

Subject: Re: [regrep] [RS Issue] Internal Vs. External Users


Glad to see some good discussion on the excellent issues Matt, Goran and 
others have identified. See comments inline below.

Chiusano Joseph wrote:

>Farrukh,
>
>Is the bottom-line question here "should the registry should define an
>abstract PrincipalProvider service, and treat external and internal
>users equally as something that may or may not be managed by the
>registry?" rather than the way it is described in section 11.7?
>  
>
I propose we use the term IdentityProvider instead of the equivalent 
term "PrincipalProvider" since IdentityProvider is more standard at this 
point.

IMO, the registry SHOULD NOT define an IdentityProvider interface since 
SAML 2.0 already does so, and the registry already leverages the SAML 2 
protocols and interfaces for IdentityProvider / AuthenticationAuthority.

So I do not believe we should be defining a different IdentityProvider 
interface.

The real issue is that we have an existing "identity provider" 
functionality and a new SAML 2 based "identity provider" functionality 
and I believe the spec needs to define how the two coexist or interact.

>If so, I believe the definition/usage of a PrincipalProvider service
>should be left as an implementation choice. There may be implementations
>that use a registry only locally, and may not need to use external
>identity providers. On a related note, I would not consider the
>registry's management of users (a capability since v1) as synonymous
>with an identity provider in terms of what SAML and Liberty Alliance
>enable.
>  
>
The term "identity provider" implies functions such as user management 
and the registry has been doing that.
The registry "identity provider" functionality prior to 3.0 was the bare 
minimum needed to meet registry use cases.
Just because the registry "identity provider" specs were minimal does 
not mean that the registry did not provide "identity provider" 
functionality.

>Kind Regards,
>Joseph Chiusano
>Booz Allen Hamilton
>Strategy and Technology Consultants to the World
> 
>
>  
>
>>-----Original Message-----
>>From: Farrukh Najmi [mailto:Farrukh.Najmi@Sun.COM] 
>>Sent: Saturday, January 22, 2005 11:38 AM
>>To: regrep@lists.oasis-open.org
>>Subject: [regrep] [RS Issue] Internal Vs. External Users
>>
>>Matt sent the following comment on section 11.7 that describes 
>>Internal Vs. External Users.
>>
>>"This section exists, IMO, due to poor design.  Why is there 
>>even a concept of internal and external users and 
>>organizations?  The registry should define an abstract 
>>PrincipalProvider service, and treat external and internal 
>>users equally as something that may or may not be managed by 
>>the registry."
>>
>>The registry historically since version 1 has served in the 
>>roles of an Identity Provider (manages users) and an 
>>Authentication Authority (validates user credentials). Thus 
>>a registry prior to version 3 allowed users to be stored 
>>internal to the registry.
>>
>>With version 3 we allow the Identity Provider and 
>>Authentication Authority functions to be provided by an 
>>external SAML Authority such as an Access Manager service.
>>Depending upon deployment situations a registry MAY manage 
>>users itself or leverage an external service to do so.
>>
>>This section is defining the behavior of how to handle cases 
>>where a user is being managed by an external service rather 
>>than the registry.
>>
>>If you have a specific proposal on how to address this issue 
>>please share and we can review the details. Thanks.
>>
>>--
>>Regards,
>>Farrukh


-- 
Regards,
Farrukh
