Overall I think we need not worry at this stage about what happens from one
step to another. Authorization will happen at the end of the authentication
flow (as Pulasthi explained)... and SP should not be aware of what steps
got executed in the authentication flow - it will simply define access
Hi All,
> Do we execute the authorization handler for each request...? Even if the user
> is authenticated...?
>
Yes we do, that way we'll ensure that different policies will be evaluated
per service provider even in the same IdP session. We also don't maintain
an 'authorized' state for the user
On Wed, Oct 19, 2016 at 12:57 PM, Ishara Karunarathna
wrote:
> Hi Farasath,
>
> On Wed, Oct 19, 2016 at 12:39 PM, Farasath Ahamed
> wrote:
>
>> We also need to consider how we are going to handle the 'NotApplicable'
>> and 'Indeterminate' responses by the
Hi Farasath,
On Wed, Oct 19, 2016 at 12:39 PM, Farasath Ahamed
wrote:
> We also need to consider how we are going to handle the 'NotApplicable'
> and 'Indeterminate' responses by the XACML engine. Especially the
> Indeterminate response that might be due to some missing
We also need to consider how we are going to handle the 'NotApplicable' and
'Indeterminate' responses by the XACML engine. Especially the Indeterminate
response that might be due to some missing attributes etc.
AFAIK the decisions of multiple evaluated policies are currently evaluated
based on
Hi Godwin,
On Wed, Oct 19, 2016 at 10:18 AM, Godwin Shrimal wrote:
> As per my previous example, if authorization fails after the first step (Basic
> authentication) we should not go for the next step and perform Fido
> authentication, right?
>
> I am not quite sure about the
Hi,
Another requirement I have seen is to have a set of authentication levels
and, depending on the required level, present a different combination of
authenticator steps for authentication.
For instance, initially a user may be required to authenticate with only
the basic authenticator which will
As per my previous example, if authorization fails after the first step (Basic
authentication) we should not go for the next step and perform Fido
authentication, right?
I am not quite sure about the scope we are going to cover with this
implementation. It looks like there are valid use cases as above.
Thanks
As in the sequence diagram, we can't do that, and do we actually need that
level?
*Harsha Thirimanna*
Associate Tech Lead | WSO2
Email: hars...@wso2.com
Mob: +94715186770
Blog: http://harshathirimanna.blogspot.com/
Twitter: http://twitter.com/harshathirimann
I think we need not worry about it as we have the PDP decision caching -
we can just talk to the PDP each time...
Thanks & regards,
-Prabath
On Wed, Oct 19, 2016 at 12:15 AM, Harsha Thirimanna
wrote:
> So, can't we keep the status 'authorized' with the SP name as well.
>
>
So, can't we keep the status 'authorized' with the SP name as well.
*Harsha Thirimanna*
Associate Tech Lead | WSO2
Email: hars...@wso2.com
Mob: +94715186770
Blog: http://harshathirimanna.blogspot.com/
Twitter: http://twitter.com/harshathirimann
It can change - you can authenticate a user with foo SP and then you will
be authenticated automatically for bar SP - but they may have different
authorization policies...
Thanks & regards,
-Prabath
On Wed, Oct 19, 2016 at 12:01 AM, Harsha Thirimanna
wrote:
> I think, it
I think, it doesn't matter to hit the authorization handler each time, if
we can keep the status as user 'authorized' the same as we keep user
'authenticated' in each step.
*Harsha Thirimanna*
Associate Tech Lead | WSO2
Email: hars...@wso2.com
Mob: +94715186770
Blog:
Do we execute the authorization handler for each request...? Even if the user
is authenticated...?
Thanks & regards,
-Prabath
On Tue, Oct 18, 2016 at 3:50 PM, Pulasthi Mahawithana
wrote:
> Hi All,
>
> As per the current implementation of the Identity Server's authentication
>
On Tue, Oct 18, 2016 at 11:15 PM, Harsha Thirimanna
wrote:
> Within the tenant story, when the SP is SaaS-enabled, is it possible to
> use the logged-in user's tenant-specific XACML policy as the authorization
> policy in the above framework instead of using the SP's tenant XACML
Within the tenant story, when the SP is SaaS-enabled, is it possible to
use the logged-in user's tenant-specific XACML policy as the authorization
policy in the above framework instead of using the SP's tenant XACML policy?
*Harsha Thirimanna*
Associate Tech Lead | WSO2
Email: hars...@wso2.com
Mob:
Hi All,
As per the current implementation of the Identity Server's authentication
framework, it does not provide any OOTB authorization mechanism for the
service providers. We are going to provide this capability to Identity
server so that the users can be authorized to service providers using