Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
David,

It is obvious that you do not understand what I am on about. I am in favour of cleanly separating functions such as user management from registry operations. User/Identity management is a complex and involved area of functionality that this spec really is not scoped on.

Do my proposed separations "break" the current user model? Well, no, not really. They merely remove functions of the spec that in any way alter the definition of a Principal, or interfere with said principal's externally managed lifecycle.

8 implementations, huh? I assume you are not counting pilots, or un-forked derivative works of Farrukh's codebase ;-p

Seriously though, you can thumb your nose at my assertions about this user stuff at your own peril. I am trying to warn everyone what happens when all of a sudden they find themselves synchronizing tens of thousands of users from an LDAP server multiple times a day just to facilitate a handful of RS queries that are used relatively rarely. I have dabbled with every kind of solution to this -- from synchronization, to on-demand provisioning, to full delegation of user management to an external system. I'll tell the story for a beer, complete with the conclusion.

One thing is for certain: the SAML stuff is a godsend and a huge step in the right direction. Without it, most registry implementations could become major security holes when deployed to a broad user base.

If we move toward the proper mix of abstraction and capabilities, we can more efficiently deal with the small and large scale use cases -- you'll still be able to manage users locally (vendor dependent) for the small installations.

-Matt

David Webber (XML) wrote:
> Matt,
>
> That's your implementation - there's at least 8 implementations
> I know of that are using the org / user model already and it's
> working for them - so we would not want to break that.
>
> DW
>
> ----- Original Message -----
> From: "Matthew MacKenzie" <mattm@adobe.com>
> To: "Farrukh Najmi" <Farrukh.Najmi@Sun.COM>
> Cc: <regrep@lists.oasis-open.org>
> Sent: Sunday, January 23, 2005 5:18 PM
> Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
>
>> Farrukh Najmi wrote:
>>
>>> We have had Users, Organizations, Roles and Groups for several
>>> releases. I agree that over time we need to remove these and align
>>> with SAML and other security standards to define their replacement.
>>>
>>> I feel strongly however that we should not do this in version 3 since
>>> these would be major changes which I believe are too late to do at
>>> this stage in version 3. I propose we defer any changes in this area
>>> to version 4.
>>
>> We could start phasing it out now though. I think there are some
>> AdhocQueries that could be phased out. Or not. Our implementation just
>> gives you an error if you try to add users, and I'd like to throw an
>> error when someone asks for a list of users -- but I don't _have_ to.
>>
>>>> -Matt
>>>>
>>>> David Webber (XML) wrote:
>>>>
>>>>> Matt,
>>>>>
>>>>> OK. So this is over and above the SSO SMP support
>>>>> that Farrukh noted that we have already.
>>>>>
>>>>> I'm trying to understand the use case here a bit
>>>>> better. With the SAML SSO request it's clear
>>>>> that a user is trying to authenticate using the SAML
>>>>> services. So - we need to bootstrap that - what
>>>>> happens the first time a user logs in - and we
>>>>> do not know they have an SSO account yet?
>>>>>
>>>>> Brainstorming here - they go to "create new registry user" -
>>>>> and there they will have the chance to select "Use existing SSO
>>>>> account", etc.
>>>>>
>>>>> I'm trying to see why the registry would need to query for
>>>>> a whole list of users - unless it's a help function - to prompt
>>>>> the user to pick an existing account from a list? Obviously
>>>>> that is prone to security violations and brute force password
>>>>> attacks...
>>>>>
>>>>> DW
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Matthew MacKenzie" <mattm@adobe.com>
>>>>> To: "David Webber (XML)" <david@drrw.info>
>>>>> Cc: "Farrukh Najmi" <Farrukh.Najmi@Sun.COM>; <regrep@lists.oasis-open.org>
>>>>> Sent: Monday, January 24, 2005 8:31 AM
>>>>> Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
>>>>>
>>>>>> Not exactly David. SAML is not the whole story. How does a SAML
>>>>>> assertion parlay into a list of users when a registry client makes
>>>>>> a request asking for User instances?
>>>>
>>>> To unsubscribe from this mailing list (and be removed from the roster
>>>> of the OASIS TC), go to
>>>> http://www.oasis-open.org/apps/org/workgroup/regrep/members/leave_workgroup.php.