subject:"\[Dev\] \[IS\-6\] Need clarifications on Unique claim\(s\) as user identifier in Identity Server"

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

2017-02-22 Thread Johann Nallathamby

On Wed, Feb 22, 2017 at 2:13 AM, Thanuja Jayasinghe 
wrote:

> Hi Johann,
>
> On Tue, Feb 21, 2017 at 12:58 AM, Johann Nallathamby 
> wrote:
>
>> Hi Isura,
>>
>> On Mon, Feb 20, 2017 at 5:23 PM, Isura Karunaratne 
>> wrote:
>>
>>> Hi,
>>>
>>>
>>>
>>> On Mon, Feb 20, 2017 at 2:20 PM, Johann Nallathamby 
>>> wrote:
>>>
 Hi Ayesha,

 On Mon, Feb 20, 2017 at 11:49 AM, Ayesha Dissanayaka 
 wrote:

> Hi,
>
> In Identity Management we have the concept of unique claims which can
> only have a unique value within a domain.
> With the value of a unique claim we can identify a unique user within
> a domain. While implementing identity management capabilities in IS-6.0
> User portal we came across below concerns.
>
>- System can have one or more unique claims.
>
> Can't it be zero? W have a globally unique UUID. Must we always have a
 unique claim also within a domain? Can't we say a combination of claims
 make the user unique? If there isn't anything like that in the system then
 the user can't perform recovery. Is that a acceptable? I don't think in amy
 practical system we can't find a combination of claims that identify the
 user uniquely in the domain.

>>>
>>> If it is zero, we have to use unique UUID as the unique idefier for all
>>> the opeartions such as authentication, recovery. It is not practical to
>>> remember unique UUID, so an external applicatoin should have the mapping
>>> between unique UUID and username. Do we support zero unique claim scenario?
>>>
>>
>> What I meant by zero unique claims is, there is not one single unique
>> claim in the system. But there is a set of claims whose combination of
>> values will uniquely identify the user. This needs to be defined using
>> attribute profile.
>>
>
> Yes. For recovery scenarios, we can identify a user using a combination of
> non-unique claims. So having at least one unique claim is not a requirement
> for identity management features.
>
> Having at least one unique claim comes with authentication feature.
> Otherwise, there may be cases which we have to depend on the password to
> differentiate users. So we have atleast one unique claim by defult?
>

Even now in C4 we have customers who have duplicate usernames across their
user stores (across domains). Any reason why we need to change this design
and mandate one unique claim per user domain always?

And also 90% of the time users in enterprise login with a domain qualified
name. Some customers have customized the login page to take in the domain
as a separate input and username as separate input. Domain is not optional
for them. So under those circumstances I don't think introducing a new
constraint saying there MUST be at least one claim that uniquely identifies
the user across domains is necessary. We are limiting ourselves too much I
think.

May be others can weigh in.


>
>>
>>
>>>
>>> If we don't define a unique claim, how to identify the correct
>>> DomainUser object for authentication. Fllowing is the existing API for
>>> authentication and if there is no unique claim, we need to create a new API
>>> with unique userid.
>>>
>>>
>>>
>>>   AuthenticationContext authenticate(Claim claim, Callback[]
>>> credentials, String domainName)
>>>
>>> throws AuthenticationFailure, IdentityStoreException;
>>>
>>>
>>>
>>>
>>>
>- All the unique claims doesn't have to be required claims.
>
> Yes.

>
>-
>- At least one unique claim has to be required claim.
>
> If we go with my previous explanation, if one claim isn't enough to
 identify the user uniquely then there can be more claims that are required.

>
>-
>
> For authentication and recovery scenarios we need to have a unique
> identifier for users. Currently we use "username" claim. I assume we need
> to provide the flexibility to change this identifier claim.
>
>1. Do we allow client applications to choose this identifier claim
>from unique claims?
>   - Then the IS will have to accept any of the unique claims as
>   the user identifier in authentication and validate against it.
>
> No need to let client applications choose this. We are talking about
 account recovery of an account centrally and solely managed by IS, and it
 is the sole responsibility of IS to allow its to recover their accounts
 securely and efficiently. Applications don't need to specify criteria for
 this process and change security requirements for the process.

>>> +1
>>>
>>>

>-
>1. Otherwise should we keep it as a system wide configuration?
>
> Yes, it's a system (tenant) configuration.

