In the identity server, a service provider represents the application which
uses the Identity Server as an Identity Provider.

In some cases, Identity Server needs to validate the identity of the
application to make sure the authentication/authorization requests are
coming from the legitimate application.

*How is this done now?*

The application certificate should be imported to the keystore file and the
alias should be mentioned in the service provider so that the service
provider can validate the signature against the certificate identified by
that alias.

*Why does this need to be improved?*

1) The keystore file resides in the file system. Therefore, in a clustered
deployment, either the certificate must be imported on every node or the
keystore file must be synced across the nodes.

2) The server needs a restart after importing a certificate.

*What is the solution?*

The certificate should be stored in the database so that it is shared and a
restart is not needed.

*High-level design/UX decisions*

1) The SP UI will have a new text area to enter the certificate in PEM
format.

2) The certificate will be stored in the SP_APP table. A new column will be
added.

*REASON*:

Service provider --> certificate is a 1:1 relationship.

3) An interface will be introduced to abstract out the certificate handling
of the SP. There will be two implementations, one supporting the current
behavior and one supporting the proposed behavior.

4) Current behavior will be deprecated.

5) Choosing between the two implementations is not something users should
have to do explicitly, so no configuration option will be provided. If a
certificate is not available in the database, Identity Server will fall back
to the current approach.

*REASON*:

1. This feature changes an internal implementation, so users should not
need to be concerned with it.
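As an added illustration of items 3 and 5 above (example code written for this
note, not Identity Server's own implementation; the interface, class and method
names are hypothetical, and the in-memory map stands in for the new SP_APP
column), here is what the abstraction, its two implementations and the fallback
could look like. The verification step shows the signature check that both
paths ultimately feed, and it rejects an expired or not-yet-valid certificate
before the signature is checked:

```java
import java.io.ByteArrayInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Optional;

/** Hypothetical abstraction (item 3): where does the SP's certificate come from? */
interface ServiceProviderCertificateRetriever {
    /** The SP's certificate, or empty when this source has none for the SP. */
    Optional<X509Certificate> getCertificate(String spName) throws CertificateException;
}

/** Proposed behavior: PEM text stored per SP (stand-in for the SP_APP column). */
class DatabaseCertificateRetriever implements ServiceProviderCertificateRetriever {
    private final Map<String, String> pemBySpName; // assumption: replaces a DB query

    DatabaseCertificateRetriever(Map<String, String> pemBySpName) {
        this.pemBySpName = pemBySpName;
    }

    @Override
    public Optional<X509Certificate> getCertificate(String spName) throws CertificateException {
        String pem = pemBySpName.get(spName);
        if (pem == null || pem.trim().isEmpty()) {
            return Optional.empty(); // nothing stored: caller may fall back (item 5)
        }
        // CertificateFactory accepts the PEM form (BEGIN/END CERTIFICATE) directly.
        // A malformed PEM throws CertificateException; it is NOT treated as "absent".
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        try (InputStream in = new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII))) {
            return Optional.of((X509Certificate) factory.generateCertificate(in));
        } catch (IOException e) {
            throw new CertificateException("Could not read PEM for SP " + spName, e);
        }
    }
}

/** Current behavior: alias configured on the SP, certificate in the keystore file. */
class KeyStoreCertificateRetriever implements ServiceProviderCertificateRetriever {
    private final KeyStore keyStore;
    private final Map<String, String> aliasBySpName;

    KeyStoreCertificateRetriever(KeyStore keyStore, Map<String, String> aliasBySpName) {
        this.keyStore = keyStore;
        this.aliasBySpName = aliasBySpName;
    }

    static KeyStore load(String path, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    @Override
    public Optional<X509Certificate> getCertificate(String spName) throws CertificateException {
        String alias = aliasBySpName.get(spName);
        if (alias == null) {
            return Optional.empty();
        }
        try {
            Certificate cert = keyStore.getCertificate(alias);
            return (cert instanceof X509Certificate)
                    ? Optional.of((X509Certificate) cert) : Optional.empty();
        } catch (KeyStoreException e) {
            throw new CertificateException("Keystore lookup failed for alias " + alias, e);
        }
    }
}

/** Item 5: try the database first, use the keystore only when the DB has nothing. */
class FallbackCertificateRetriever implements ServiceProviderCertificateRetriever {
    private final ServiceProviderCertificateRetriever primary;
    private final ServiceProviderCertificateRetriever fallback;

    FallbackCertificateRetriever(ServiceProviderCertificateRetriever primary,
                                 ServiceProviderCertificateRetriever fallback) {
        this.primary = primary;
        this.fallback = fallback;
    }

    @Override
    public Optional<X509Certificate> getCertificate(String spName) throws CertificateException {
        Optional<X509Certificate> fromDb = primary.getCertificate(spName);
        return fromDb.isPresent() ? fromDb : fallback.getCertificate(spName);
    }
}

/** The check both paths feed: is this request really signed by the SP? */
final class RequestSignatureValidator {
    private RequestSignatureValidator() {}

    static boolean isValid(X509Certificate cert, byte[] signedData, byte[] signature)
            throws GeneralSecurityException {
        cert.checkValidity(); // throws if expired or not yet valid
        // Algorithm is an assumption; it must match the SP's key type and signing scheme.
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(cert.getPublicKey());
        verifier.update(signedData);
        return verifier.verify(signature);
    }
}
```

Wiring it up is a matter of constructing `new FallbackCertificateRetriever(new
DatabaseCertificateRetriever(...), new KeyStoreCertificateRetriever(...))` and
passing the returned certificate to `RequestSignatureValidator.isValid`. One
design choice worth noting: only an absent database entry triggers the fallback;
a stored PEM that does not parse fails the lookup instead of silently reverting
to the keystore, so a corrupted or tampered row cannot cause a different
certificate to be trusted than the one the admin entered.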



Please share your thoughts.




-- 
*Best Regards*

*Rushmin Fernando*
*Technical Lead*

WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware

mobile : +94775615183
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
