Hi Indunil,

In conclusion, this will introduce "Local and Outbound Authentication
Configuration" to the resident IDP UI, and that will be the default
authentication sequence for the tenant.
Is my understanding correct?
Anyway, this will be very useful, because some organizations don't want to
change their authentication flow based on the service provider, and it is very
difficult to work with the current file-based default SP.

Thanks,
Gayan

On Tue, Sep 4, 2018 at 10:22 PM Indunil Upeksha Rathnayake <indu...@wso2.com>
wrote:

> Hi,
>
> On Tue, Sep 4, 2018 at 9:33 PM, Indunil Upeksha Rathnayake <
> indu...@wso2.com> wrote:
>
>> Hi,
>>
>> WSO2 Identity Server is currently capable of allowing a pre-configured
>> default authentication sequence with multi-step or multi-option
>> authentication, which can be globally applied to any of the service
>> providers.
>>
>> As per the current implementation of IS, there is a file-based SP which
>> is considered the default SP of IS
>> (<IS_HOME>/repository/conf/identity/service-providers/default.xml). After
>> IS 5.0.0, in order to link the protocol-specific applications to the service
>> provider concept, we introduced this default file-based SP. So, for an
>> inbound request, if no SP configuration can be found, the default SP of IS
>> will be considered. For an SP which is configured with the default
>> authentication type as follows, we use the local and outbound
>> authentication configuration of the default SP of IS.
>>
>> There are several drawbacks in the current approach, considering the
>> following business use cases.
>>
>>    1. Capability to have an organization-wise default authentication
>>    sequence which should be applicable for all the applications in an
>>    organization.
>>    2. In the default authentication, apart from multiple steps or multiple
>>    options, have a secure and flexible form of authentication where we need
>>    to validate multiple factors to determine the authenticity of a login
>>    attempt, before granting access to a resource.
>>    3. Furthermore, have support for making modifications to the default
>>    authentication sequence in a user-friendly manner, rather than using a
>>    file-based approach.
>>
>> In consideration of the above use cases, the suggested approach is to
>> include the following improvements to the current implementation.
>>
>> *Tenant specific default authentication sequence*
>>
>>    - The local and outbound authentication configuration in the default
>>    file-based SP will be considered the global default authentication
>>    sequence.
>>    - Provide support for tenant-wise default authentication sequences,
>>    rather than only a global sequence, so that the global default
>>    authentication sequence can be modified and used tenant-wise.
>>    - All the service providers will support the new tenant-specific
>>    default authentication chain. If the default authentication type is
>>    selected for an SP, use the tenant-specific default authentication
>>    configuration if it exists, or else use the global authentication
>>    configuration.
>>
> As a further improvement, we may include an option to select an already
> configured adaptive authentication script in an SP as the tenant default
> authentication sequence, so that it will override the existing tenant
> default sequence.
>
> *Adaptive authentication support for default authentication sequence*
>>
>>    - Provide the capability to include adaptive authentication scripts in
>>    the default authentication chain.
>>
>> *Update default authentication sequence from UI*
>>
>>    - Rather than managing the file-based default authentication
>>    configuration, include the capability to make modifications from the
>>    management console.
>>    - Include the capability to update the default authentication
>>    configuration from the resident IDP UI.
>>    - The configurations will initially be loaded into the UI from the
>>    file-based default SP, and after a modification they will be stored as
>>    resident IDP metadata (i.e. the IDP_METADATA table).
>>    - Configuring adaptive authentication scripts from the UI will be more
>>    user-friendly, since we can refer to adaptive authentication templates
>>    as well.
>>
>> Really appreciate your suggestions and comments on this approach.
>>
>> Thanks and Regards
>> --
>> Indunil Upeksha Rathnayake
>> Senior Software Engineer | WSO2 Inc
>> Email    indu...@wso2.com
>> Mobile   0772182255
>>
>
> _______________________________________________
> Architecture mailing list
> Architecture@wso2.org
> https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
>


-- 
Gayan