Hi,


On Mon, Feb 20, 2017 at 2:20 PM, Johann Nallathamby <joh...@wso2.com> wrote:

> Hi Ayesha,
>
> On Mon, Feb 20, 2017 at 11:49 AM, Ayesha Dissanayaka <aye...@wso2.com>
> wrote:
>
>> Hi,
>>
>> In Identity Management we have the concept of unique claims which can
>> only have a unique value within a domain.
>> With the value of a unique claim we can identify a unique user within a
>> domain. While implementing identity management capabilities in IS-6.0 User
>> portal we came across below concerns.
>>
>>    - System can have one or more unique claims.
>>
> Can't it be zero? We have a globally unique UUID. Must we always have a
> unique claim also within a domain? Can't we say a combination of claims
> makes the user unique? If there isn't anything like that in the system then
> the user can't perform recovery. Is that acceptable? I don't think there is
> any practical system in which we can't find a combination of claims that
> identifies the user uniquely in the domain.
>

If it is zero, we have to use the unique UUID as the unique identifier for all
the operations such as authentication and recovery. It is not practical to
remember a unique UUID, so an external application should have the mapping
between the unique UUID and the username. Do we support the zero-unique-claim
scenario?

If we don't define a unique claim, how do we identify the correct DomainUser
object for authentication? The following is the existing API for
authentication, and if there is no unique claim we need to create a new API
with a unique user id.



  AuthenticationContext authenticate(Claim claim, Callback[] credentials, String domainName)
          throws AuthenticationFailure, IdentityStoreException;

>>    - All the unique claims don't have to be required claims.
>>
> Yes.
>
>>    - At least one unique claim has to be a required claim.
>>
> If we go with my previous explanation, if one claim isn't enough to
> identify the user uniquely then there can be more claims that are required.
>
>> For authentication and recovery scenarios we need to have a unique
>> identifier for users. Currently we use "username" claim. I assume we need
>> to provide the flexibility to change this identifier claim.
>>
>>    1. Do we allow client applications to choose this identifier claim
>>    from unique claims?
>>       - Then the IS will have to accept any of the unique claims as the
>>       user identifier in authentication and validate against it.
>>
> No need to let client applications choose this. We are talking about
> account recovery of an account centrally and solely managed by IS, and it
> is the sole responsibility of IS to allow its users to recover their
> accounts securely and efficiently. Applications don't need to specify
> criteria for this process and change security requirements for the process.
>
+1


>
>>    2. Otherwise should we keep it as a system wide configuration?
>>
> Yes, it's a system (tenant) configuration.
>
>>    3. For the User Portal, we use 'username' claim as the user
>>    identifier. I have noticed we have hard-coded this claim
>>    'http://wso2.org/claims/username'.
>>       1. I think we need to get this value from a configuration.
>>       2. Is it OK to keep this as a configuration within the User Portal?
>>       3. Otherwise where should we keep this?
>>       4. Will this identifier be username, for User portal always?
>>       Otherwise we need to have the flexibility of changing UI labels
>>       according to the identifier without much effort.
>>
> Can't this be handled by the attribute profile feature? Again the answer
> depends on the answer for my previous question, about having a set of
> claims that uniquely identify a user in a domain.
>
>>
>>    4. Should we support authentication and recovery by multiple
>>    identifiers (ex: username or email or NIC, each representing an
>>    individual unique claim)?
>>
> Password based authentication - yes. Since we take in a password that has
> very low probability of being the same as another user's within the domain
> for the same claim identifier, we can actually allow authentication with
> any claim - doesn't necessarily have to be unique.
>
> However for recovery we must identify the user uniquely and for that we
> need to have a set of claims that identify the user uniquely within a
> domain. Again can we use the attribute profile concept here?
>
> Regards,
> Johann.
>
>> Appreciate your input on this.
>>
>> Thanks!
>> -Ayesha
>>
>> --
>> *Ayesha Dissanayaka*
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: aye...@wso2.com <ayshsa...@gmail.com>
>>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+94777776950*
> Blog - *http://nallaa.wordpress.com <http://nallaa.wordpress.com>*
>
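Added example, not WSO2 IS code and not part of this thread: a minimal in-memory domain store that sketches the design being debated. Unique claims are a tenant-level configuration enforced at write time, password authentication may key on any claim (the password disambiguates, and the store refuses if more than one candidate verifies), and recovery only resolves through a configured unique claim that maps to exactly one user. Class and method names, and the SHA-256 stand-in for the credential store's hashing, are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.*;
import java.util.stream.Collectors;

// Added illustration, not WSO2 IS code: one domain whose users carry claims.
public class ClaimIdentityDemo {
    static final class User {
        final String uuid; final Map<String, String> claims; final byte[] pwHash;
        User(String uuid, Map<String, String> claims, String password) {
            this.uuid = uuid; this.claims = claims; this.pwHash = sha256(password);
        }
    }
    static byte[] sha256(String s) {   // stand-in for the credential store's hashing (use a slow KDF in practice)
        try { return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8)); }
        catch (Exception e) { throw new IllegalStateException(e); }
    }

    private final List<User> users = new ArrayList<>();
    private final Set<String> uniqueClaims;   // tenant-wide config, not chosen by client applications
    ClaimIdentityDemo(Set<String> uniqueClaims) { this.uniqueClaims = uniqueClaims; }

    void addUser(User u) {   // enforce "unique within the domain" at write time
        for (String uri : uniqueClaims) {
            String v = u.claims.get(uri);
            if (v != null && !findByClaim(uri, v).isEmpty())
                throw new IllegalArgumentException("duplicate value for unique claim " + uri);
        }
        users.add(u);
    }
    List<User> findByClaim(String uri, String value) {
        return users.stream().filter(u -> value.equals(u.claims.get(uri))).collect(Collectors.toList());
    }

    // Password auth may key on any claim, unique or not: the password disambiguates.
    // Fail closed if more than one candidate verifies instead of picking the first.
    Optional<String> authenticate(String claimUri, String value, String password) {
        byte[] h = sha256(password);
        List<String> ok = new ArrayList<>();
        for (User u : findByClaim(claimUri, value))
            if (MessageDigest.isEqual(u.pwHash, h)) ok.add(u.uuid);
        return ok.size() == 1 ? Optional.of(ok.get(0)) : Optional.empty();
    }

    // Recovery has no password: the identifier must be a configured unique claim
    // and must resolve to exactly one DomainUser; otherwise refuse.
    Optional<String> resolveForRecovery(String claimUri, String value) {
        if (!uniqueClaims.contains(claimUri)) return Optional.empty();
        List<User> hits = findByClaim(claimUri, value);
        return hits.size() == 1 ? Optional.of(hits.get(0).uuid) : Optional.empty();
    }
}
```

Constructing the store with Set.of("http://wso2.org/claims/username") and two users that share a givenname value lets authenticate() succeed by givenname plus password, while resolveForRecovery() by givenname returns empty and only the username claim resolves a user for recovery.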
_______________________________________________
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
