -Prabath On Tue, Oct 22, 2013 at 5:55 PM, Venura Kahawala ven...@wso2.com wrote: Hi, On Tue, Oct 22, 2013 at 10:17 AM, Prabath Siriwardena prab...@wso2.com wrote: On Tue, Oct 22, 2013 at 5:41 PM, Venura Kahawala ven...@wso2.com wrote: Hi, Also - how spec compliant - is it to do

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
-Type: application/json https://localhost:9443/wso2/scim/Users/48f7cfe5-f0e3-4a67-af7e-d762aa9ab215 Regards, Venura On Tue, Oct 22, 2013 at 10:37 AM, Prabath Siriwardena prab...@wso2.com wrote: In that case it's with an id - not a direct PUT to /Users. It's like /Users/id. To sort out any confusion

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-21 Thread Prabath Siriwardena
.. We do two calls when we do outbound provisioning..? One to get the id and then the PUT. Thanks & regards, -Prabath Regards, Venura On Tue, Oct 22, 2013 at 11:05 AM, Prabath Siriwardena prab...@wso2.com wrote: But for outbound provisioning from IS we cannot do the same now - as we do

Re: [Architecture] How do we handle SCIM id/externalid/userName ?

2013-10-22 Thread Prabath Siriwardena
for the scenario where IS is behaving as a consumer. Regards, Venura On Tue, Oct 22, 2013 at 11:15 AM, Prabath Siriwardena prab...@wso2.com wrote: Why don't we maintain all the ids from external CSPs - against the externalid? Then we do not need to worry about doing two calls.. Thanks & regards

Re: [Architecture] Access tokens are differ based on the scope?

2013-10-25 Thread Prabath Siriwardena
Yes.. We cannot give the same access token for different scopes. +1 for fixing this. Thanks... Sent from my mobile device On Oct 25, 2013, at 5:29 PM, Asela Pathberiya as...@wso2.com wrote: Hi All, AFAIK, currently the OAuth2 token endpoint returns the same access token for different
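The defect this message agrees to fix, shown as an added example (constructed, not the WSO2 token endpoint code): an issuer that keys its active-token table on (client, user) alone hands the first token back for any later scope, so a token minted for `read` also "is" the `read write` token. The corrected issuer makes the scope set part of the key, and its resource-side check rejects a token that lacks a required scope. Class and method names are the example's own.

```python
"""Access tokens must be bound to their scope: constructed example of the bug
and the fix, not WSO2 code."""
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class AccessToken:
    value: str
    client_id: str
    subject: str
    scope: FrozenSet[str]


def _parse_scope(scope: str) -> FrozenSet[str]:
    return frozenset(scope.split())  # RFC 6749: space-delimited, case-sensitive


class BuggyTokenIssuer:
    """Keys the active-token table on (client, subject) only, so a second
    request with a different scope gets the first token back unchanged."""

    def __init__(self):
        self._active: Dict[Tuple[str, str], AccessToken] = {}

    def issue(self, client_id: str, subject: str, scope: str) -> AccessToken:
        key = (client_id, subject)
        token = self._active.get(key)
        if token is None:
            token = AccessToken(secrets.token_urlsafe(32), client_id, subject, _parse_scope(scope))
            self._active[key] = token
        return token


class TokenIssuer:
    """Scope is part of the key: an active token is reused only for an
    identical scope set; any other scope set gets its own token."""

    def __init__(self):
        self._active: Dict[Tuple[str, str, FrozenSet[str]], AccessToken] = {}
        self._by_value: Dict[str, AccessToken] = {}

    def issue(self, client_id: str, subject: str, scope: str) -> AccessToken:
        scope_set = _parse_scope(scope)
        key = (client_id, subject, scope_set)
        token = self._active.get(key)
        if token is None:
            token = AccessToken(secrets.token_urlsafe(32), client_id, subject, scope_set)
            self._active[key] = token
            self._by_value[token.value] = token
        return token

    def validate(self, value: str, required_scope: str) -> Optional[AccessToken]:
        """Resource-side check: the token must carry every required scope."""
        token = self._by_value.get(value)
        if token is None or not _parse_scope(required_scope) <= token.scope:
            return None
        return token

    def revoke(self, value: str) -> None:
        token = self._by_value.pop(value, None)
        if token is not None:
            self._active.pop((token.client_id, token.subject, token.scope), None)
```

Comparing scope as a set also means `read write` and `write read` map to the same token, which is what a client that reorders its scope string would expect.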

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
Hi Johann, Please find comments inline... On Mon, Nov 11, 2013 at 9:35 AM, Johann Nallathamby joh...@wso2.com wrote: Hi Prabath, +1 for the concept. Some concerns and thoughts inline.. bear with me for my lengthy verbose arguments.. On Mon, Nov 11, 2013 at 3:12 AM, Prabath Siriwardena

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
at 3:12 AM, Prabath Siriwardena prab...@wso2.com wrote: 1. What is an Application in the context of Identity Server? It's a consumer of identity attributes, roles (and groups), authentication methods/policies and authorization policies. In practice, this could be a web application, mobile

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
On Mon, Nov 11, 2013 at 10:41 AM, Ishara Karunarathna isha...@wso2.com wrote: Hi, On Mon, Nov 11, 2013 at 9:58 AM, Prabath Siriwardena prab...@wso2.com wrote: Hi Johann, Please find comments inline... On Mon, Nov 11, 2013 at 9:35 AM, Johann Nallathamby joh...@wso2.com wrote: Hi Prabath

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
On Mon, Nov 11, 2013 at 11:26 AM, Ishara Karunarathna isha...@wso2.com wrote: On Mon, Nov 11, 2013 at 11:07 AM, Prabath Siriwardena prab...@wso2.com wrote: On Mon, Nov 11, 2013 at 10:41 AM, Ishara Karunarathna isha...@wso2.com wrote: Hi, On Mon, Nov 11, 2013 at 9:58 AM, Prabath

Re: [Architecture] [Identity Server] Applications

2013-11-10 Thread Prabath Siriwardena
joh...@wso2.com wrote: On Mon, Nov 11, 2013 at 1:01 PM, Prabath Siriwardena prab...@wso2.com wrote: On Mon, Nov 11, 2013 at 11:47 AM, Johann Nallathamby joh...@wso2.com wrote: Yes, we don't have to encrypt the consumer key, but still I feel we can use a different

Re: [Architecture] [Identity Server] Applications

2013-11-11 Thread Prabath Siriwardena
The IdP always issues claims from its own dialect. If we want application-specific claims - that is a functionality of the resource STS. Thanks & regards, -Prabath On Mon, Nov 11, 2013 at 3:59 AM, Asela Pathberiya as...@wso2.com wrote: On Mon, Nov 11, 2013 at 4:18 PM, Prabath Siriwardena prab

Re: [Architecture] [Identity Server] Applications

2013-11-11 Thread Prabath Siriwardena
The IdP always issues claims from its own dialect. If we want application-specific claims - that is a functionality of the resource STS. Thanks & regards, -Prabath On Mon, Nov 11, 2013 at 5:29 PM, Asela Pathberiya as...@wso2.com wrote: On Mon, Nov 11, 2013 at 4:18 PM, Prabath Siriwardena prab

Re: [Architecture] Security mediators for ESB

2013-11-13 Thread Prabath Siriwardena
Ideally it should be a handler - not a mediator... This should get executed before the message comes to the inSequence. Thanks & regards, -Prabath On Wed, Nov 13, 2013 at 10:24 PM, Miyuru Wanninayaka miy...@wso2.com wrote: Hi all, Currently most security stuff is handled at the rampart level (except

Re: [Architecture] Security mediators for ESB

2013-11-14 Thread Prabath Siriwardena
within the ESB language itself, it will be an added plus. (This is like we have to go to the Axis2 level to configure transports now). --Srinath On Thu, Nov 14, 2013 at 1:23 AM, Prabath Siriwardena prab...@wso2.com wrote: Ideally it should be a handler - not a mediator... This should get executed

Re: [Architecture] C5 user core API high-level design

2013-12-07 Thread Prabath Siriwardena
A design review is scheduled for 10th Dec - Tuesday.. Thanks & regards, -Prabath On Sat, Dec 7, 2013 at 1:01 PM, Prabath Siriwardena prab...@wso2.com wrote: The Identity team was working on designing the user core API during the last week. Please find the high-level design attached. Each Tenant

[Architecture] [C5] Should we use api in the API package name ?

2013-12-14 Thread Prabath Siriwardena
Should we use api in the API package name? I think we should not.. Currently we have org.wso2.carbon.user.api, org.wso2.carbon.registry.api and possibly many more.. I think we should avoid putting API in the package name - and it should be quite obvious.. For example, in Java - in the JDBC API [1] -

Re: [Architecture] [C5] Should we use api in the API package name ?

2013-12-14 Thread Prabath Siriwardena
, 2013 at 6:00 PM, Prabath Siriwardena prab...@wso2.com wrote: Should we use api in the API package name? I think we should not.. Currently we have org.wso2.carbon.user.api, org.wso2.carbon.registry.api and possibly many more.. I think we should avoid putting API in the package name

Re: [Architecture] Meeting Notes { was : Re: Invitation: Carbon 5 User API Design Review}

2013-12-19 Thread Prabath Siriwardena
joh...@wso2.com wrote: Hi Prabath, One more suggestion I wanted to make and missed is: what if we have the Identifier classes of each entity as a static nested class of the corresponding entity? This way it will make the packaging neater. On Thu, Dec 19, 2013 at 1:26 PM, Prabath

Re: [Architecture] Meeting Notes { was : Re: Invitation: Carbon 5 User API Design Review}

2013-12-19 Thread Prabath Siriwardena
, Prabath Siriwardena prab...@wso2.com wrote: A nested class should exist only to serve its enclosing class... if the purpose of it goes beyond that - then it should be a top-level one. For that reason, I didn't want to have Identifier classes as nested classes... I was only thinking about

Re: [Architecture] Provide support for self signup for tenants' APIStores

2014-01-22 Thread Prabath Siriwardena
I think the right approach is to use [1]. UserSelfRegistrationService will add users to the Identity role by default. But, if you want to add the user to the subscriber role, you can make it configurable. Also - with UserSelfRegistrationService - you can specify to which user stores you need to

Re: [Architecture] Invitation: APIM Progress update @ Mon Jan 20 11:30pm - Tue Jan 21, 2014 12:30am (samee...@wso2.com)

2014-01-22 Thread Prabath Siriwardena
On Tue, Jan 21, 2014 at 5:23 PM, Lalaji Sureshika lal...@wso2.com wrote: Hi, In addition to Tanya's notes, the following features/improvements are noted as we expect to complete from the ES side [sorry, if I repeat a few..], while Sameera is working on adding APIM-related custom pages and functionalities

Re: [Architecture] Provide support for self signup for tenants' APIStores

2014-01-22 Thread Prabath Siriwardena
in the identity.xml. I do not think we can configure multiple roles (multiple SignUpRole elements). If not, we can fix it as well. Thanks, Asela. Thanks; On Wed, Jan 22, 2014 at 2:30 PM, Lalaji Sureshika lal...@wso2.com wrote: Hi, On Wed, Jan 22, 2014 at 2:04 PM, Prabath Siriwardena

Re: [Architecture] Provide support for self signup for tenants' APIStores

2014-01-22 Thread Prabath Siriwardena
+1 Thanks & regards, -Prabath On Wed, Jan 22, 2014 at 7:29 PM, Lalaji Sureshika lal...@wso2.com wrote: Hi, On Wed, Jan 22, 2014 at 5:36 PM, Prabath Siriwardena prab...@wso2.com wrote: If this is per tenant - you cannot do it via a configuration in the identity.xml... Ideally the tenant

Re: [Architecture] Provide support for self signup for tenants' APIStores

2014-01-22 Thread Prabath Siriwardena
, Prabath Siriwardena prab...@wso2.com wrote: If this is per tenant - you cannot do it via a configuration in the identity.xml... Ideally the tenant admin should have an option in the UI to enable/disable SelfSignUp and if it is enabled he should be able to specify the default role or the role list

Re: [Architecture] SSO IDP Proxy Application + SDK

2014-03-27 Thread Prabath Siriwardena
Great..!!! Can we also start with an iOS app...? Also - can you please test this with IS 4.1.0..? Thanks & regards, -Prabath On Thu, Mar 27, 2014 at 4:31 PM, Gayan Gunawardana ga...@wso2.com wrote: Hi All, Still code with ongoing development, but anybody who is interested can try it Android

Re: [Architecture] OpenID connect ID Token Implementation

2014-09-06 Thread Prabath Siriwardena
+1 For JWS and JWE you can directly use the Nimbus [1] Java library, which is released under the Apache 2.0 license.. [1]: http://connect2id.com/products/nimbus-jose-jwt/download Thanks & regards, -Prabath On Sat, Sep 6, 2014 at 11:22 PM, Gayan Gunawardana ga...@wso2.com wrote: Hi, Currently WSO2

Re: [Architecture] ESB iPAAS - OAuth Authorization for different providers

2014-09-24 Thread Prabath Siriwardena
I think it's true to some extent that some OAuth authorization servers (AS) use their own configuration parameters and also somewhat deviate from the OAuth specification. What you can do is - keep basic OAuth 1.0 and 2.0 modules and if you see a given AS has changed the behavior - extend from

Re: [Architecture] ESB iPAAS - OAuth Authorization for different providers

2014-09-24 Thread Prabath Siriwardena
deviates from the OAuth 2.0 Bearer Token Profile. The following is a request to the LinkedIn UserInfo endpoint... curl https://api.linkedin.com/v1/people/~?oauth2_access_token=AQVKwPCyJoTDl9CZl5ID9S9hig9qd0P Thanks & regards, -Prabath On Thu, Sep 25, 2014 at 11:02 AM, Prabath Siriwardena prab...@wso2
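The "basic module, extend for a deviating provider" structure from the previous message, applied to the LinkedIn case shown here, as an added example (not WSO2 ESB code): the base module puts the token in the `Authorization: Bearer` header as RFC 6750 section 2.1 specifies; the LinkedIn override moves it into the `oauth2_access_token` query parameter the curl line above uses. The `HttpRequest` record, the provider registry and the TLS check are the example's own; nothing is sent on the wire.

```python
"""Provider-specific OAuth 2.0 request builders: a spec-compliant bearer
module plus a LinkedIn override. Constructed example, not WSO2 ESB code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Type
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit


@dataclass
class HttpRequest:
    method: str
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


class OAuth2BearerClient:
    """Default module: RFC 6750 section 2.1, token in the Authorization header."""

    def __init__(self, access_token: str):
        self.access_token = access_token

    def build_request(self, method: str, url: str,
                      headers: Optional[Dict[str, str]] = None) -> HttpRequest:
        if urlsplit(url).scheme != "https":
            raise ValueError("bearer tokens are only sent over TLS")
        h = dict(headers or {})
        h["Authorization"] = f"Bearer {self.access_token}"
        return HttpRequest(method, url, h)


class LinkedInOAuth2Client(OAuth2BearerClient):
    """LinkedIn's REST API (as in the thread) reads the token from the
    oauth2_access_token query parameter instead of the header."""
    TOKEN_PARAM = "oauth2_access_token"

    def build_request(self, method: str, url: str,
                      headers: Optional[Dict[str, str]] = None) -> HttpRequest:
        parts = urlsplit(url)
        if parts.scheme != "https":
            raise ValueError("bearer tokens are only sent over TLS")
        query = dict(parse_qsl(parts.query, keep_blank_values=True))
        query[self.TOKEN_PARAM] = self.access_token  # overrides any caller-supplied value
        url = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))
        # the token is now part of the URL: keep it out of access logs and Referer headers
        return HttpRequest(method, url, dict(headers or {}))


# registry of overrides; unknown providers get the spec-compliant default
PROVIDER_MODULES: Dict[str, Type[OAuth2BearerClient]] = {"linkedin": LinkedInOAuth2Client}


def client_for(provider: str, access_token: str) -> OAuth2BearerClient:
    return PROVIDER_MODULES.get(provider.lower(), OAuth2BearerClient)(access_token)
```

Keeping the deviation in a subclass means the default path stays spec-compliant and a provider that later fixes its behaviour can be removed from the registry without touching the base module.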

Re: [Architecture] ESB iPAAS - OAuth Authorization for different providers

2014-09-25 Thread Prabath Siriwardena
, Ravindra Ranwala ravin...@wso2.com wrote: Hi All, Thanks a lot for the valuable feedback given. We'll consider all these things when we implement this solution in our iPAAS. Regards, On Thu, Sep 25, 2014 at 11:08 AM, Prabath Siriwardena prab...@wso2.com wrote: According to the OAuth 2.0

Re: [Architecture] API Manager Authorization Server Decoupling

2014-10-15 Thread Prabath Siriwardena
Quick feedback - please do not use DTO in the name: ExtKeyMgtAppInfoDTO Thanks & regards, -Prabath On Wed, Oct 15, 2014 at 6:27 PM, Sanjeewa Malalgoda sanje...@wso2.com wrote: Hi All, Here is a brief update on the status of the External Key Management server - APIM integration implementation. We will

Re: [Architecture] [BAM] [Security] Securing REST API

2015-02-03 Thread Prabath Siriwardena
If you say Basic Auth is easy - then there is no difference in using OAuth too :-) Basically the resource owner credentials grant type was introduced in OAuth to migrate clients from Basic/Digest authentication into OAuth... By looking at the use case - it's clearly something to do with the

Re: [Architecture] [BAM] [Security] Securing REST API

2015-01-28 Thread Prabath Siriwardena
+1 for using OAuth.. Please also think of the cost of maintaining and provisioning keys between servers in a clustered setup and the requirement of having an OAuth authorization server. Please see the approach suggested here [1]: self-issued self-contained access tokens. This approach reduces all
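What "self-issued, self-contained access tokens" amounts to, as an added example that is not WSO2 BAM code and not the design from the linked post: every node in the cluster is provisioned once with the same secret, after which any node can mint an HMAC-signed JWT and any other node can verify it with no call to an authorization server and no shared token table. The issuer name, claim set, secret and clock are constructed; the signature is always recomputed with the server's own algorithm and key rather than the `alg` the token names, which closes the usual "alg swap" hole.

```python
"""Self-issued, self-contained (HMAC-signed JWT) access tokens for a clustered
REST API. Constructed example, not WSO2 BAM code."""
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Iterable, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class SelfIssuedTokenService:
    """Every node holds the same secret (provisioned once, e.g. from a KMS);
    after that any node can issue and any node can verify locally."""

    ALG = "HS256"

    def __init__(self, secret: bytes, issuer: str, clock: Callable[[], float] = time.time):
        if len(secret) < 32:
            raise ValueError("secret must be at least 256 bits")
        self.secret = secret
        self.issuer = issuer
        self.clock = clock

    def _sign(self, signing_input: str) -> bytes:
        return hmac.new(self.secret, signing_input.encode("ascii"), hashlib.sha256).digest()

    def issue(self, subject: str, scopes: Iterable[str], ttl_seconds: int = 300) -> str:
        now = int(self.clock())
        header = {"alg": self.ALG, "typ": "JWT"}
        payload = {"iss": self.issuer, "sub": subject, "scope": " ".join(sorted(scopes)),
                   "iat": now, "exp": now + ttl_seconds}
        signing_input = ".".join(
            _b64url(json.dumps(part, separators=(",", ":")).encode("utf-8"))
            for part in (header, payload))
        return signing_input + "." + _b64url(self._sign(signing_input))

    def verify(self, token: str) -> Optional[dict]:
        """Return the claims if the token is genuine and unexpired, else None."""
        try:
            header_b64, payload_b64, sig_b64 = token.split(".")
            # recompute with OUR algorithm and key; never take the algorithm from the token
            expected = self._sign(f"{header_b64}.{payload_b64}")
            if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
                return None
            header = json.loads(_b64url_decode(header_b64))
            payload = json.loads(_b64url_decode(payload_b64))
        except ValueError:  # malformed split, base64 or JSON
            return None
        if header.get("alg") != self.ALG or payload.get("iss") != self.issuer:
            return None
        if not isinstance(payload.get("exp"), int) or payload["exp"] <= self.clock():
            return None
        return payload

    def authorize(self, token: str, required_scope: str) -> bool:
        claims = self.verify(token)
        return claims is not None and required_scope in claims.get("scope", "").split()
```

The trade-off is the one the message points at: the only state to keep in sync across the cluster is the secret, and the cost of that is that a leaked secret lets anyone mint tokens until it is rotated, so short `exp` values and a rotation plan are part of the design, not an afterthought.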

Re: [Architecture] POODLE Vulnerability (SSL 3.0) in WSO2 Carbon 3.0 Products

2015-03-22 Thread Prabath Siriwardena
Please find the details at http://blog.facilelogin.com/2014/10/poodle-attack-and-disabling-ssl-v3-in_69.html Thanks & regards, -Prabath On Thu, Oct 30, 2014 at 9:26 PM, Niranda Perera nira...@wso2.com wrote: Hi all, This follows Prabath's blog post on POODLE Attack and Disabling SSL V3 in
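A check to run over the connector configuration after following the linked post, as an added example (it is not the post's procedure and not WSO2 code). It assumes the Tomcat JSSE connector attribute `sslEnabledProtocols` (in Carbon 4.x the file is repository/conf/tomcat/catalina-server.xml) and flags every SSL-enabled connector that either lists SSLv3 explicitly or sets no list at all, since with no list the JVM default applies and JDKs of that era still enabled SSLv3. The sample XML is constructed.

```python
"""Lint Tomcat/Carbon connector config for SSLv3 exposure (POODLE).
Constructed example, not the blog post's procedure and not WSO2 code."""
import xml.etree.ElementTree as ET
from typing import List, Tuple


def find_sslv3_connectors(server_xml: str) -> List[Tuple[str, str]]:
    """Return (port, reason) for every SSL-enabled Connector that may still
    negotiate SSLv3. Assumes Tomcat's JSSE 'sslEnabledProtocols' attribute."""
    root = ET.fromstring(server_xml)
    findings: List[Tuple[str, str]] = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connectors do not negotiate TLS at all
        port = conn.get("port", "?")
        enabled = conn.get("sslEnabledProtocols")
        if enabled is None:
            # no explicit list: the JVM default applies, and older JDKs enabled SSLv3
            findings.append((port, "sslEnabledProtocols not set; JVM default may include SSLv3"))
            continue
        protocols = {p.strip() for p in enabled.split(",") if p.strip()}
        if "SSLv3" in protocols:
            findings.append((port, f"SSLv3 explicitly enabled: {enabled}"))
    return findings


# Constructed sample: one plain HTTP connector, one SSL connector with no
# protocol list, one that still lists SSLv3, and one restricted to TLS.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9763" />
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9443"
             SSLEnabled="true" sslProtocol="TLS" />
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9444"
             SSLEnabled="true" sslProtocol="TLS" sslEnabledProtocols="SSLv3,TLSv1" />
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="9445"
             SSLEnabled="true" sslProtocol="TLS" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
</Service></Server>"""
```

Note that `sslProtocol="TLS"` on its own does not exclude SSLv3; it names the SSLContext, not the enabled protocol list, which is why the check ignores it and looks at `sslEnabledProtocols` only.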

Re: [Architecture] [RFC] Identity Mediation Language (IML) - Requirements Specification

2015-05-09 Thread Prabath Siriwardena
[resending with fewer recipients - since this was bounced back previously due to that] On Sat, May 9, 2015 at 5:32 PM, Prabath Siriwardena prab...@wso2.com wrote: Please find the details at http://blog.facilelogin.com/2015/05/identity-mediation-language-iml.html Appreciate your

[Architecture] Service versioning for Carbon admin services

2015-04-05 Thread Prabath Siriwardena
The admin service WSDL fixes the contract between the actual service implementation and the client. If you take the ServiceProviderRegistration service in IS - then the Service Provider Registration UI is one client - and App Manager is another client. There can be many clients as well. Right now we

[Architecture] Using renewal/cancel WS-Trust bindings to manage SAML tokens issued by SAML 2.0 Web SSO profile

2015-04-05 Thread Prabath Siriwardena
AFAIK the $subject is not working today. Can we please get that fixed...? This would lead us to many more useful integration patterns... -- Thanks & Regards, Prabath Twitter : @prabath LinkedIn : http://www.linkedin.com/in/prabathsiriwardena Mobile : +1 650 625 7950

Re: [Architecture] [RFC] Identity Mediation Language (IML) - Requirements Specification

2015-06-10 Thread Prabath Siriwardena
On Sat, May 9, 2015 at 9:17 PM, Prabath Siriwardena prab...@wso2.com wrote: [resending with fewer recipients - since this was bounced back previously due to that] On Sat, May 9, 2015 at 5:32 PM, Prabath Siriwardena prab...@wso2.com wrote: Please find the details at http

[Architecture] [Identity Server] FIDO U2F Implementation Considerations

2015-06-15 Thread Prabath Siriwardena
Please have a look at [1] - if we have not already... Pavithra, let's have test cases based on the doc... [1]: https://fidoalliance.org/specs/fido-u2f-v1.0-ps-20141009/fido-u2f-implementation-considerations-ps-20141009.pdf -- Thanks & Regards, Prabath Twitter : @prabath LinkedIn :

Re: [Architecture] Switching to JAAS for Carbon 5?

2015-07-14 Thread Prabath Siriwardena
Hi Azeez, Yes - we discussed implementing this for Carbon 5 with the new UM API design. We would need someone to get started on this... Thanks & regards, -Prabath On Tue, Jul 14, 2015 at 3:08 AM, Afkham Azeez az...@wso2.com wrote: Hi Prabath, What do you think about $subject? Can we ditch the

[Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
It looks like there are still some confusions regarding the IS workflow implementation. So, I thought of sharing my thoughts on the design - and hopefully this will be helpful to clear out the doubts. AFAIK - the framework for the following is already implemented. Basic design principles. 1. Simplicity.

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
BTW yes - let's have a discussion on this again - because this is not just an IS thing - and can be used by any other product which needs to have workflow support.. Thanks & regards, -Prabath On Tue, Jul 14, 2015 at 1:07 PM, Prabath Siriwardena prab...@wso2.com wrote: Hi Sumedha, We discussed

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
Isabelle Mauny, VP, Product Management - WSO2, Inc. - http://wso2.com/ On Tue, Jul 14, 2015 at 6:22 PM, Prabath Siriwardena prab...@wso2.com wrote: It looks like there are still some confusions regarding

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
PM, Sumedha Rubasinghe sume...@wso2.com wrote: Prabath, I think this has some overlaps and improvements compared to what we have done for API Manager about 2 years ago. Let's have a discussion on how to bring the best of both worlds. On Wed, Jul 15, 2015 at 12:49 AM, Prabath Siriwardena prab

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-14 Thread Prabath Siriwardena
to be compatible with the corresponding workflow template... Thanks & regards, -Prabath Regards, Chathura On Wed, Jul 15, 2015 at 1:42 AM, Prabath Siriwardena prab...@wso2.com wrote: BTW yes - let's have a discussion on this again - because this is not just an IS thing - and can be used by any other

Re: [Architecture] [IS] Service Provider/Identity Provider file base configuration in clustered environment

2015-07-20 Thread Prabath Siriwardena
I think one common problem we need to address is to deploy service providers/identity providers across tenants... If we use a file-based approach - we should only use that. Do we have the registry-based dep-sync working now..? Also -1 to doing any of the changes in 5.1.0 - it's already months

Re: [Architecture] [AppM] Secured download links for mobile applications

2015-07-20 Thread Prabath Siriwardena
Hi Chathura, I guess both your use cases fall into the same. Both of the scenarios need authentication. The first scenario differs from the second based on the person who generates the token. In the first scenario - the one who logs into the App Manager - pushes the download link to a set of

Re: [Architecture] Workflow Implementation in IS 5.1.0

2015-07-15 Thread Prabath Siriwardena
, either we have to design workflows without having any dependencies among tasks or we should support restrictions on workflow templates (e.g. if task B is included then task A has to be included). Regards, Chathura On Wed, Jul 15, 2015 at 1:42 AM, Prabath Siriwardena prab...@wso2.com wrote

Re: [Architecture] Digest authentication for secured endpoints in API Manager

2015-09-03 Thread Prabath Siriwardena
Hi Nuwan, Yes.. I was referring to the inbound traffic... BTW do you see a real use for this outbound with Digest Auth..? I have not seen many systems using this.. Thanks & regards, -Prabath On Thu, Sep 3, 2015 at 4:58 AM, Nuwan Dias wrote: > Hi Prabath, > > You're referring

Re: [Architecture] [IS][Workflow] Handling Delete Request Operation Associated with Workflows

2015-09-10 Thread Prabath Siriwardena
I guess the question here is related to deleting a workflow request itself - and if I understood correctly from your description, at the moment it's user based. Only the user who initiates the workflow request can delete it? This looks like a limitation.. Nandika/Chathura, WDYT..? Thanks &

Re: [Architecture] [IS][Workflow] Two separate URL to deploy artifact and send request to BPS

2015-09-23 Thread Prabath Siriwardena
How about a scenario where BPS running with worker/manager separation..? In that case we deploy it to the management node and in runtime requests go through the worker nodes... Thanks & regards, -Prabath On Tue, Sep 22, 2015 at 11:13 PM, Harsha Thirimanna wrote: > Hi All, >

Re: [Architecture] Improvement in Role based content filtering in WSO2 DSS

2015-09-21 Thread Prabath Siriwardena
On Mon, Sep 21, 2015 at 8:44 PM, Rajith Vitharana <raji...@wso2.com> wrote: > Hi Prabath, > > Sorry I missed the mail, yes it would be great if we can talk about this > further. > > > > On Tue, Sep 22, 2015 at 1:54 AM, Prabath Siriwardena <prab...@wso2.c

Re: [Architecture] [IDENTITY-3352] SCIM Dumb Mode Outbound Provisioning

2015-09-21 Thread Prabath Siriwardena
+1 Thanks & regards, -Prabath On Mon, Sep 21, 2015 at 8:46 PM, Ishara Karunarathna <isha...@wso2.com> wrote: > Hi Prabath, > > On Mon, Sep 21, 2015 at 8:25 PM, Prabath Siriwardena <prab...@wso2.com> > wrote: > >> >> >> On Mon, Sep 21, 2015 a

Re: [Architecture] [IDENTITY-3352] SCIM Dumb Mode Outbound Provisioning

2015-09-21 Thread Prabath Siriwardena
On Mon, Sep 21, 2015 at 12:49 AM, Ishara Karunarathna <isha...@wso2.com> wrote: > Hi Prabath, > > On Mon, Sep 21, 2015 at 12:09 PM, Prabath Siriwardena <prab...@wso2.com> > wrote: > >> It looks like from the architecture, whether its a dumb or smart is a &

[Architecture] Plug-in custom inbound authenticators

2015-09-21 Thread Prabath Siriwardena
At the moment you can write custom authenticators and plug that into the system - and it would be a specific endpoint to the service provider. But, the challenge is adding SP-specific configurations - at the moment the IS Service Provider does not pick custom inbound authenticator configurations. I

Re: [Architecture] Improvement in Role based content filtering in WSO2 DSS

2015-09-21 Thread Prabath Siriwardena
If I understand your requirement correctly, this is about a federation scenario, where users are not under the domain of DSS. I guess we need to fix couple of things here.. When I last looked into DSS - the way the DSS picks the username is from the UT header - and the DS must be secured with UT

Re: [Architecture] [IS] [C5] Check Whether User Exist in User Stores

2017-01-31 Thread Prabath Siriwardena
This seems to be a common requirement and it's better to provide an optimized operation for this.. even at the REST API level? Do we have one in SCIM? During the user sign up process - people need to see whether the username picked by the user is available before asking for the details..

Re: [Architecture] [IS] [C5] Check Whether User Exist in User Stores

2017-02-01 Thread Prabath Siriwardena
But.. this is returning back the whole user object...? Thanks & regards, -Prabath On Wed, Feb 1, 2017 at 2:41 AM, Gayan Gunawardana <ga...@wso2.com> wrote: > Hi Prabath, > > On Wed, Feb 1, 2017 at 1:47 AM, Prabath Siriwardena <prab...@wso2.com> > wrote: &g
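An added example, not code from this thread or from WSO2 IS, of the kind of existence check the two messages above ask for using standard SCIM 2.0 (RFC 7644): a `filter` on `userName` combined with `count=0`, which asks the server for `totalResults` only and not the full user object. The endpoint URL, the sample `ListResponse` bodies and the assumption that the server honours `count=0` are all assumptions made for illustration; the filter-literal escaping is there because an unescaped username would otherwise rewrite the filter.

```python
"""Username existence check over SCIM 2.0 (RFC 7644).

Added example; assumptions are marked in comments, and the sample
responses below are constructed, not captured from a real server.
"""
import json
from urllib.parse import urlencode

# Assumed base URL of the SCIM 2.0 Users endpoint (hypothetical).
SCIM_USERS_URL = "https://localhost:9443/scim2/Users"


def scim_string_literal(value: str) -> str:
    """Quote a value for use inside a SCIM filter expression.

    Filter string values are JSON-style strings (RFC 7644 section 3.4.2.2),
    so backslashes and double quotes must be escaped. Without this, a
    username such as 'x" or userName pr' would change the filter's meaning.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_exists_query(username: str) -> str:
    """Build the query URL for an existence check.

    count=0 asks the server to return only totalResults and no Resources
    (RFC 7644 section 3.4.2.4), so the whole user object is never sent
    back just to answer "is this name taken?".
    """
    params = {
        "filter": f"userName eq {scim_string_literal(username)}",
        "count": "0",
    }
    return f"{SCIM_USERS_URL}?{urlencode(params)}"


def user_exists(list_response_json: str) -> bool:
    """Interpret a SCIM ListResponse body: the user exists iff totalResults > 0.

    A server that ignores count=0 still reports totalResults, so the check
    works either way; a missing Resources array is tolerated.
    """
    body = json.loads(list_response_json)
    schemas = body.get("schemas", [])
    if "urn:ietf:params:scim:api:messages:2.0:ListResponse" not in schemas:
        raise ValueError("not a SCIM ListResponse")
    return int(body.get("totalResults", 0)) > 0


# Constructed sample responses (assumed shape, not captured from IS).
SAMPLE_HIT = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 1,
    "itemsPerPage": 0,
    "startIndex": 1,
})
SAMPLE_MISS = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:ListResponse"],
    "totalResults": 0,
    "itemsPerPage": 0,
    "startIndex": 1,
    "Resources": [],
})

if __name__ == "__main__":
    print(build_exists_query("alice"))
    print(build_exists_query('x" or userName pr'))
    print(user_exists(SAMPLE_HIT), user_exists(SAMPLE_MISS))
```

Whether a given IS release honours `count=0` is not something this thread establishes; if it does not, the server returns the matching resource and `user_exists` still answers correctly from `totalResults`, but the bandwidth and data-exposure saving is lost, which is exactly the concern raised in the message above.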

Re: [Architecture] Account Lock/Disable Feature in IS 6.0.0

2017-01-20 Thread Prabath Siriwardena
Hi Isura, Please find my comment inline... On Fri, Jan 20, 2017 at 2:02 AM, Isura Karunaratne wrote: > Hi all, > > > We are working on implementing account lock/disable features for IS 6.0.0. > > *Account Lock: * > >- User *must not *be able to login to the system. >-

Re: [Architecture] [Dev] [IS 6.0.0] [User Portal] Challenge Questions in Self sign-up page of user portal

2017-01-18 Thread Prabath Siriwardena
Yes.. +1 for keeping this feature... Thanks & regards, -Prabath On Wed, Jan 18, 2017 at 10:05 PM, Johann Nallathamby wrote: > > > On Thu, Jan 19, 2017 at 10:42 AM, Isura Karunaratne > wrote: > >> Hi, >> >> In my opinion, admin defined security questions are

Re: [Architecture] Applying Machine Learning in Security - A Survey

2017-03-08 Thread Prabath Siriwardena
Thanks for sharing! Will go through this... Thanks & regards, -Prabath On Wed, Mar 8, 2017 at 9:28 PM, Srinath Perera wrote: > Found from https://www.oreilly.com/ideas/building-machine- > learning-solutions-that-can-withstand-adversarial-attacks > > Look very interesting > >

Re: [Architecture] A Claim MUST have a Issuer

2017-03-07 Thread Prabath Siriwardena
+1 for issuer - but please plan this post IS 6.0.0 Thanks & regards, -Prabath On Tue, Mar 7, 2017 at 11:16 AM, Johann Nallathamby wrote: > > > On Tue, Mar 7, 2017 at 2:12 PM, Ishara Karunarathna > wrote: > >> Hi Johan, >> >> >> >> On Mon, Feb 27, 2017 at

[Architecture] Force Delete Identity Providers

2017-05-17 Thread Prabath Siriwardena
At the moment we can't delete an identity provider, if it's associated with one or more service providers. Also - for the user there is no way to find out the associated service providers for a given identity provider - without going through each and every service provider config. This is fine

Re: [Architecture] Distinguish between local and federated users in oauth tables

2017-05-17 Thread Prabath Siriwardena
ussion[1] related this for SAML bearer grant earlier as > well. I think we could consider that improvement along with this fix. > > WDYT? > > > [1] [Dev] Validate user against given user store and save correct user > domain in saml2-bearer grant type > > On Wednesday, May 17,

Re: [Architecture] Force Delete Identity Providers

2017-05-18 Thread Prabath Siriwardena
On Thu, May 18, 2017 at 12:09 AM, Ishara Karunarathna <isha...@wso2.com> wrote: > Hi, > > On Wed, May 17, 2017 at 10:14 PM, Prabath Siriwardena <prab...@wso2.com> > wrote: > >> At the moment we can't delete an identity provider, if its associated >> with on