>
>1. For the User Portal, we use 'username' claim as the user
>identifier. I have noticed we have hard-coded this

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

2017-02-22 Thread Thanuja Jayasinghe

Hi Johann,

On Tue, Feb 21, 2017 at 12:58 AM, Johann Nallathamby 
wrote:

> Hi Isura,
>
> On Mon, Feb 20, 2017 at 5:23 PM, Isura Karunaratne  wrote:
>
>> Hi,
>>
>>
>>
>> On Mon, Feb 20, 2017 at 2:20 PM, Johann Nallathamby 
>> wrote:
>>
>>> Hi Ayesha,
>>>
>>> On Mon, Feb 20, 2017 at 11:49 AM, Ayesha Dissanayaka 
>>> wrote:
>>>
 Hi,

 In Identity Management we have the concept of unique claims which can
 only have a unique value within a domain.
 With the value of a unique claim we can identify a unique user within a
 domain. While implementing identity management capabilities in IS-6.0 User
 portal we came across below concerns.

- System can have one or more unique claims.

 Can't it be zero? W have a globally unique UUID. Must we always have a
>>> unique claim also within a domain? Can't we say a combination of claims
>>> make the user unique? If there isn't anything like that in the system then
>>> the user can't perform recovery. Is that a acceptable? I don't think in amy
>>> practical system we can't find a combination of claims that identify the
>>> user uniquely in the domain.
>>>
>>
>> If it is zero, we have to use unique UUID as the unique idefier for all
>> the opeartions such as authentication, recovery. It is not practical to
>> remember unique UUID, so an external applicatoin should have the mapping
>> between unique UUID and username. Do we support zero unique claim scenario?
>>
>
> What I meant by zero unique claims is, there is not one single unique
> claim in the system. But there is a set of claims whose combination of
> values will uniquely identify the user. This needs to be defined using
> attribute profile.
>

Yes. For recovery scenarios, we can identify a user using a combination of
non-unique claims. So having at least one unique claim is not a requirement
for identity management features.

Having at least one unique claim comes with authentication feature.
Otherwise, there may be cases which we have to depend on the password to
differentiate users. So we have atleast one unique claim by defult?

>
>
>>
>> If we don't define a unique claim, how to identify the correct DomainUser
>> object for authentication. Fllowing is the existing API for authentication
>> and if there is no unique claim, we need to create a new API with unique
>> userid.
>>
>>
>>
>>   AuthenticationContext authenticate(Claim claim, Callback[]
>> credentials, String domainName)
>>
>> throws AuthenticationFailure, IdentityStoreException;
>>
>>
>>
>>
>>
- All the unique claims doesn't have to be required claims.

 Yes.
>>>

-
- At least one unique claim has to be required claim.

 If we go with my previous explanation, if one claim isn't enough to
>>> identify the user uniquely then there can be more claims that are required.
>>>

-

 For authentication and recovery scenarios we need to have a unique
 identifier for users. Currently we use "username" claim. I assume we need
 to provide the flexibility to change this identifier claim.

1. Do we allow client applications to choose this identifier claim
from unique claims?
   - Then the IS will have to accept any of the unique claims as
   the user identifier in authentication and validate against it.

 No need to let client applications choose this. We are talking about
>>> account recovery of an account centrally and solely managed by IS, and it
>>> is the sole responsibility of IS to allow its to recover their accounts
>>> securely and efficiently. Applications don't need to specify criteria for
>>> this process and change security requirements for the process.
>>>
>> +1
>>
>>
>>>
-
1. Otherwise should we keep it as a system wide configuration?

 Yes, it's a system (tenant) configuration.
>>>

1. For the User Portal, we use 'username' claim as the user
identifier. I have noticed we have hard-coded this claim 
 '*http://wso2.org/claims/username
*'.
1. I think we need to get this value from a configuration.
   2. Is it OK to keep this as a configuration within the User
   Portal.
   3. Otherwise where should we keep this?
   4. Will this identifier be username, for User portal always?
   Otherwise we need to have the flexibility of changing UI labels 
 according
   to the identifier without much effort.

