Bill,
I am unsure if storing an aspect of a user as its attribute is
hacking. OtherNames, as used, is an attribute of the user.
Each of our identity type constructs has attributes - user, role, group,
application, tier, partition etc.
Integration projects such as RESTEasy or GateIn or OAuth need to see if
some of their use cases can be stored as attributes of identity type(s).
This becomes an integration decision of the project. We do not want IDM
to be a bloated one-size-fits-all, a strategy which has failed in the
industry.
Regards,
Anil
On 12/10/2012 09:26 AM, Bill Burke wrote:
Hacking the IDM model to support a new use case is a bad idea,
especially considering the IDM API is in incubation. I've also
discovered additional use cases that would require "hacking" the
model, specifically OAuth grants. I'm sure others have discovered
additional metadata they want to store. Fix the model, don't hack it!
As far as the user model goes in a cloud service, global users make
sense, but global credentials may not. Different realms will have
different auth requirements. Some may be solely password based, others
may have more complex requirements. They may also have different
policies as well for lost passwords, etc.
On 12/7/2012 5:25 PM, Anil Saldhana wrote:
> Can we just not use the attributes on the User? Such as "otherNames" to
> identify the different usernames he may have used?
>
> SCIM comes into the picture wherein one cloud provider/service wants to create accounts
> for users in the other cloud provider/service. Some trust agreements have to be in place
> between the two cloud providers.
>
> ----- Original Message -----
> From: "Pedro Igor Silva" <psilva(a)redhat.com>
> To: "Anil Saldhana" <anil.saldhana(a)redhat.com>
> Cc: security-dev(a)lists.jboss.org
> Sent: Friday, December 7, 2012 4:15:00 PM
> Subject: Re: [security-dev] IDM: REST API
>
> They use an id/externalId/userName to identify users. Not sure if we have that in PL.
>
> Maybe this is an important thing to consider given that:
>
> * User can have different identifiers (e.g. username) for each cloud
> application. How do we know that a specific username maps to a single person?
> * During the authentication each application may require one of the user's
> identifiers.
>
> Let's take the following example:
>
> * John is a person. For application A he is using a username "john".
> For application B he is using "john2012".
>
> This solution can be very important when *auditing* user actions. That way we can map
> different identifiers to a single person, considering a cloud and heterogeneous
> environment.
>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Anil Saldhana" <asaldhan(a)redhat.com>
> To: security-dev(a)lists.jboss.org
> Sent: Friday, December 7, 2012 6:53:46 PM
> Subject: [security-dev] IDM: REST API
>
> http://www.simplecloud.info/
>
> SCIM is very popular for user provisioning using REST.
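The thread's example (John is "john" in application A and "john2012" in application B) and Pedro's auditing point, worked through as an added illustration that is not PicketLink, SCIM or any project's code: application-scoped identifiers are bound to one global person with uniqueness enforced per (application, username), so audit lines can be attributed unambiguously. The class names, the sample people and the audit lines are constructed for this example.

```python
"""Mapping per-application usernames to one global person for auditing.
Constructed illustration; not project code. Names and data are made up."""
from dataclasses import dataclass, field


@dataclass
class Person:
    id: str                       # global, stable identifier (the SCIM "id")
    external_id: str = ""         # identifier assigned by the provisioning side (SCIM "externalId")
    usernames: dict = field(default_factory=dict)   # application -> local userName


class IdentityRegistry:
    """Binds (application, username) -> exactly one person. A free-form
    'otherNames' attribute cannot enforce this, so two people could claim
    the same name and an audit entry could not be attributed."""

    def __init__(self):
        self._people = {}   # person id -> Person
        self._index = {}    # (application, username) -> person id

    def add_person(self, person):
        self._people[person.id] = person
        for app, name in list(person.usernames.items()):
            self.bind(person.id, app, name)

    def bind(self, person_id, application, username):
        key = (application, username)
        owner = self._index.get(key)
        if owner is not None and owner != person_id:
            raise ValueError(f"{username!r} in {application!r} already belongs to {owner}")
        self._index[key] = person_id
        self._people[person_id].usernames[application] = username

    def resolve(self, application, username):
        """Global person id behind an application-local username, or None if unknown."""
        return self._index.get((application, username))

    def as_scim(self, person_id, application):
        """SCIM-style core fields for one person as seen by one application."""
        p = self._people[person_id]
        return {"id": p.id, "externalId": p.external_id, "userName": p.usernames[application]}


def attribute_audit_log(registry, lines):
    """Rewrite constructed 'app username action' audit lines to (person id, app, action)."""
    out = []
    for line in lines:
        app, user, action = line.split(" ", 2)
        out.append((registry.resolve(app, user) or "UNKNOWN", app, action))
    return out


# Constructed sample data: John from the thread, plus a different "john" in application B.
REGISTRY = IdentityRegistry()
REGISTRY.add_person(Person("u-1", external_id="hr-42", usernames={"A": "john", "B": "john2012"}))
REGISTRY.add_person(Person("u-2", usernames={"B": "john"}))
AUDIT = ["A john login", "B john2012 delete-file", "B john login", "A nobody login"]
```

Binding "john" in application A to a second person raises, which is the guarantee a plain attribute list does not give.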