Re: [Architecture] [IS] Authorization for Service Providers

2016-10-19 Thread Prabath Siriwardana
Overall I think we need not worry at this stage about what happens from one step to another. Authorization will happen at the end of the authentication flow (as Pulasthi explained)... and the SP should not be aware of what steps got executed in the authentication flow - it will simply define access

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-19 Thread Pulasthi Mahawithana
Hi All, > Do we execute the authorization handler for each request...? even the user > is authenticated...? > Yes we do, that way we'll ensure that different policies will be evaluated per service provider even in the same IdP session. We also don't maintain an 'authorized' state for the user

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-19 Thread Asela Pathberiya
On Wed, Oct 19, 2016 at 12:57 PM, Ishara Karunarathna wrote: > Hi Farasath, > > On Wed, Oct 19, 2016 at 12:39 PM, Farasath Ahamed > wrote: > >> We also need to consider how we are going to handle the 'NotApplicable' >> and 'Indeterminate' responses by the

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-19 Thread Ishara Karunarathna
Hi Farasath, On Wed, Oct 19, 2016 at 12:39 PM, Farasath Ahamed wrote: > We also need to consider how we are going to handle the 'NotApplicable' > and 'Indeterminate' responses by the XACML engine. Especially the > Indeterminate response that might be due to some missing

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-19 Thread Farasath Ahamed
We also need to consider how we are going to handle the 'NotApplicable' and 'Indeterminate' responses by the XACML engine. Especially the Indeterminate response that might be due to some missing attributes etc. AFAIK the decisions of multiple evaluated policies are currently evaluated based on
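The two design points raised in this thread, a post-authentication handler that consults the PDP on every request for every service provider (Pulasthi's reply above) and a fail-closed treatment of the XACML 'NotApplicable' and 'Indeterminate' results (Farasath's message), as an added, self-contained illustration. This is not Identity Server code: the PDP, its deny-overrides combining, the policy sets, the SP names `foo`, `bar`, `baz` and the subject attributes are all constructed for the example. One IdP session is reused across several SPs, and the handler never stores an 'authorized' flag in it.

```python
"""Per-request, per-SP authorization after authentication (constructed example).

The user's IdP session is shared across service providers, but each SP has
its own policy set, so the handler asks the (simulated) PDP on every request
and keeps no 'authorized' state in the session. A missing attribute surfaces
as Indeterminate and a missing policy as NotApplicable; only an explicit
Permit grants access.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Decision(Enum):
    PERMIT = "Permit"
    DENY = "Deny"
    NOT_APPLICABLE = "NotApplicable"
    INDETERMINATE = "Indeterminate"


@dataclass
class Session:
    """State the IdP holds once the authentication steps have completed.
    It is shared across SPs and deliberately carries no 'authorized' flag."""
    user: str
    attributes: Dict[str, str] = field(default_factory=dict)


# A rule inspects the subject attributes. A KeyError means the policy needs an
# attribute the request did not carry; a XACML PDP reports that as Indeterminate.
Rule = Callable[[Dict[str, str]], Decision]


def require_attr(name: str, value: str) -> Rule:
    """Permit when attrs[name] == value, Deny otherwise, KeyError if absent."""
    def rule(attrs: Dict[str, str]) -> Decision:
        return Decision.PERMIT if attrs[name] == value else Decision.DENY
    return rule


def evaluate_rule(rule: Rule, attrs: Dict[str, str]) -> Decision:
    """Map a missing-attribute failure to the XACML Indeterminate result."""
    try:
        return rule(attrs)
    except KeyError:
        return Decision.INDETERMINATE


def combine_deny_overrides(decisions: List[Decision]) -> Decision:
    """Simplified deny-overrides combining (an assumption of this example,
    not a statement about the combining algorithm Identity Server uses)."""
    if Decision.DENY in decisions:
        return Decision.DENY
    if Decision.INDETERMINATE in decisions:
        return Decision.INDETERMINATE
    if Decision.PERMIT in decisions:
        return Decision.PERMIT
    return Decision.NOT_APPLICABLE


# Constructed policy sets, keyed by SP name. "baz" has no policy written yet.
POLICIES: Dict[str, List[Rule]] = {
    "foo": [require_attr("role", "employee")],
    "bar": [require_attr("role", "employee"), require_attr("department", "finance")],
    "baz": [],
}


def pdp_decide(session: Session, sp: str) -> Decision:
    """Simulated PDP call: evaluate every policy bound to this SP for this subject."""
    rules = POLICIES.get(sp, [])
    return combine_deny_overrides([evaluate_rule(r, session.attributes) for r in rules])


def allowed_fail_open(decision: Decision) -> bool:
    """The weak check: only an explicit Deny blocks, so a missing attribute
    (Indeterminate) or a missing policy (NotApplicable) lets the user in."""
    return decision != Decision.DENY


def allowed_fail_closed(decision: Decision) -> bool:
    """The safe check: only an explicit Permit grants access."""
    return decision == Decision.PERMIT


def authorize_requests(session: Session, sps: List[str]) -> List[Tuple[str, Decision, bool]]:
    """Run the post-authentication handler for each request in one IdP session.
    The PDP is consulted every time; an earlier SP's decision is never reused."""
    results = []
    for sp in sps:
        decision = pdp_decide(session, sp)
        results.append((sp, decision, allowed_fail_closed(decision)))
    return results


if __name__ == "__main__":
    alice = Session("alice", {"role": "employee", "department": "finance"})
    bob = Session("bob", {"role": "employee"})  # no department attribute at all
    for s in (alice, bob):
        for sp, d, ok in authorize_requests(s, ["foo", "bar", "baz"]):
            print(f"{s.user} -> {sp}: {d.value}, allowed={ok}")
```

With one session, `bob` is admitted to `foo` but refused at `bar` (Indeterminate, the department attribute is missing) and at `baz` (NotApplicable, no policy), which is exactly the outcome a cached per-session 'authorized' flag would get wrong and `allowed_fail_open` would turn into access.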

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-19 Thread Ishara Karunarathna
Hi Godwin, On Wed, Oct 19, 2016 at 10:18 AM, Godwin Shrimal wrote: > As per my previous example, if authorization fails after the first step (Basic > authentication) we should not go for the next step and perform Fido > authentication. right ? > > I am not quite sure about the

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-19 Thread Eranga Perera
Hi, Another requirement I have seen is to have a set of authentication levels and, depending on the required level, present different combinations of authenticator steps for authentication. For instance, initially a user may be required to authenticate with only the basic authenticator, which will

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Godwin Shrimal
As per my previous example, if authorization fails after the first step (Basic authentication) we should not go for the next step and perform Fido authentication. right ? I am not quite sure about the scope we are going to cover with this implementation. Looks like there are valid use cases as above. Thanks

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Harsha Thirimanna
As in the sequence diagram, we can't do that, and actually do we need that level ? *Harsha Thirimanna* Associate Tech Lead | WSO2 Email: hars...@wso2.com Mob: +94715186770 Blog: http://harshathirimanna.blogspot.com/ Twitter: http://twitter.com/harshathirimann Linked-In: linked-in:

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Prabath Siriwardana
I think we need not worry about it as we have the PDP decision caching - we can just talk to the PDP each time... Thanks & regards, -Prabath On Wed, Oct 19, 2016 at 12:15 AM, Harsha Thirimanna wrote: > So, can't we keep the status 'authorized' with the SP name as well? > >

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Harsha Thirimanna
So, can't we keep the status 'authorized' with the SP name as well? *Harsha Thirimanna* Associate Tech Lead | WSO2 Email: hars...@wso2.com Mob: +94715186770 Blog: http://harshathirimanna.blogspot.com/ Twitter: http://twitter.com/harshathirimann Linked-In: linked-in:

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Prabath Siriwardana
It can change - you can authenticate a user with foo SP and then you will be authenticated automatically for bar SP - but they may have different authorization policies... Thanks & regards, -Prabath On Wed, Oct 19, 2016 at 12:01 AM, Harsha Thirimanna wrote: > I think , it

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Harsha Thirimanna
I think it doesn't matter to hit the authorization handler each time, if we can keep the status as user 'authorized' the same as we keep user 'authenticated' in each step. *Harsha Thirimanna* Associate Tech Lead | WSO2 Email: hars...@wso2.com Mob: +94715186770 Blog:

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Prabath Siriwardana
Do we execute the authorization handler for each request...? even the user is authenticated...? Thanks & regards, -Prabath On Tue, Oct 18, 2016 at 3:50 PM, Pulasthi Mahawithana wrote: > Hi All, > > As per the current implementation of the Identity Server's authentication >

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Prabath Siriwardana
On Tue, Oct 18, 2016 at 11:15 PM, Harsha Thirimanna wrote: > Within the tenant story, when SaaS is enabled for the SP, is it possible to > use the logged-in user's tenant-specific XACML policy as the authorization > policy in the above framework instead of using the SP's tenant XACML

Re: [Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Harsha Thirimanna
Within the tenant story, when SaaS is enabled for the SP, is it possible to use the logged-in user's tenant-specific XACML policy as the authorization policy in the above framework instead of using the SP's tenant XACML policy ? *Harsha Thirimanna* Associate Tech Lead | WSO2 Email: hars...@wso2.com Mob:

[Architecture] [IS] Authorization for Service Providers

2016-10-18 Thread Pulasthi Mahawithana
Hi All, As per the current implementation of the Identity Server's authentication framework, it does not provide any OOTB authorization mechanism for the service providers. We are going to provide this capability to Identity Server so that the users can be authorized to service providers using