 Can't this be handled by attribute profile feature? Again the answer
>>> depends on the answer for my previous question, about having a set of
>>> claims that uniquely identify a user in a domain.
>>>

1. Should we support authentication and recovery by multiple
identifiers ( ex: username or email or NIC, each representing an 
 individual
unique

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

2017-02-20 Thread Johann Nallathamby

Hi Isura,

On Mon, Feb 20, 2017 at 5:23 PM, Isura Karunaratne  wrote:

> Hi,
>
>
>
> On Mon, Feb 20, 2017 at 2:20 PM, Johann Nallathamby 
> wrote:
>
>> Hi Ayesha,
>>
>> On Mon, Feb 20, 2017 at 11:49 AM, Ayesha Dissanayaka 
>> wrote:
>>
>>> Hi,
>>>
>>> In Identity Management we have the concept of unique claims which can
>>> only have a unique value within a domain.
>>> With the value of a unique claim we can identify a unique user within a
>>> domain. While implementing identity management capabilities in IS-6.0 User
>>> portal we came across below concerns.
>>>
>>>- System can have one or more unique claims.
>>>
>>> Can't it be zero? W have a globally unique UUID. Must we always have a
>> unique claim also within a domain? Can't we say a combination of claims
>> make the user unique? If there isn't anything like that in the system then
>> the user can't perform recovery. Is that a acceptable? I don't think in amy
>> practical system we can't find a combination of claims that identify the
>> user uniquely in the domain.
>>
>
> If it is zero, we have to use unique UUID as the unique idefier for all
> the opeartions such as authentication, recovery. It is not practical to
> remember unique UUID, so an external applicatoin should have the mapping
> between unique UUID and username. Do we support zero unique claim scenario?
>

What I meant by zero unique claims is, there is not one single unique claim
in the system. But there is a set of claims whose combination of values
will uniquely identify the user. This needs to be defined using attribute
profile.


>
> If we don't define a unique claim, how to identify the correct DomainUser
> object for authentication. Fllowing is the existing API for authentication
> and if there is no unique claim, we need to create a new API with unique
> userid.
>
>
>
>   AuthenticationContext authenticate(Claim claim, Callback[] credentials,
> String domainName)
>
> throws AuthenticationFailure, IdentityStoreException;
>
>
>
>
>
>>>- All the unique claims doesn't have to be required claims.
>>>
>>> Yes.
>>
>>>
>>>-
>>>- At least one unique claim has to be required claim.
>>>
>>> If we go with my previous explanation, if one claim isn't enough to
>> identify the user uniquely then there can be more claims that are required.
>>
>>>
>>>-
>>>
>>> For authentication and recovery scenarios we need to have a unique
>>> identifier for users. Currently we use "username" claim. I assume we need
>>> to provide the flexibility to change this identifier claim.
>>>
>>>1. Do we allow client applications to choose this identifier claim
>>>from unique claims?
>>>   - Then the IS will have to accept any of the unique claims as the
>>>   user identifier in authentication and validate against it.
>>>
>>> No need to let client applications choose this. We are talking about
>> account recovery of an account centrally and solely managed by IS, and it
>> is the sole responsibility of IS to allow its to recover their accounts
>> securely and efficiently. Applications don't need to specify criteria for
>> this process and change security requirements for the process.
>>
> +1
>
>
>>
>>>-
>>>1. Otherwise should we keep it as a system wide configuration?
>>>
>>> Yes, it's a system (tenant) configuration.
>>
>>>
>>>1. For the User Portal, we use 'username' claim as the user
>>>identifier. I have noticed we have hard-coded this claim 
>>> '*http://wso2.org/claims/username
>>>*'.
>>>1. I think we need to get this value from a configuration.
>>>   2. Is it OK to keep this as a configuration within the User
>>>   Portal.
>>>   3. Otherwise where should we keep this?
>>>   4. Will this identifier be username, for User portal always?
>>>   Otherwise we need to have the flexibility of changing UI labels 
>>> according
>>>   to the identifier without much effort.
>>>
>>> Can't this be handled by attribute profile feature? Again the answer
>> depends on the answer for my previous question, about having a set of
>> claims that uniquely identify a user in a domain.
>>
>>>
>>>1. Should we support authentication and recovery by multiple
>>>identifiers ( ex: username or email or NIC, each representing an 
>>> individual
>>>unique claim)
>>>
>>> Password based authentication - yes. Since we take in a password that
>> has very low probability of being the same of another user within the
>> domain for the same claim identifier, we can actually allow authentication
>> with any claim - doesn't necessarily have to be unique.
>>
>> However for recovery we must identify user uniquely and for that we need
>> to have a set of claims that identify the user uniquely within a domain.
>> Again can we use the attribute profile concept here?
>>
>> Regards,
>> Johann.
>>
>>> Appreciate your input on this.
>>>
>>> Thanks!
>>> -Ayesha
>>>
>>> --
>>> *Ayesha

