[Architecture] [IS 6.0.0] Unique User Id for Identity Store

2016-12-06 Thread Thanuja Jayasinghe
Hi All, In the IS 6.0.0 Identity Store design we facilitate to have multiple user domains, each contains one or more identity/credential store connectors. Also, same identity/credential store connector may reside in two different domains. So there is a requirement to identify a user uniquely throu

Re: [Architecture] Dashboard Component Permission Model

2017-01-08 Thread Thanuja Jayasinghe
Hi Sajith, Currently, we are in the process of refactoring the carbon-security source and hope to release a 1.0.0-m3 soon. With this release, CAAS User implementation will only provide authorization functionalities. In order to consume identity store related functionalities, you need to use the Us

Re: [Architecture] Dashboard Component Permission Model

2017-01-09 Thread Thanuja Jayasinghe
/org.wso2.carbon.identity.mgt/src/main/ >> java/org/wso2/carbon/identity/mgt/User.java >> > So, which class will provide the isAuthorized(Permission permission) > method? > > It is the class which we have inside the CAAS. Basically User class in the carbon-identity-mgt is

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.3.0- RC3

2017-01-09 Thread Thanuja Jayasinghe
Hi, Tested following, - Account recovery with notification - Account recovery with security questions - Recaptcha - Self signup [+] Stable - go ahead and release Thanks, Thanuja On Mon, Jan 9, 2017 at 11:05 AM, Rushmin Fernando wrote: > Tested following features with MSSQL > > 1)

Re: [Architecture] Dashboard Component Permission Model

2017-01-19 Thread Thanuja Jayasinghe
2017 at 2:21 PM, Thanuja Jayasinghe > wrote: > >> >> >> On Mon, Jan 9, 2017 at 1:34 PM, SajithAR Ariyarathna >> wrote: >> >>> Currently, we are in the process of refactoring the carbon-security >>>> source and hope to release a 1.0.0-m

Re: [Architecture] Extend SCIM 2.0 Metadata to include User Lifecycle State

2017-02-12 Thread Thanuja Jayasinghe
Hi Johann / Isura, On Tue, Feb 7, 2017 at 10:00 PM, Johann Nallathamby wrote: > > > On Wed, Feb 8, 2017 at 9:25 AM, Isura Karunaratne wrote: > >> Hi Johann, >> >> >> On Wed, Feb 8, 2017 at 9:19 AM, Johann Nallathamby >> wrote: >> >>> For IS 6.0.0 M3 we decided to implement and manage user life

Re: [Architecture] IdentityStore APIs in C5

2017-02-27 Thread Thanuja Jayasinghe
Hi Gayan, We have already defined an exception hierarchy for identity components. IdentityException[1] ├── IdentityServerException[2] └── IdentityClientException[3] All exceptions classes defined for identity components extend either IdentityServerException or IdentityClientException. So any c

Re: [Architecture] Paginate and Filter Entries in IS 6.0.0

2017-03-01 Thread Thanuja Jayasinghe
Hi Gayan, On Thu, Mar 2, 2017 at 9:58 AM, Gayan Gunawardana wrote: > > Hi All, > > How listUsers, listGroups methods should behave when domain is not > specified ? > > > *1. listUsers(int offset, int length)* > Take primary domain as user store domain and provide paginated result. > > > *2. list

Re: [Architecture] Claim dialect must have two special attributes indicating "userid" claim URI and "role" claim URI.

2017-03-10 Thread Thanuja Jayasinghe
Hi Isuru, On Wed, Mar 8, 2017 at 9:08 AM, Isuru Haththotuwa wrote: > Hi Johann, > > On Mon, Mar 6, 2017 at 3:09 AM, Johann Nallathamby > wrote: > >> Hi All, >> >> Any foreign dialect that we define using claim management, must have two >> special attributes indicating the "userid" claim and the

Re: [Architecture] Claim dialect must have two special attributes indicating "userid" claim URI and "role" claim URI.

2017-03-10 Thread Thanuja Jayasinghe
Hi Johann, We use same "claim management" in SP configuration as well. So these attributes will be available for them also. When it comes to "userid", two SPs which use same claim configuration can have two different claims. So, to avoid the confusion shall we rename it to something like "feduser

Re: [Architecture] [C5][IS] Get claims from User object when it is get from cache.

