Hi All,

On Tue, May 9, 2017 at 3:05 PM, Ruwan Abeykoon <[email protected]> wrote:

> Hi All,
> +1 for making it simple.
> What I think is that appending the tenant domain irrespective of what claim is used as
> subject id, when the parameter is set to true, is the correct expectation.
>
> That will be true even if subject id is set as some unrealistic values
> such as gender or age. The realistic subject id should be unique within the
> tenant or user domain.
>
> @Hasanthi
> >> IMO as this is an option which can be decided by the user, if the user
> checked the check boxes we should append tenant domain and userstore domain
> to the subject identifier whether it is user name or not. If the user does
> not wish to append those domains he can use the default configurations. So
> shall we change the existing behavior?
> I guess the "user" means the tenant identity admin. In that case +1.
>

Yes, +1 to appending the user store domain and tenant domain based on the
identity admin's selection. This option is to intentionally append the
domains or not, whichever claim it is. At selection time the doer is
aware of which claim it is getting applied to.

>
>
> Cheers,
> Ruwan
>
> On Tue, May 9, 2017 at 2:48 PM, Hasanthi Purnima Dissanayake <
> [email protected]> wrote:
>
>> Hi Maduranga,
>>
>> When we added this configuration, the expectation was to add the tenant
>>> domain to the subject identifier no matter what is used as the subject
>>> claim or it is a requested claim (it can be username or telephone number,
>>> if this is enabled tenant domain should be appended). If we deviate from
>>> this there can be lots of unexpected inconsistencies.
>>
>>
>> I have analyzed the source in IS 5.3.0 and the behavior is a bit different.
>> We are appending the tenant domain and user domain only when the subject
>> identifier is user name [1]. Otherwise we are not appending them [2]. IMO
>> as this is an option which can be decided by the user, if the user checked
>> the check boxes we should append tenant domain and userstore domain to the
>> subject identifier whether it is user name or not. If the user does not
>> wish to append those domains he can use the default configurations. So
>> shall we change the existing behavior?
>>
>> WDYT?
>>
>> [1] https://github.com/wso2-attic/carbon-identity/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java#L175
>> [2] https://github.com/wso2-attic/carbon-identity/blob/master/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java#L143
>>
>> Thanks,
>>
>> Hasanthi Dissanayake
>>
>> Software Engineer | WSO2
>>
>> E: [email protected]
>> M: 0718407133 | http://wso2.com
>>
>> On Fri, May 5, 2017 at 11:21 PM, Maduranga Siriwardena <
>> [email protected]> wrote:
>>
>>> Hi Hasanthi,
>>>
>>> When we added this configuration, the expectation was to add the tenant
>>> domain to the subject identifier no matter what is used as the subject
>>> claim or it is a requested claim (it can be username or telephone number,
>>> if this is enabled tenant domain should be appended). If we deviate from
>>> this there can be lots of unexpected inconsistencies.
>>>
>>> Thanks,
>>>
>>> Maduranga Siriwardena
>>> Senior Software Engineer
>>> WSO2 Inc; http://wso2.com/
>>>
>>> On May 5, 2017 2:03 PM, "Isura Karunaratne" <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> On Fri, May 5, 2017 at 10:59 AM, Hasanthi Purnima Dissanayake <
>>>> [email protected]> wrote:
>>>>
>>>>> Hi All,
>>>>>
>>>>> There are a few jiras [1],[2],[3],[4] reported related to the above
>>>>> attribute and I thought of discussing the expected behavior of this
>>>>> attribute.
>>>>>
>>>>> AFAIU if the above attribute is checked in both federated and local
>>>>> scenarios:
>>>>> - the tenant domain should be appended to the sub claim even when the
>>>>> username is added as a requested claim or username is set as the subject
>>>>> claim uri.
>>>>>
This is a little bit tricky. If we think of an occasion without a local
association in a federated scenario, does it really make sense to append
our local user store domain or tenant domain to the user name? I think it's
invalid information, as a federated user is not present in our user stores
unless provisioned or associated.

We can argue that if the SP is configured with federated authentication we
shouldn't select the above options. But the concerns around this become
more complex when we consider this together with multi-option
authentication. An SP can allow the user to select authentication from either
local or federated. In such a case we should be able to dynamically decide that we
shouldn't be attaching user store and tenant names to federated user
attributes. WDYT?

>>>>> If the above attribute is unchecked:
>>>>> - The tenant domain should not be appended to the sub claim even when the
>>>>> user name is the subject claim uri or a requested claim.
>>>>>
>>>>
>>>>> [1] https://wso2.org/jira/browse/IDENTITY-5013
>>>>> [2] https://wso2.org/jira/browse/IDENTITY-4931
>>>>> [3] https://wso2.org/jira/browse/IDENTITY-4956
>>>>> [4] https://wso2.org/jira/browse/IDENTITY-4470
>>>>>
>>>>> Please let me know if the behavior of this attribute is something
>>>>> different.
>>>>>
>>>> Yes. That is the behavior of the 'Use tenant domain in local subject
>>>> identifier' attribute.
>>>>
>>>> Thanks
>>>> Isura.
>>>>
>>>>>
>>>>>
>>>>> Thanks,
>>>>>
>>>>> Hasanthi Dissanayake
>>>>>
>>>>> Software Engineer | WSO2
>>>>>
>>>>> E: [email protected]
>>>>> M: 0718407133 | http://wso2.com
>>>>>
>>>>> _______________________________________________
>>>>> Dev mailing list
>>>>> [email protected]
>>>>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>
>>>> *Isura Dilhara Karunaratne*
>>>> Senior Software Engineer | WSO2
>>>> Email: [email protected]
>>>> Mob : +94 772 254 810
>>>> Blog : http://isurad.blogspot.com/
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>
>
>
> --
>
> *Ruwan Abeykoon*
> *Associate Director/Architect,*
> *WSO2, Inc. http://wso2.com*
> *lean.enterprise.middleware.*
>
>


-- 
Pushpalanka Jayawardhana, B.Sc.Eng.(Hons).
Senior Software Engineer, WSO2 Lanka (pvt) Ltd; wso2.com/
Mobile: +94779716248
Blog: pushpalankajaya.blogspot.com/ | LinkedIn:
lk.linkedin.com/in/pushpalanka/ | Twitter: @pushpalanka
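Added example, not code from this thread or from WSO2: a small model of the subject-identifier rule agreed above (append the domains whenever the admin ticked the options, whatever claim is the subject), including the caveat that a federated user without a local association gets no local domains appended. The `DOMAIN/user@tenant` layout, the class and function names, and the sample users are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Optional


@dataclass(frozen=True)
class AuthenticatedUser:
    # Whatever claim the SP picked as subject: username, telephone number, ...
    subject_claim_value: str
    # Local domains; None when a federated user has no local association.
    user_store_domain: Optional[str] = None
    tenant_domain: Optional[str] = None
    federated: bool = False


def build_subject_identifier(user: AuthenticatedUser,
                             use_user_store_domain: bool,
                             use_tenant_domain: bool) -> str:
    """Apply the two 'append domain' options the identity admin selected."""
    subject = user.subject_claim_value
    # Federated user with no local association: the local user store and
    # tenant domains say nothing about this user, so they are never appended.
    if user.federated and (user.user_store_domain is None or user.tenant_domain is None):
        return subject
    # Otherwise the options apply no matter which claim is the subject
    # (assumed layout: DOMAIN/subject@tenant).
    if use_user_store_domain and user.user_store_domain:
        subject = f"{user.user_store_domain}/{subject}"
    if use_tenant_domain and user.tenant_domain:
        subject = f"{subject}@{user.tenant_domain}"
    return subject


def subjects_collide(users: Iterable[AuthenticatedUser],
                     use_user_store_domain: bool,
                     use_tenant_domain: bool) -> bool:
    """True if two distinct users end up with the same subject identifier."""
    seen: Dict[str, AuthenticatedUser] = {}
    for user in users:
        sid = build_subject_identifier(user, use_user_store_domain, use_tenant_domain)
        if sid in seen and seen[sid] != user:
            return True
        seen[sid] = user
    return False


# Constructed sample: the same telephone number chosen as subject claim by
# users in two different tenants, plus a federated user without association.
SAMPLE_USERS = [
    AuthenticatedUser("+94700000000", "PRIMARY", "carbon.super"),
    AuthenticatedUser("+94700000000", "PRIMARY", "abc.com"),
    AuthenticatedUser("+94700000000", federated=True),
]
```

`subjects_collide` shows why the tenant suffix matters when a non-unique claim such as a phone number is the subject: the two tenant users collide with the option off and are distinct with it on.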