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

2017-02-20 Thread Johann Nallathamby

On Mon, Feb 20, 2017 at 4:36 PM, Ayesha Dissanayaka  wrote:

> Hi Johann,
>
> Thanks for the clarification.
>
> On Mon, Feb 20, 2017 at 2:20 PM, Johann Nallathamby 
> wrote:
>
>> Password based authentication - yes. Since we take in a password that has
>> very low probability of being the same of another user within the domain
>> for the same claim identifier, we can actually allow authentication with
>> any claim - doesn't necessarily have to be unique.
>>
> So, we can choose some claim as the identifier for password based
> authentication at a time as a configuration in the User Portal.
>

+1


>
>
>> However for recovery we must identify user uniquely and for that we need
>> to have a set of claims that identify the user uniquely within a domain.
>> Again can we use the attribute profile concept here?
>>
>
> Agreed that we use attribute profile based approach for username recovery.
> For password recovery do we need to follow that approach. Shouldn't this
> align with whatever the claim users use to authenticate to the system in
> password based authentication?
> for example, a system may choose to use email claim as login identifier.
> Then shouldn't we ask for the same identifier at password recovery of that
> system?
>
In that case if we use a claim which is not unique, it will be hard to
> identify the user for password recovery.
>

So seems there are two options.

1. Use single unique identifier for authentication and password recovery -
if not can't do password recovery
2. Use a profile - similar to username recovery. However authentication and
recovery may be using different claims.

For me option 2 looks good if possible. If the claims required is one then
it actually converges to option 1.

Regards,
Johann.


>
> Thanks!
> -Ayesha
> --
> *Ayesha Dissanayaka*
> Software Engineer,
> WSO2, Inc : http://wso2.com
> 
> 20, Palmgrove Avenue, Colombo 3
> E-Mail: aye...@wso2.com 
>



-- 
Thanks & Regards,

*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+9476950*
Blog - *http://nallaa.wordpress.com *
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

2017-02-20 Thread Isura Karunaratne

Hi,



On Mon, Feb 20, 2017 at 2:20 PM, Johann Nallathamby  wrote:

> Hi Ayesha,
>
> On Mon, Feb 20, 2017 at 11:49 AM, Ayesha Dissanayaka 
> wrote:
>
>> Hi,
>>
>> In Identity Management we have the concept of unique claims which can
>> only have a unique value within a domain.
>> With the value of a unique claim we can identify a unique user within a
>> domain. While implementing identity management capabilities in IS-6.0 User
>> portal we came across below concerns.
>>
>>- System can have one or more unique claims.
>>
>> Can't it be zero? W have a globally unique UUID. Must we always have a
> unique claim also within a domain? Can't we say a combination of claims
> make the user unique? If there isn't anything like that in the system then
> the user can't perform recovery. Is that a acceptable? I don't think in amy
> practical system we can't find a combination of claims that identify the
> user uniquely in the domain.
>

If it is zero, we have to use unique UUID as the unique idefier for all the
opeartions such as authentication, recovery. It is not practical to
remember unique UUID, so an external applicatoin should have the mapping
between unique UUID and username. Do we support zero unique claim scenario?

If we don't define a unique claim, how to identify the correct DomainUser
object for authentication. Fllowing is the existing API for authentication
and if there is no unique claim, we need to create a new API with unique
userid.



  AuthenticationContext authenticate(Claim claim, Callback[] credentials,
String domainName)

throws AuthenticationFailure, IdentityStoreException;





>>- All the unique claims doesn't have to be required claims.
>>
>> Yes.
>
>>
>>-
>>- At least one unique claim has to be required claim.
>>
>> If we go with my previous explanation, if one claim isn't enough to
> identify the user uniquely then there can be more claims that are required.
>
>>
>>-
>>
>> For authentication and recovery scenarios we need to have a unique
>> identifier for users. Currently we use "username" claim. I assume we need
>> to provide the flexibility to change this identifier claim.
>>
>>1. Do we allow client applications to choose this identifier claim
>>from unique claims?
>>   - Then the IS will have to accept any of the unique claims as the
>>   user identifier in authentication and validate against it.
>>
>> No need to let client applications choose this. We are talking about
> account recovery of an account centrally and solely managed by IS, and it
> is the sole responsibility of IS to allow its to recover their accounts
> securely and efficiently. Applications don't need to specify criteria for
> this process and change security requirements for the process.
>
+1