2017-03-11 Thread Thanuja Jayasinghe
As per my understanding, if you get a cached user object from the IdentityStore cached wrapper, then the wrapper is responsible for setting the identity store object to the deserialized user object. So that the calling party will not see any difference. As a summary, - Only IdentityStore cach

Re: [Architecture] Claim dialect must have two special attributes indicating "userid" claim URI and "role" claim URI.

2017-03-11 Thread Thanuja Jayasinghe
On Sat, Mar 11, 2017 at 11:33 AM, Johann Nallathamby wrote: > > > On Sat, Mar 11, 2017 at 8:58 AM, Thanuja Jayasinghe > wrote: > >> Hi Johann, >> >> We use same "claim management" in SP configuration as well. So these >> attributes will be availa

Re: [Architecture] Define Username Claim in Domain Level

2017-03-14 Thread Thanuja Jayasinghe
Hi Gayan, Yes. We need to specially handle username claim ("http://wso2.org/claims/username"). Shall we add a method to User[1] class to retrieve username? [1] - https://github.com/wso2/carbon-identity-mgt/blob/master/components/org.wso2.carbon.identity.mgt/src/main/java/org/wso2/carbon/iden

Re: [Architecture] Define Username Claim in Domain Level

2017-03-14 Thread Thanuja Jayasinghe
Hi Nuwandi, On Tue, Mar 14, 2017 at 1:54 PM, Nuwandi Wickramasinghe wrote: > > > On Tue, Mar 14, 2017 at 12:42 PM, Thanuja Jayasinghe > wrote: > >> Hi Gayan, >> >> Yes. We need to specially handle username claim("http://wso2.org/claims/ >> username&q

Re: [Architecture] Define Username Claim in Domain Level

2017-03-14 Thread Thanuja Jayasinghe
of going back to IdentityStore API. > > [1] https://github.com/wso2/carbon-identity-mgt/blob/ > master/components/org.wso2.carbon.identity.mgt/src/main/ > java/org/wso2/carbon/identity/mgt/impl/IdentityStoreImpl.java#L1628 > > Thanks and Regards > > On Tue, Mar 14, 2017 at

Re: [Architecture] [C5][IS 6.0.0] User List UI for IS 6.0.0

2017-03-14 Thread Thanuja Jayasinghe
Hi Nuwandi, On Tue, Mar 14, 2017 at 10:28 AM, Nuwandi Wickramasinghe wrote: > Hi all, > > We are in the process of implementing User List view in the Admin Portal > for the new IS 6.0.0 release. The wireframe design for the UI is found at > [1]. > > Admin can view a list of users and perform act

Re: [Architecture] Define Username Claim in Domain Level

2017-03-20 Thread Thanuja Jayasinghe
On Sun, Mar 19, 2017 at 2:10 PM, Gayan Gunawardana wrote: > > > On Wed, Mar 15, 2017 at 6:50 AM, Thanuja Jayasinghe > wrote: > >> Hi Nuwandi, >> >> On Tue, Mar 14, 2017 at 1:54 PM, Nuwandi Wickramasinghe < >> nuwan...@wso2.com> wrote: >> &g

Re: [Architecture] Force Delete Identity Providers

2017-05-25 Thread Thanuja Jayasinghe
On Fri, May 19, 2017 at 10:05 AM, Malithi Edirisinghe wrote: > > > On Fri, May 19, 2017 at 9:19 AM, Ishara Karunarathna > wrote: > >> >> >> On Fri, May 19, 2017 at 1:15 AM, Malithi Edirisinghe >> wrote: >> >>> Hi All, >>> >>> So in order to support force delete an identity provider, we have to

Re: [Architecture] Why we use timestampSkew default value as 300 seconds in identity.xml, why not 0 seconds.

2017-05-30 Thread Thanuja Jayasinghe
Hi Dinali, Consider the following calculation. expiry time = issuedTimeInMillis + validityPeriodMillis - (System.currentTimeMillis() - timestampSkew) So actually token is valid for (validityPeriodMillis + timestampSkew) seconds. This additional time is added to avoid the error occurred due to th

Re: [Architecture] Does WSO2 Identity Server support IDP initiated logout from federated IDP?

2017-11-20 Thread Thanuja Jayasinghe
Hi Roman, On Thu, Nov 16, 2017 at 5:56 PM, Roman CHRENKO wrote: > Hello. > > We are using WSO2 Identity Server 5.3.0. > > I configured trust between WSO2 IDP (symbolic name "IDP1") and the Service > Provider (Shibboleth, symbolic name "SP1"). > > Then I configured second trust between WSO2 actin

Re: [Architecture] Federated IdP Initiated Logout

2018-01-15 Thread Thanuja Jayasinghe
Hi, On Mon, Jan 15, 2018 at 1:32 PM, Dimuthu Leelarathne wrote: > Hi All, > > Please consider the below scenario. > > > > > > When the Federated IdP sends the logout request we have to logout the user > from the WSO2IS. The proposed POC is as follows. > > - 1 & 4 are OAuth flows > - 2 & 3 are

[Architecture] WSO2 Carbon Security CAAS 1.0.0-M1 Released

2016-05-02 Thread Thanuja Jayasinghe
*WSO2 Carbon Security CAAS 1.0.0-M1 Released* The Identity Server team is pleased to announce the release of Carbon Security CAAS 1.0.0-M1. It is now available to download from here . *Features* *https://wso2.org/jira/issues/?filter

Re: [Architecture] [IS] Supporting user information recovery scenarios in IS user portal

2016-06-06 Thread Thanuja Jayasinghe
Hi Omindu, Yes. We can't use reCaptcha without internet. But the chance of having Bots attack from an internal network is very less. So we can either disable reCaptcha when server is not connected to the internet or have the old captcha implementation. +1 for keeping the existing captcha implementation

[Architecture] [IS] Support for Google reCaptha

2016-06-07 Thread Thanuja Jayasinghe
Hi All, I'm working on $subject. *Why reCaptcha?* *"reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA uses an advanced risk analysis engine and adaptive CAPTCHAs to keep automated software from engaging in abusive activities on your site. It does this while le

Re: [Architecture] [IS] Support for Google reCaptha

2016-06-07 Thread Thanuja Jayasinghe
register at [2] and create an API key pair for the >>> required domain. >> >> >> Should a product user generate their own key pair and configure the >> product prior to using reCaptcha ? >> >> Regards, >> Omindu. >> >> >> On Tue

[Architecture] [Dev] WSO2 Identity Server 5.3.0 Milestone 2 Released..!!

2016-06-13 Thread Thanuja Jayasinghe
*WSO2 Identity Server 5.3.0 Milestone 2 Released..!!* The WSO2 Identity Server team is pleased to announce the 2nd Milestone of WSO2 Identity Server 5.3.0. You can download this distribution from https://github.com/wso2/product-is/releases/tag/v5.3.0-m2. Following list contains all features, imp

[Architecture] [IS] Block brute force attacks on password recovery flows

2016-06-20 Thread Thanuja Jayasinghe
Hi All, I'm working on $subject. We are planning to prevent this flow from brute force attacks by enabling followings, 1. Enable captcha/reCaptcha after n failed attempts 2. Lock the account after n failed attempts for a period of time *How to track failed attempts?* We already have a "

Re: [Architecture] [Dev] Force Password Reset and Password History validation

2016-06-20 Thread Thanuja Jayasinghe
Hi Pushpalanka/Isura, On Mon, Jun 20, 2016 at 4:50 PM, Pushpalanka Jayawardhana wrote: > Hi Isura, > > On Mon, Jun 20, 2016 at 10:52 AM, Isura Karunaratne > wrote: > >> Hi all, >> >> I am working on $subject for WSO2 Identity Server 5.3.0 release. Following >> are the currently identified impro

Re: [Architecture] [IS] Block brute force attacks on password recovery flows

2016-06-20 Thread Thanuja Jayasinghe
Hi Isura, On Mon, Jun 20, 2016 at 5:54 PM, Isura Karunaratne wrote: > Hi Thanuja, > > On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe > wrote: > >> Hi All, >> >> I'm working on $subject. >> >> We are planning to prevent this flow

Re: [Architecture] [IS] Block brute force attacks on password recovery flows

2016-06-20 Thread Thanuja Jayasinghe
Hi Darshana, On Mon, Jun 20, 2016 at 6:54 PM, Darshana Gunawardana wrote: > Hi Thanuja, > > On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe > wrote: > >> Hi All, >> >> I'm working on $subject. >> >> We are planning to prevent this flow

Re: [Architecture] [IS] Block brute force attacks on password recovery flows

2016-06-20 Thread Thanuja Jayasinghe
On Mon, Jun 20, 2016 at 7:55 PM, Thanuja Jayasinghe wrote: > Hi Darshana, > > On Mon, Jun 20, 2016 at 6:54 PM, Darshana Gunawardana > wrote: > >> Hi Thanuja, >> >> On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe >> wrote: >> >>> H

Re: [Architecture] [IS] Block brute force attacks on password recovery flows

2016-06-20 Thread Thanuja Jayasinghe
Hi Farasath, On Tue, Jun 21, 2016 at 2:57 AM, Farasath Ahamed wrote: > Hi Thanuja, > > > On Mon, Jun 20, 2016 at 1:35 PM, Thanuja Jayasinghe > wrote: > >> Hi All, >> >> I'm working on $subject. >> >> We are planning to prevent this fl

[Architecture] [Dev] WSO2 Identity Server 5.3.0 Milestone 3 Released..!!

2016-07-08 Thread Thanuja Jayasinghe
*WSO2 Identity Server 5.3.0 Milestone 3 Released..!!* The WSO2 Identity Server team is pleased to announce the 3rd Milestone of WSO2 Identity Server 5.3.0. You can download this distribution from https://github.com/wso2/product-is/releases/tag/v5.3.0-m3 Following list contains all features, impr

Re: [Architecture] Monitor Logged In Users/Sessions

2016-07-13 Thread Thanuja Jayasinghe
On Tue, Jul 5, 2016 at 8:25 PM, Prabath Siriwardana wrote: > Also please note that we do not store USER_DOMAIN_NAME, but the > USERSTORE_DOMAIN_ID... > Practise we follow in other components is, keep 'USER_DOMAIN_NAME' in the table and use 'org.wso2.carbon.identity.user.store.configuration.list

[Architecture] [IS] Securing IS REST APIs from brute force attacks

2016-07-21 Thread Thanuja Jayasinghe
Hi All, I'm working on $subject. Some of the REST APIs which we are going to introduce with IS 5.3.0 release, will need some extra protection against bot attacks. API Requirement Prevention mechanisms Self sign-up Human verification captcha/reCaptcha Password recovery with email Human verificati

[Architecture] SAML2 Toolkit for IS

2014-04-02 Thread Thanuja Jayasinghe
Hi all, I'm currently developing $subject which will ease the SAML2 configuration process in IS. This toolkit consist of two parts, 1. SAML2 Request Validator 2. SAML2 Response Builder *SAML2 Request Validator* Using this component users can validate Service Provider(SP) initiat

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.5.0 RC2

2018-03-15 Thread Thanuja Jayasinghe
Hi, Tested following scenarios on RC2 pack. - User account association(Local/Federated) - SAML2 IdP creation with metadata file - Workflow management [+] Stable - Go ahead and release. Thanks, Thanuja On Thu, Mar 15, 2018 at 2:52 PM, Prakhash Sivakumar wrote: > Hi all, > > I have r

Re: [Architecture] [Dev] [VOTE] Release of WSO2 Identity Server 5.6.0 RC3

2018-06-19 Thread Thanuja Jayasinghe
Hi All, Tested user account association scenarios. No blocking issues found. [+] Stable - Go ahead and release Thanks, Thanuja On Tue, Jun 19, 2018 at 3:48 PM Isuri Anuradha wrote: > Hi all, > > I've tested following scenarios on the IS 5.6.0-RC3 pack. > >- SAML to SAML federation flow. >

Re: [Architecture] [IAM] Service Provider Template Support

2018-07-17 Thread Thanuja Jayasinghe
Hi, On Wed, Jul 18, 2018 at 6:47 AM Indunil Upeksha Rathnayake wrote: > Hi, > > In WSO2 Identity Server, we are planning to include Service Provider > Template Support which will be exposed a way to create service providers > with pre-configured and reusable templates. There will be several busin

[Architecture] WSO2 Identity Server 5.7.0-beta2 Released!

