On Mon, Aug 8, 2016 at 5:43 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
> Hi Rushmin,
>
> On Mon, Aug 8, 2016 at 5:26 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>
>> Hi Ishara,
>>
>> We are currently using the following two admin services to create service
>> providers.
>>
>> IdentitySAMLSSOConfigService
>> IdentityApplicationManagementService
>>
> admin/manage
>
> permission should be there for both services
>
> hmm .. admin/manage is admin rights ? This means we need to assign admin
> rights to publisher. :( . Is there any possibility of adding fine-grained
> permission for these two services as well, similar to XACML services ?
> Regards, Dinusha.
>
>> If we are to follow the above SAML authenticator method for this as well,
>> what permissions should a role have ?
>>
>> Regards
>> Rushmin
>>
>> On Mon, Aug 8, 2016 at 5:18 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>
>>> Hi Ishara,
>>> Thanks a lot for the info..
>>>
>>> On Mon, Aug 8, 2016 at 4:04 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>
>>>> Hi Dinusha,
>>>>
>>>> In this case I think publisher user should be able to create those SP,
>>>> XACML policies etc.
>>>> Since publisher user is within the publisher role you can assign
>>>> necessary permission to that role.
>>>> Once user logs in (SSO) to publisher with his credential he can get a
>>>> cookie for that
>>>> and he can use that cookie to authenticate to the admin services.
>>>>
>>>> @Rushmin,
>>>> We don't have an authenticator for OAuth token. Better to get an ID token
>>>> using OIDC or after validating OAuth token
>>>> and create a carbon authenticator like saml carbon authenticator.
>>>>
>>>> Thanks,
>>>> Ishara
>>>>
>>>> On Mon, Aug 8, 2016 at 3:47 PM, Rushmin Fernando <rush...@wso2.com> wrote:
>>>>
>>>>> In addition to creating these entries from the UI, we need to create
>>>>> the same using our ReST API as well. And the API is OAuth protected.
>>>>>
>>>>> Is there an authenticator which gives back a cookie for an OAuth token
>>>>> as well ?
>>>>>
>>>>> On Mon, Aug 8, 2016 at 3:29 PM, Ishara Karunarathna <isha...@wso2.com> wrote:
>>>>>
>>>>>> Hi Lahiru.
>>>>>>
>>>>>> It's not the admin user. User trying to do this operation should have
>>>>>> enough permission to do this.
>>>>>>
>>>>>> Use
>>>>>>
>>>>>> *entitlement/policy/view*
>>>>>>
>>>>>> Add this permission to the user who is trying to view those policies.
>>>>>>
>>>>>> BR,
>>>>>>
>>>>>> Ishara
>>>>>>
>>>>>> On Mon, Aug 8, 2016 at 3:20 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>>
>>>>>>> + [DEV]
>>>>>>>
>>>>>>> On Mon, Aug 8, 2016 at 3:19 PM, Lahiru Cooray <lahi...@wso2.com> wrote:
>>>>>>>
>>>>>>>> Hi all,
>>>>>>>>
>>>>>>>> *Current behaviour:*
>>>>>>>> Currently in AppM, when we are creating XACML policies/Service
>>>>>>>> Providers via IS admin services, we are providing the super tenant
>>>>>>>> admin credentials (where the credentials are stored in a config) to
>>>>>>>> get authenticated. Further, XACML policies/Service providers are only
>>>>>>>> created in super tenant and marked as a SAAS app to be used in tenants.
>>>>>>>>
>>>>>>>> *Problem:*
>>>>>>>> As we are moving for AppM - Cloud integration, we are trying to
>>>>>>>> deploy these in relevant tenant spaces. So as a solution we have tried
>>>>>>>> to use *SAML2SSOAuthenticator*[1] (retrieving a cookie passing the
>>>>>>>> SAML response and use the same in subsequent service calls) but figured
>>>>>>>> that this is not applicable for non admin users.
>>>>>>>> (*eg:* In AppM user story, non admin users should be allowed to
>>>>>>>> create apps with XACML policies)
>>>>>>>>
>>>>>>>> Any suggestions for this would be highly appreciated!
>>>>>>>>
>>>>>>>> [1] https://github.com/wso2/carbon-identity/blob/8cd996c1dc6d9e7c0df491322af6e9ddf1cf3709/components/carbon-authenticators/saml2-sso-authenticator/org.wso2.carbon.identity.authenticator.saml2.sso/src/main/java/org/wso2/carbon/identity/authenticator/saml2/sso/SAML2SSOAuthenticator.java
>>>>>>>>
>>>>>>>> --
>>>>>>>> *Lahiru Cooray*
>>>>>>>> Software Engineer
>>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>>> lean.enterprise.middleware
>>>>>>>>
>>>>>>>> Mobile: +94 715 654154
>>>>>>>
>>>>>>> --
>>>>>>> *Lahiru Cooray*
>>>>>>> Software Engineer
>>>>>>> WSO2, Inc.; http://wso2.com/
>>>>>>> lean.enterprise.middleware
>>>>>>>
>>>>>>> Mobile: +94 715 654154
>>>>>>
>>>>>> --
>>>>>> Ishara Karunarathna
>>>>>> Associate Technical Lead
>>>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>>>
>>>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile:
>>>>>> +94717996791
>>>>>
>>>>> --
>>>>> *Best Regards*
>>>>>
>>>>> *Rushmin Fernando*
>>>>> *Technical Lead*
>>>>>
>>>>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>>>>
>>>>> mobile : +94772891266
>>>>
>>>> --
>>>> Ishara Karunarathna
>>>> Associate Technical Lead
>>>> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>>>>
>>>> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile:
>>>> +94717996791
>>>
>>> --
>>> *Lahiru Cooray*
>>> Software Engineer
>>> WSO2, Inc.; http://wso2.com/
>>> lean.enterprise.middleware
>>>
>>> Mobile: +94 715 654154
>>
>> --
>> *Best Regards*
>>
>> *Rushmin Fernando*
>> *Technical Lead*
>>
>> WSO2 Inc. <http://wso2.com/> - Lean . Enterprise . Middleware
>>
>> mobile : +94772891266
>
> --
> Ishara Karunarathna
> Associate Technical Lead
> WSO2 Inc. - lean . enterprise . middleware | wso2.com
>
> email: isha...@wso2.com, blog: isharaaruna.blogspot.com, mobile:
> +94717996791

--
Dinusha Dilrukshi
Associate Technical Lead
WSO2 Inc.: http://wso2.com/
Mobile: +94725255071
Blog: http://dinushasblog.blogspot.com/
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev