Separating 'My Identity' functionality from management console


Separating 'My Identity' functionality from management console

venura
Hi,

We are in the process of moving the below UI features out from the IS management console. 
  
1. My Profiles
2. Account Recovery
3. My Authorized apps
4. OpenID
5. My SCIM Providers
6. Multifactor Authentication
7. Sign-up


A jaggery application will be implemented with the above mentioned features and deployed within IS server. This application can be accessed via a different port. High level architecture diagram can be seen here [1]. 

Jaggery application will be implemented adhering to the caramel framework.


Please share your thoughts. 

Regards,
Venura

--
Senior Software Engineer

Mobile: +94 71 82 300 20


_______________________________________________
Architecture mailing list
[hidden email]
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture

Re: Separating 'My Identity' functionality from management console

venura
Hi,

I'm now implementing the login functionality for the My-Identity app. As per my understanding, the current user management functionality implemented within Jaggery uses OSGi services. This is correct if the mentioned application is only deployed within the IS server and therefore the my-identity app is connected to the same user store as the IS. But if we deploy the application within an AS, the scenario might be different.

This is also acceptable if the AS and IS both connect to the same user store. But in some scenarios these two servers might not be connected to the same user store.
For example, the IS and user store are located within the internal network while the AS is located outside the internal network and is not connected to the internal user store. But we still need to deploy the my-identity app within the AS since this application is exposed to the end users.

If we need our application to cater for the above requirement, we need to implement the login functionality using web services.

Please correct me if I'm wrong.

Regards,
Venura



On Tue, Sep 24, 2013 at 11:39 AM, Venura Kahawala <[hidden email]> wrote:

Re: Separating 'My Identity' functionality from management console

Chris Haddad
Yes, the my-identity app should run on app server, and basic features (password management, pwd recovery) should work without identity server. If identity server is present, then additional features (sso, scim) should be available, and the user store must be consistent between any available management views. For example, in the app server admin console, tenants/users/roles should be consistent with the identity server view.

/Chris
+1.678.431.1656


On Oct 9, 2013, at 10:02, Venura Kahawala <[hidden email]> wrote:


Re: Separating 'My Identity' functionality from management console

Johann Nallathamby
In reply to this post by venura
Hi Venura,

This should be done using the application authentication framework we have. As we will be migrating our carbon authenticators also to this it is best to use this framework.

All you need to do is get the username and password of the user (if you are using Basic Authentication) and do a POST to the commonauth servlet. This way the authentication mechanism is independent from your webapp. The only thing is that currently we don't have an authenticator that calls the IS web service APIs for authentication. This could be easily done by writing a new authenticator. Currently we have a Basic Auth authenticator which authenticates with the underlying user store and a SAML SSO authenticator for doing Single-Sign-On.


On Wed, Oct 9, 2013 at 7:32 PM, Venura Kahawala <[hidden email]> wrote:
--
Thanks & Regards,

Johann Dilantha Nallathamby
Senior Software Engineer
Integration Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - +94777776950


Re: Separating 'My Identity' functionality from management console

Prabath Siriwardena
In reply to this post by venura
How do we do this in API Store / Publisher? Can we host the API Store / Publisher in a different Application Server and still point to the same user base behind the API Manager?

Thanks & regards,
-Prabath


On Wed, Oct 9, 2013 at 7:32 PM, Venura Kahawala <[hidden email]> wrote:
--
Thanks & Regards,
Prabath



Re: Separating 'My Identity' functionality from management console

Johann Nallathamby
Hi Prabath,

AFAIK there are a few concerns regarding this. For instance the publisher and store authenticate users with the Key Manager using Web services and the web service URLs are configured in api-manager.xml. So we need to install some APIM components to get this done.

Also, since APIM uses the config registry to store some metadata, there are concerns on how to deploy the store/publisher app in an AS cluster.


On Wed, Oct 9, 2013 at 10:18 PM, Prabath Siriwardena <[hidden email]> wrote:

Re: Separating 'My Identity' functionality from management console

Johann Nallathamby
I still think it would be a valid requirement that needs to work out of the box.


On Wed, Oct 9, 2013 at 10:37 PM, Johann Nallathamby <[hidden email]> wrote:

Re: Separating 'My Identity' functionality from management console

Chris Haddad
In reply to this post by Johann Nallathamby
Johann, I think apim store/publishers are just examples.  The goal is to not reuse those specific components, but provide similar login auth/role functionality to all app server apps.