>
>>-
>>1. Otherwise should we keep it as a system wide configuration?
>>
>> Yes, it's a system (tenant) configuration.
>
>>
>>1. For the User Portal, we use 'username' claim as the user
>>identifier. I have noticed we have hard-coded this claim 
>> '*http://wso2.org/claims/username
>>*'.
>>1. I think we need to get this value from a configuration.
>>   2. Is it OK to keep this as a configuration within the User Portal.
>>   3. Otherwise where should we keep this?
>>   4. Will this identifier be username, for User portal always?
>>   Otherwise we need to have the flexibility of changing UI labels 
>> according
>>   to the identifier without much effort.
>>
>> Can't this be handled by attribute profile feature? Again the answer
> depends on the answer for my previous question, about having a set of
> claims that uniquely identify a user in a domain.
>
>>
>>1. Should we support authentication and recovery by multiple
>>identifiers ( ex: username or email or NIC, each representing an 
>> individual
>>unique claim)
>>
>> Password based authentication - yes. Since we take in a password that has
> very low probability of being the same of another user within the domain
> for the same claim identifier, we can actually allow authentication with
> any claim - doesn't necessarily have to be unique.
>
> However for recovery we must identify user uniquely and for that we need
> to have a set of claims that identify the user uniquely within a domain.
> Again can we use the attribute profile concept here?
>
> Regards,
> Johann.
>
>> Appreciate your input on this.
>>
>> Thanks!
>> -Ayesha
>>
>> --
>> *Ayesha Dissanayaka*
>> Software Engineer,
>> WSO2, Inc : http://wso2.com
>> 
>> 20, Palmgrove Avenue, Colombo 3
>> E-Mail: aye...@wso2.com 
>>
>
>
>
> --
> Thanks & Regards,
>
> *Johann Dilantha Nallathamby*
> Technical Lead & Product Lead of WSO2 Identity Server
> Governance Technologies Team
> WSO2, Inc.
> lean.enterprise.middleware
>
> Mobile - *+9476950*
> Blog -

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

2017-02-20 Thread Ayesha Dissanayaka

Hi Johann,

Thanks for the clarification.

On Mon, Feb 20, 2017 at 2:20 PM, Johann Nallathamby  wrote:

> Password based authentication - yes. Since we take in a password that has
> very low probability of being the same of another user within the domain
> for the same claim identifier, we can actually allow authentication with
> any claim - doesn't necessarily have to be unique.
>
So, we can choose some claim as the identifier for password based
authentication at a time as a configuration in the User Portal.

> However for recovery we must identify user uniquely and for that we need
> to have a set of claims that identify the user uniquely within a domain.
> Again can we use the attribute profile concept here?
>

Agreed that we use attribute profile based approach for username recovery.
For password recovery do we need to follow that approach. Shouldn't this
align with whatever the claim users use to authenticate to the system in
password based authentication?
for example, a system may choose to use email claim as login identifier.
Then shouldn't we ask for the same identifier at password recovery of that
system?
In that case if we use a claim which is not unique, it will be hard to
identify the user for password recovery.

Thanks!
-Ayesha
-- 
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com

20, Palmgrove Avenue, Colombo 3
E-Mail: aye...@wso2.com 
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

2017-02-20 Thread Johann Nallathamby

Hi Ayesha,

On Mon, Feb 20, 2017 at 11:49 AM, Ayesha Dissanayaka 
wrote:

> Hi,
>
> In Identity Management we have the concept of unique claims which can only
> have a unique value within a domain.
> With the value of a unique claim we can identify a unique user within a
> domain. While implementing identity management capabilities in IS-6.0 User
> portal we came across below concerns.
>
>- System can have one or more unique claims.
>
> Can't it be zero? W have a globally unique UUID. Must we always have a
unique claim also within a domain? Can't we say a combination of claims
make the user unique? If there isn't anything like that in the system then
the user can't perform recovery. Is that a acceptable? I don't think in amy
practical system we can't find a combination of claims that identify the
user uniquely in the domain.

>
>- All the unique claims doesn't have to be required claims.
>
> Yes.

