[security-dev] IDM: REST API

Bill Burke bburke at redhat.com
Mon Dec 10 10:26:07 EST 2012


Hacking the IDM model to support a new use case is a bad idea, 
especially considering the IDM API is in incubation.  I've also 
discovered additional use cases that would require "hacking" the 
model, specifically OAuth grants.  I'm sure others have discovered 
additional metadata they want to store.  Fix the model, don't hack it!

As far as the user model goes in a cloud service, global users make 
sense, but global credentials may not. Different realms will have 
different auth requirements.  Some may be solely password based, others 
may have more complex requirements.  They may also have different 
policies as well for lost passwords, etc.



On 12/7/2012 5:25 PM, Anil Saldhana wrote:
> Can we just not use the attributes on the User?  Such as "otherNames" to identify the different usernames he may have used?
>
> SCIM comes into picture wherein one cloud provider/service wants to create accounts for users in the other cloud provider/service. Some trust agreements have to be in place between the two cloud providers.
>
> ----- Original Message -----
> From: "Pedro Igor Silva" <psilva at redhat.com>
> To: "Anil Saldhana" <anil.saldhana at redhat.com>
> Cc: security-dev at lists.jboss.org
> Sent: Friday, December 7, 2012 4:15:00 PM
> Subject: Re: [security-dev] IDM: REST API
>
> They use an id/externalId/userName to identify users. Not sure if we have that in PL.
>
> Maybe this is an important thing to consider given that:
>
>      * User can have different identifiers (eg.: username) for each cloud application. How do we know that a specific username maps to a single person?
>      * During the authentication each application may require one of the user's identifiers.
>
> Let's get the following example:
>
>      * John is a person. For application A he is using a username "john". For application B he is using "john2012".
>
> This solution can be very important when *auditing* user actions. That way we can map different identifiers to a single person, considering a cloud and heterogeneous environment.
>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Anil Saldhana" <asaldhan at redhat.com>
> To: security-dev at lists.jboss.org
> Sent: Friday, December 7, 2012 6:53:46 PM
> Subject: [security-dev] IDM: REST API
>
> http://www.simplecloud.info/
>
> SCIM is very popular for user provisioning using REST.
> _______________________________________________
> security-dev mailing list
> security-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/security-dev
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
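A small model, added here as an illustration and not part of this thread or of the IDM API it discusses, of the split the two messages describe: one global user id, a per-realm local username that an audit lookup resolves back to the person (Pedro's "john" / "john2012" case), and a credential policy that belongs to the realm rather than the user (Bill's point). The class names, the sample realms and the password rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class RealmPolicy:
    """Credential policy owned by one realm, not by the global user."""
    min_password_length: int
    second_factor_required: bool


@dataclass
class User:
    id: str                                   # global, stable identifier
    usernames: Dict[str, str] = field(default_factory=dict)  # realm -> local username


class IdentityStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.policies: Dict[str, RealmPolicy] = {}
        self._by_realm_name: Dict[Tuple[str, str], str] = {}  # (realm, username) -> user id
    def add_realm(self, realm: str, policy: RealmPolicy) -> None:
        self.policies[realm] = policy
    def add_user(self, user: User) -> None:
        self.users[user.id] = user

    def link_username(self, user_id: str, realm: str, username: str) -> None:
        # A local username must be unique within its realm, or audit records
        # in that realm could not be attributed to exactly one person.
        owner = self._by_realm_name.get((realm, username))
        if owner is not None and owner != user_id:
            raise ValueError(f"{username!r} already belongs to {owner} in {realm}")
        self.users[user_id].usernames[realm] = username
        self._by_realm_name[(realm, username)] = user_id

    def resolve(self, realm: str, username: str) -> Optional[User]:
        """Audit lookup: which global user acted as `username` in `realm`?"""
        user_id = self._by_realm_name.get((realm, username))
        return self.users.get(user_id) if user_id else None

    def password_acceptable(self, realm: str, password: str) -> bool:
        # The rule is looked up per realm; the same password may pass in one realm and fail in another.
        return len(password) >= self.policies[realm].min_password_length


def demo() -> IdentityStore:
    # Constructed sample data: John is "john" in app-a and "john2012" in app-b.
    store = IdentityStore()
    store.add_realm("app-a", RealmPolicy(min_password_length=8, second_factor_required=False))
    store.add_realm("app-b", RealmPolicy(min_password_length=12, second_factor_required=True))
    store.add_user(User(id="u-1001"))
    store.link_username("u-1001", "app-a", "john")
    store.link_username("u-1001", "app-b", "john2012")
    return store
```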