For example, I was writing a carbon-framework app to demo multitenancy, and would like to obtain a set of login pages, APIs, and guidelines on how to cleanly extend/migrate app server tenants/users/roles with identity server functions.

/Chris
+1.678.431.1656


On Oct 9, 2013, at 13:07, Johann Nallathamby <[hidden email]> wrote:


Re: Separating 'My Identity' functionality from management console

Nuwan Bandara-2
In reply to this post by Prabath Siriwardena
Hi Prabath,


On Wed, Oct 9, 2013 at 10:18 PM, Prabath Siriwardena <[hidden email]> wrote:
How do we do this inAPI - Store / Publisher ? Can we host the API Store / Publisher in a different Application Server and still points to the same user base behind the API Manager..?

In the case of a different app server (Tomcat / JBoss) you won't be able to; the main reason is that Jaggery won't run in a different container. In the case of moving those apps to WSO2 Application Server, it's theoretically possible, provided all API Manager components are also moved. Also, for obtaining users we use the UserManager OSGi service, so you need to configure the AS to the user store; else we have to migrate the code to get users / registry etc. from web services.

Regards,
/Nuwan
 

--
Thanks & Regards,

Nuwan Bandara
Technical Lead; 
WSO2 Inc. 
lean . enterprise . middleware |  http://wso2.com 
blog : http://nuwanbando.com; email: [hidden email]; phone: +94 11 214 5345



Re: Separating 'My Identity' functionality from management console

Johann Nallathamby
In reply to this post by Chris Haddad
Hi Chris,


On Thu, Oct 10, 2013 at 6:17 AM, Chris Haddad <[hidden email]> wrote:
Johann, I think apim store/publishers are just examples.  The goal is to not reuse those specific components, but provide similar login auth/role functionality to all app server apps.

Maybe I was not clear. This is exactly what I meant. We have an authentication framework for webapps to use. Unfortunately the API Store/Publisher are not able to use this directly because of the way they are written. Ideally any webapp/Jaggery app deployed in our servers is able to use this.
 

Re: Separating 'My Identity' functionality from management console

Asela Pathberiya
In reply to this post by venura

On Tue, Sep 24, 2013 at 11:39 AM, Venura Kahawala <[hidden email]> wrote:
Hi,

We are in the process of moving the below UI features out from the IS management console. 
  
1. My Profiles
2. Account Recovery
3. My Authorized apps
4. OpenID
5. My SCIM Providers
6. Multifactor Authentication
7. Sign-up

8. Password change by user
 


A Jaggery application will be implemented with the above-mentioned features and deployed within the IS server. This application can be accessed via a different port. A high-level architecture diagram can be seen here [1]. 

The Jaggery application will be implemented adhering to the Caramel framework.  


Please share your thoughts. 

+1 for having this without OSGi. It is better to use web services, as you have mentioned.

Also, is there any special reason for using Jaggery? Because I see that the web app you are developing would not be very portable. Actually, in a practical situation, I may have already developed a web application that is running on an app server. Then I need to enable some identity management features (account recovery, change password, signup) in my existing web app. Therefore I would add presentation pages for this using the existing presentation layer. So I would look for some client-side library to call these web service APIs of the Identity Server (I would not look for an already developed Jaggery app). I guess it is better to have some kind of client-side sample library which we could use to develop the presentation pages. If we can write this Jaggery web application using that kind of client-side API, that would be fine. If not, I do not think there is much worth in this for the developers who are using the Identity Server's APIs. However, it would just add some nice UI pages to WSO2 Identity Server (when it is developed in the cloud).

Thanks,
Asela.

 

Regards,
Venura

--
Thanks & Regards,
Asela

ATL
Mobile : +94 777 625 933


Re: Separating 'My Identity' functionality from management console

Dulanja Liyanage
In reply to this post by Johann Nallathamby
The problem with sending a POST outside of the internal network is that anyone can grab the credentials during the wire transfer (if not secured with HTTPS) or at transit points (even if secured with HTTPS). Then we need to consider encryption.


On Wed, Oct 9, 2013 at 10:09 PM, Johann Nallathamby <[hidden email]> wrote:
Hi Venura,

This should be done using the application authentication framework we have. As we will be migrating our carbon authenticators also to this it is best to use this framework.

All you need to do is get the username and password of the user (if you are using Basic Authentication) and do a POST to the commonauth servlet. This way the authentication mechanism is independent from your webapp. The only thing is that currently we don't have an authenticator that calls the IS web service APIs for authentication. This could easily be done by writing a new authenticator. Currently we have a Basic Auth authenticator which authenticates against the underlying user store and a SAML SSO authenticator for doing Single Sign-On.


