[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: Re: [regrep] [RS Issue] Internal Vs. External Users
Matthew MacKenzie wrote: > I am in favour of cleanly separating functions such as user management > from registry operations. I am too. As, I am sure, is everyone else in the TC. > User/Identity management is a complex and involved area of > functionality that this spec really is not scoped on. I agree. We did what we had to when there were no standards available for Single Signon etc. > I am trying to warn everyone what happens when all of a sudden they > find themselves synchronizing 10's of thousands of users from an LDAP > server multiple times a day just to facilitate a handful of RS queries > that are used relatively rarely. I have dabbled with every kind of > solution to this -- from synchronization, to on-demand provisioning to > full delegation of user management to an external system. I'll tell > the story for a beer, complete with the conclusion. +1 on the problem and you are not alone in appreciating its import. > One thing is for certain, the SAML stuff is a god send and a huge step > in the right direction. Without it, most registry implementations > could become major security holes when deployed to a broad user base. +1 The entire purpose of the SAML feature is to eliminate the need for registry to do Identity Provisioning and instead leverage industrial strength Identity Provisioning solutions such as Access Manager products. The only questions left is what to do with our existing Identity Provisioning capabilities. My solution is to leave it intact for following reasons: -SAML is not a required feature for Registry Lite conformance profile (you need an alternative if SAML is not implemented) -We need to provide an incremental migration from current registry native Identity Provisioning to SAML based Identity Provisioning. I can see that over time (probably in version 4) we will get rid of registry native Identity Provisioning al together and require support of Registry SAML Profile. But I still feel we need to hold on to the registry native Identity Provisioning in version 3. -- Regards, Farrukh
[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]