Bill,

I am unsure if storing an aspect of a user as its attribute is
hacking. OtherNames used is an attribute of the user.

The topic of multiple credentials against a single user is something I
raised on another thread, but for one scenario I am thinking about, it
would still need to be a 1:1 mapping between the username used and the
credential stored.

Each of our identity type constructs has attributes -
user, role, group, application, tier, partition etc.

Integration projects such as RESTEasy or GateIn or OAuth need to see if
some of their use cases can be stored as attributes of identity type(s).
This becomes an integration decision of the project. We do not want IDM
to be a bloated one-size-fits-all, a strategy which has failed in the
industry.

Regards,
Anil

On 12/10/2012 09:26 AM, Bill Burke wrote:
> Hacking the IDM model to support a new use case is a bad idea,
> especially considering the IDM API is in incubation. I've also
> discovered additional use cases that would require "hacking" the
> model, specifically OAuth grants. I'm sure others have discovered
> additional metadata they want to store. Fix the model, don't hack it!
>
> As far as the user model goes in a cloud service, global users make
> sense, but global credentials may not. Different realms will have
> different auth requirements. Some may be solely password based, others
> may have more complex requirements. They may also have different
> policies as well for lost passwords, etc.
>
>
>
> On 12/7/2012 5:25 PM, Anil Saldhana wrote:
>> Can we just not use the attributes on the User? Such as "otherNames" to identify the different usernames he may have used?
>>
>> SCIM comes into picture wherein one cloud provider/service wants to create accounts for users in the other cloud provider/service. Some trust agreements have to be in place between the two cloud providers.
>>
>> ----- Original Message -----
>> From: "Pedro Igor Silva" <psilva(a)redhat.com>
>> To: "Anil Saldhana" <anil.saldhana(a)redhat.com>
>> Cc: security-dev(a)lists.jboss.org
>> Sent: Friday, December 7, 2012 4:15:00 PM
>> Subject: Re: [security-dev] IDM: REST API
>>
>> They use an id/externalId/userName to identify users. Not sure if we have that in PL.
>>
>> Maybe this is an important thing to consider given that:
>>
>> * User can have different identifiers (e.g. username) for each cloud application. How do we know that a specific username maps to a single person?
>> * During the authentication each application may require one of the user's identifiers.
>>
>> Let's take the following example:
>>
>> * John is a person. For application A he is using a username "john". For application B he is using "john2012".
>>
>> This solution can be very important when *auditing* user actions. That way we can map different identifiers to a single person. Considering a cloud and heterogeneous environment.
>>
>> Regards.
>> Pedro Igor
>>
>> ----- Original Message -----
>> From: "Anil Saldhana" <asaldhan(a)redhat.com>
>> To: security-dev(a)lists.jboss.org
>> Sent: Friday, December 7, 2012 6:53:46 PM
>> Subject: [security-dev] IDM: REST API
>>
>> http://www.simplecloud.info/
>>
>> SCIM is very popular for user provisioning using REST.
_______________________________________________
security-dev mailing list
security-dev(a)lists.jboss.org
https://lists.jboss.org/mailman/listinfo/security-dev
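
The identifier mapping discussed in this thread (John is "john" in application A and "john2012" in application B, and audit records need to resolve to one person), sketched as an added example that is not part of the original messages and is not PicketLink IDM code. The `otherNames` layout keyed by application, the person ids and the audit events are constructed assumptions; the index is keyed on (application, username) because the same username can belong to different people in different applications.

```python
from collections import defaultdict

# Constructed identity store: per-application usernames kept as an
# "otherNames"-style attribute on each person (layout is an assumption).
PEOPLE = {
    "person-001": {"displayName": "John",
                   "otherNames": {"appA": "john", "appB": "john2012"}},
    # Same username "john", but in appB it belongs to someone else.
    "person-002": {"displayName": "Johanna",
                   "otherNames": {"appB": "john"}},
}

# Constructed audit events, as each application would log them.
EVENTS = [
    {"app": "appA", "username": "john", "action": "login"},
    {"app": "appB", "username": "john2012", "action": "export-report"},
    {"app": "appB", "username": "john", "action": "login"},
    {"app": "appA", "username": "guest7", "action": "login"},
]


def build_index(people):
    """Index (application, username) -> person id; reject ambiguous mappings."""
    index = {}
    for person_id, record in people.items():
        for app, username in record["otherNames"].items():
            key = (app, username)
            if key in index and index[key] != person_id:
                raise ValueError(f"{key} maps to more than one person")
            index[key] = person_id
    return index


def correlate(events, index):
    """Group audit events by person; keep unmapped identifiers for review."""
    by_person, unmapped = defaultdict(list), []
    for event in events:
        person_id = index.get((event["app"], event["username"]))
        if person_id is None:
            unmapped.append(event)  # identifier no person claims
        else:
            by_person[person_id].append((event["app"], event["action"]))
    return dict(by_person), unmapped


if __name__ == "__main__":
    trail, unknown = correlate(EVENTS, build_index(PEOPLE))
    for person_id, actions in trail.items():
        print(person_id, actions)
    print("unmapped:", unknown)
```

Keying on the username alone would attribute Johanna's appB login to John, which is the audit error the per-application key avoids.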