2018-09-02 Thread Thanuja Jayasinghe
WSO2 Identity and Access Management team is pleased to announce the release of Identity Server 5.7.0 Beta2! Download You can download WSO2 Identity Server 5.7.0 beta2 from here . You can download WSO2 Ident

[Architecture] [Dev][VOTE] Release of WSO2 Identity Server 5.7.0 RC1

2018-09-07 Thread Thanuja Jayasinghe
Hi All, We are pleased to announce the first release candidate(RC) of WSO2 Identity Server 5.7.0. This release fixes the following issues, - 5.7.0-RC Fixes - 5.7.0-Beta2 Fixes

[Architecture] [Dev][VOTE] Release of WSO2 Identity Server Analytics 5.7.0 RC1

2018-09-08 Thread Thanuja Jayasinghe
Hi All, We are pleased to announce the first release candidate(RC) of WSO2 Identity Server Analytics 5.7.0. This release fixes the following issues, - 5.7.0-RC Fixes Source and distribution, - https://github.com/wso2/analytics-

Re: [Architecture] [Dev][VOTE] Release of WSO2 Identity Server Analytics 5.7.0 RC1

2018-09-10 Thread Thanuja Jayasinghe
Hi All, We are closing the vote as we found an issue while configuring it for risk-based adaptive authentication. We will fix the issue and release another release candidate as soon as possible. Thanks, Thanuja On Sat, Sep 8, 2018 at 11:17 PM Thanuja Jayasinghe wrote: > Hi All, > &g

Re: [Architecture] [Dev][VOTE] Release of WSO2 Identity Server 5.7.0 RC1

2018-09-10 Thread Thanuja Jayasinghe
Hi All, We are closing the vote as we found an issue while working with the PostgreSQL database. We will fix the issue and release another release candidate as soon as possible. Thanks, Thanuja On Sat, Sep 8, 2018 at 6:34 AM Thanuja Jayasinghe wrote: > Hi All, > > We are pleased to

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.7.0 RC3

2018-09-14 Thread Thanuja Jayasinghe
Hi All, I have tested the following and no issues were found. - User account association - Workflow management - Adaptive authentication - Role-based - User age based [+] Stable - go ahead and release Thanks, Thanuja ___ Architecture

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.7.0 RC3

2018-09-16 Thread Thanuja Jayasinghe
have tested the following and no issues were found. >>>> >>>> * Setting up MySQL 5.7 >>>> * Configuring a Read-write Active Directory User Store as a >>>> secondary user store >>>> * Configuring Multi-factor Authentic

Re: [Architecture] [Dev][VOTE] Release of WSO2 Identity Server Analytics 5.7.0 RC2

2018-09-17 Thread Thanuja Jayasinghe
Hi All, I have tested the following and no issues were found. - Overall login attempts dashboard - Suspicious login attempts dashboard [+] Stable - go ahead and release Thanks, Thanuja On Sat, Sep 15, 2018 at 12:45 PM Dilin Dampahalage wrote: > Hi all, > > > We are pleased to announce

Re: [Architecture] [Dev] [VOTE] Release of WSO2 Identity Server Analytics 5.7.0 RC3

2018-09-18 Thread Thanuja Jayasinghe
Hi All, I have tested the following and no issues were found. - Overall login attempts dashboard - Suspicious login attempts dashboard [+] Stable - go ahead and release Thanks, Thanuja On Tue, Sep 18, 2018 at 5:07 PM Chamath Samarawickrama wrote: > Hi, > > I have tested the following o

[Architecture] WSO2 Identity Server 5.8.0-M1 Released!

2018-09-23 Thread Thanuja Jayasinghe
WSO2 Identity and Access Management team is pleased to announce the release of Identity Server 5.8.0 M1! Download You can download WSO2 Identity Server 5.8.0 M1 from here . You can download WSO2 Identity Server A

[Architecture] WSO2 Identity Server 5.8.0-M2 Released!

2018-09-29 Thread Thanuja Jayasinghe
WSO2 Identity and Access Management team is pleased to announce the release of Identity Server 5.8.0 M2! Download You can download WSO2 Identity Server 5.8.0 M2 from here . You can download WSO2 Identity Server A

[Architecture] WSO2 Identity Server 5.8.0-M3 Released!

2018-10-07 Thread Thanuja Jayasinghe
WSO2 Identity and Access Management team is pleased to announce the release of Identity Server 5.8.0 M3! Download You can download WSO2 Identity Server 5.8.0 M3 from here . You can download WSO2 Identity Server A

[Architecture] WSO2 Identity Server 5.8.0-M24 Released!

2019-03-06 Thread Thanuja Jayasinghe
WSO2 Identity and Access Management team is pleased to announce the release of Identity Server 5.8.0 M24! Download You can download WSO2 Identity Server 5.8.0 M24 from here . You can download WSO2 Identity Serv

[Architecture] WSO2 Identity Server 5.8.0-M25 Released!

