Subject: Re: [regrep] [RS Issue] Internal Vs. External Users


David,

It is obvious that you do not understand what I am on about.  I am in 
favour of cleanly separating functions such as user management from 
registry operations.  User/Identity management is a complex and involved 
area of functionality that this spec really is not scoped on.  Do my 
proposed separations "break" the current user model?  Well, no, not 
really.  They merely remove functions of the spec that in any way alter 
the definition of a Principal, or interfere with said principal's 
externally managed lifecycle.

8 implementations, huh?  I assume you are not counting pilots, or 
un-forked derivative works of Farrukh's codebase ;-p

Seriously though, you can thumb your nose at my assertions about this 
user stuff at your own peril.  I am trying to warn everyone what happens 
when all of a sudden they find themselves synchronizing tens of 
thousands of users from an LDAP server multiple times a day just to 
facilitate a handful of RS queries that are used relatively rarely. I 
have dabbled with every kind of solution to this -- from 
synchronization, to on-demand provisioning to full delegation of user 
management to an external system.  I'll tell the story for a beer, 
complete with the conclusion.

One thing is for certain, the SAML stuff is a godsend and a huge step 
in the right direction.  Without it, most registry implementations could 
become major security holes when deployed to a broad user base.

If we move toward the proper mix of abstraction and capabilities, we can 
more efficiently deal with the small and large scale use cases -- you'll 
still be able to manage users locally (vendor dependent) for the small 
installations.

-Matt


David Webber (XML) wrote:

>Matt,
>
>That's your implementation - there are at least 8 implementations
>I know of that are using the org / user model already and it's
>working for them - so we would not want to break that.
>
>DW
>
>----- Original Message ----- 
>From: "Matthew MacKenzie" <mattm@adobe.com>
>To: "Farrukh Najmi" <Farrukh.Najmi@Sun.COM>
>Cc: <regrep@lists.oasis-open.org>
>Sent: Sunday, January 23, 2005 5:18 PM
>Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
>
>>Farrukh Najmi wrote:
>>
>>>We have had Users, Organizations, Roles and Groups for several
>>>releases. I agree that over time we need to remove these and align
>>>with SAML and other security standards to define their replacement.
>>>
>>>I feel strongly however that we should not do this in version 3 since
>>>these would be major changes which I believe are too late to do at
>>>this stage in version 3. I propose we defer any changes in this area
>>>to version 4.
>>>
>>We could start phasing it out now though.  I think there are some
>>AdhocQueries that could be phased out.  Or not.  Our implementation just
>>gives you an error if you try to add users, and I'd like to throw an
>>error when someone asks for a list of users -- but I don't _have_ to.
>>
>>>>-Matt
>>>>
>>>>David Webber (XML) wrote:
>>>>
>>>>>Matt,
>>>>>
>>>>>OK. So this is over and above the SSO SMP support
>>>>>that Farrukh noted that we have already.
>>>>>
>>>>>I'm trying to understand the use case here a bit
>>>>>better.  With the SAML SSO request it's clear
>>>>>that a user is trying to authenticate using the SAML
>>>>>services.  So - we need to bootstrap that - what
>>>>>happens the first time a user logs in - and we
>>>>>do not know they have an SSO account yet?
>>>>>
>>>>>Brainstorming here - they go to "create new registry user" -
>>>>>and there they will have the chance to select "Use existing SSO
>>>>>account", etc.
>>>>>
>>>>>I'm trying to see why the registry would need to query for
>>>>>a whole list of users - unless it's a help function - to prompt
>>>>>the user to pick an existing account from a list?  Obviously
>>>>>that is prone to security violations and brute force password
>>>>>attacks...
>>>>>
>>>>>DW
>>>>>
>>>>>----- Original Message ----- From: "Matthew MacKenzie"
>>>>><mattm@adobe.com>
>>>>>To: "David Webber (XML)" <david@drrw.info>
>>>>>Cc: "Farrukh Najmi" <Farrukh.Najmi@Sun.COM>;
>>>>><regrep@lists.oasis-open.org>
>>>>>Sent: Monday, January 24, 2005 8:31 AM
>>>>>Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
>>>>>
>>>>>>Not exactly David.  SAML is not the whole story.  How does a SAML
>>>>>>assertion parlay into a list of users when a registry client makes
>>>>>>a request asking for User instances?
>>>>To unsubscribe from this mailing list (and be removed from the roster
>>>>of the OASIS TC), go to
>>>>http://www.oasis-open.org/apps/org/workgroup/regrep/members/leave_workgroup.php.