>
>-
>- At least one unique claim has to be required claim.
>
> If we go with my previous explanation, if one claim isn't enough to
identify the user uniquely then there can be more claims that are required.

>
>-
>
> For authentication and recovery scenarios we need to have a unique
> identifier for users. Currently we use "username" claim. I assume we need
> to provide the flexibility to change this identifier claim.
>
>1. Do we allow client applications to choose this identifier claim
>from unique claims?
>   - Then the IS will have to accept any of the unique claims as the
>   user identifier in authentication and validate against it.
>
> No need to let client applications choose this. We are talking about
account recovery of an account centrally and solely managed by IS, and it
is the sole responsibility of IS to allow its to recover their accounts
securely and efficiently. Applications don't need to specify criteria for
this process and change security requirements for the process.

>
>-
>1. Otherwise should we keep it as a system wide configuration?
>
> Yes, it's a system (tenant) configuration.

>
>1. For the User Portal, we use 'username' claim as the user
>identifier. I have noticed we have hard-coded this claim 
> '*http://wso2.org/claims/username
>*'.
>1. I think we need to get this value from a configuration.
>   2. Is it OK to keep this as a configuration within the User Portal.
>   3. Otherwise where should we keep this?
>   4. Will this identifier be username, for User portal always?
>   Otherwise we need to have the flexibility of changing UI labels 
> according
>   to the identifier without much effort.
>
> Can't this be handled by attribute profile feature? Again the answer
depends on the answer for my previous question, about having a set of
claims that uniquely identify a user in a domain.

>
>1. Should we support authentication and recovery by multiple
>identifiers ( ex: username or email or NIC, each representing an individual
>unique claim)
>
> Password based authentication - yes. Since we take in a password that has
very low probability of being the same of another user within the domain
for the same claim identifier, we can actually allow authentication with
any claim - doesn't necessarily have to be unique.

However for recovery we must identify user uniquely and for that we need to
have a set of claims that identify the user uniquely within a domain. Again
can we use the attribute profile concept here?

Regards,
Johann.

> Appreciate your input on this.
>
> Thanks!
> -Ayesha
>
> --
> *Ayesha Dissanayaka*
> Software Engineer,
> WSO2, Inc : http://wso2.com
> 
> 20, Palmgrove Avenue, Colombo 3
> E-Mail: aye...@wso2.com 
>



-- 
Thanks & Regards,

*Johann Dilantha Nallathamby*
Technical Lead & Product Lead of WSO2 Identity Server
Governance Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - *+9476950*
Blog - *http://nallaa.wordpress.com *
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

[Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

2017-02-19 Thread Ayesha Dissanayaka

Hi,

In Identity Management we have the concept of unique claims which can only
have a unique value within a domain.
With the value of a unique claim we can identify a unique user within a
domain. While implementing identity management capabilities in IS-6.0 User
portal we came across below concerns.

   - System can have one or more unique claims.
   - All the unique claims doesn't have to be required claims.
   - At least one unique claim has to be required claim.

For authentication and recovery scenarios we need to have a unique
identifier for users. Currently we use "username" claim. I assume we need
to provide the flexibility to change this identifier claim.

   1. Do we allow client applications to choose this identifier claim from
   unique claims?
  - Then the IS will have to accept any of the unique claims as the
  user identifier in authentication and validate against it.
  2. Otherwise should we keep it as a system wide configuration?
   3. For the User Portal, we use 'username' claim as the user identifier.
   I have noticed we have hard-coded this claim
'*http://wso2.org/claims/username
   *'.
   1. I think we need to get this value from a configuration.
  2. Is it OK to keep this as a configuration within the User Portal.
  3. Otherwise where should we keep this?
  4. Will this identifier be username, for User portal always?
  Otherwise we need to have the flexibility of changing UI labels according
  to the identifier without much effort.
   4. Should we support authentication and recovery by multiple identifiers
   ( ex: username or email or NIC, each representing an individual unique
   claim)

Appreciate your input on this.

Thanks!
-Ayesha

-- 
*Ayesha Dissanayaka*
Software Engineer,
WSO2, Inc : http://wso2.com

20, Palmgrove Avenue, Colombo 3
E-Mail: aye...@wso2.com 
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

Re: [Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

[Dev] [IS-6] Need clarifications on Unique claim(s) as user identifier in Identity Server

8 matches

Site Navigation

Mail list logo

Footer information