2019-03-10 Thread Thanuja Jayasinghe
WSO2 Identity and Access Management team is pleased to announce the release of Identity Server 5.8.0 M25! Download You can download WSO2 Identity Server 5.8.0 M25 from here . You can download WSO2 Identity Serv

[Architecture] WSO2 Identity Server 5.8.0-alpha2 Released!

2019-03-23 Thread Thanuja Jayasinghe
WSO2 Identity and Access Management team is pleased to announce the release of Identity Server 5.8.0 alpha2! Download You can download WSO2 Identity Server 5.8.0 alpha2 from here . You can download WSO2 I

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.8.0 RC3

2019-05-22 Thread Thanuja Jayasinghe
Hi All, Tested following scenarios, - Local user account association - OAuth2 grant types (code, implicit, password, client credential) - SAML2 SSO & SLO [+] Stable - go ahead and release. Thanks, Thanuja On Wed, May 22, 2019 at 8:07 PM Farasath Ahamed wrote: > Hi All, > > Test the below scen

Re: [Architecture] [IS- 5.10.0] [Role-Permission] Implementation strategy

2019-08-28 Thread Thanuja Jayasinghe
+1 for approach 2. What will be a sample response for GET "https://localhost:9443/scim2/Groups/c39232b1-4856-439b-89be-aae3fce5617d/permissions"? Thanks, Thanuja On Thu, Aug 29, 2019 at 11:41 AM Dinali Dabarera wrote: > > Hi Denuwanthi, > > On Thu, Aug 29, 2019 at 11:37 AM Denuwanthi De Sil

[Architecture] Binding access token to the browser for new IAM Portal Applications

2019-09-02 Thread Thanuja Jayasinghe
Hi All, With the introduction of new IAM portal applications, there is a requirement to provide additional security measures to secure these SPAs. We have already implemented the OAuth2 authorization code flow(public client) with PKCE for these applications and with this feature, it will be possib

Re: [Architecture] Binding access token to the browser for new IAM Portal Applications

2019-09-05 Thread Thanuja Jayasinghe
tive > tokens for same client, user with random scopes ? Or are we just revoking > the old token if the same scopes are being used ?. > > Or else do we have the facility to have multiple active tokens for the > same user, application with same scopes in latest IS versions ? > &

Re: [Architecture] Binding access token to the browser for new IAM Portal Applications

2019-09-05 Thread Thanuja Jayasinghe
n Thu, Sep 5, 2019 at 12:41 PM Thanuja Jayasinghe wrote: > Hi Hasintha, > > We are going to introduce the capability to bind the token to an external > attribute as a part of this feature. So the updated schemas will be as > follows, > > IDN_OAUTH2_ACCESS_TOKEN ( >

Re: [Architecture] [Dev] [VOTE] Release WSO2 Identity Server 5.9.0 RC2

2019-10-03 Thread Thanuja Jayasinghe
Hi All, I have tested the following API implementations and no blocking issues found. - Session management API - User Account Association API - Export User profile - Consent Management API [+] Stable - go ahead and release Thanks, Thanuja On Thu, Oct 3, 2019 at 6:16 PM Piraveena Paralogarajah

[Architecture] WSO2 Identity Server 5.11.0 M6 Released!

2020-03-10 Thread Thanuja Jayasinghe
WSO2 Identity and Access Management team is pleased to announce the release of Identity Server 5.11.0 M6! Download You can download WSO2 Identity Server 5.11.0 M6 from here

Re: [Architecture] [IAM][5.11.0] REST API For Identity Server Local Authenticators

2020-03-17 Thread Thanuja Jayasinghe
Hi Ruwan, On Wed, Mar 18, 2020 at 9:36 AM Ruwan Abeykoon wrote: > Hi Sathya, > If this is only used for authenticating SOAP calls, then we need not worry > about managing it with REST. > SOAP services is going to be deprecated in favor of REST API. It is all > right to keep file based config an

Re: [Architecture] [Dev] Binding access token to the browser for new IAM Portal Applications

2020-03-24 Thread Thanuja Jayasinghe
the access token >>>> that already present in the cookie, there are two concerns, >>>> >>>>1. This will open up CSRF vulnerability as any malicious client >>>>running on the same browser can also access APIs successfully. >>