On Wed, Oct 9, 2013 at 7:32 PM, Venura Kahawala <[hidden email]> wrote:
Hi,

I'm now implementing the log in functionality for the My-Identity app. As per my understanding current user management functionality implemented within jaggery uses OSGI services. This is correct if the mentioned application is only deployed within the IS server and therefore my-identity app is connected to the same user store as the IS. But if we deploy the application within an AS, the scenario might be different. 

This is also acceptable if the AS and IS both connect to the same user store. But in some scenarios these two servers might not be connected to the same user store. 
For example, the IS and the user store are located within the internal network while the AS is located outside the internal network and is not connected to the internal user store. But we still need to deploy the my-identity app within the AS, since this application is exposed to the end users. 

If we need our application to cater to the above requirement, we need to implement the login functionality using web services.

Please correct me if I'm wrong.

Regards,
Venura






--
Dulanja Liyanage
Senior Software Engineer - WSO2 Inc.
M: +94776764717


Re: Separating 'My Identity' functionality from management console

Dulanja Liyanage
Ah, but I guess the Jaggery app and the Authentication Framework would be on the same machine, so this won't be a problem if we use the LAN address for the POST.


On Thu, Oct 10, 2013 at 11:51 AM, Dulanja Liyanage <[hidden email]> wrote:
The problem with sending a POST outside of the internal network is that anyone can grab the credentials during the wire transfer (if not secured with HTTPS) or at transit points (even if secured with HTTPS). Then we need to consider encryption.


On Wed, Oct 9, 2013 at 10:09 PM, Johann Nallathamby <[hidden email]> wrote:
Hi Venura,

This should be done using the application authentication framework we have. As we will be migrating our carbon authenticators also to this it is best to use this framework.

All you need to do is get the username and password of the user (if you are using Basic Authentication) and do a POST to the commonauth servlet. This way the authentication mechanism is independent from your webapp. Only thing is currently we don't have an authenticator that calls the IS webservice APIs for authentication. This could be easily done by writing a new authenticator. Curently we have a Basic Auth authenticator which authenticates with the underlying user store and a SAML SSO authenticator for doing Single-Sign-On.


On Wed, Oct 9, 2013 at 7:32 PM, Venura Kahawala <[hidden email]> wrote:
Hi,

I'm now implementing the log in functionality for the My-Identity app. As per my understanding current user management functionality implemented within jaggery uses OSGI services. This is correct if the mentioned application is only deployed within the IS server and therefore my-identity app is connected to the same user store as the IS. But if we deploy the application within an AS, the scenario might be different. 

This is also acceptable if the AS and IS both connects to the same user store. But in some scenarios  these two server might not be connected to the same user store. 
For example, IS and user store is located within the internal network while AS is located outside the internal network and AS is not connected to the internal user store. But still we need to deploy the my-identity app within the AS since this application is exposed to the end users. 

If we need our application to cater above requirement we need to implement the log in functionality using web services.

Please correct me if I'm wrong.

Regards,
Venura



On Tue, Sep 24, 2013 at 11:39 AM, Venura Kahawala <[hidden email]> wrote:
Hi,

We are in the process of moving the below UI features out from the IS management console. 
  
1. My Profiles
2. Account Recovery
3. My Authorized apps
4. OpenID
5. My SCIM Providers
6. Multifactor Authentication
7. Sign-up


A jaggery application will be implemented with the above mentioned features and deployed within IS server. This application can be accessed via a different port. High level architecture diagram can be seen here [1]. 

Jaggery application will be implemented ad-hearing to the caramel framework.  


Please share your thoughts. 

Regards,
Venura

--
Senior Software Engineer

Mobile: <a href="tel:%2B94%2071%2082%20300%2020" value="+94718230020" target="_blank">+94 71 82 300 20




--
Senior Software Engineer

Mobile: <a href="tel:%2B94%2071%2082%20300%2020" value="+94718230020" target="_blank">+94 71 82 300 20




--
Thanks & Regards,

Johann Dilantha Nallathamby
Senior Software Engineer
Integration Technologies Team
WSO2, Inc.
lean.enterprise.middleware

Mobile - +94777776950



--
Dulanja Liyanage
Senior Software Engineer - WSO2 Inc.
M: <a href="tel:%2B94776764717" value="+94776764717" target="_blank">+94776764717



--
Dulanja Liyanage
Senior Software Engineer - WSO2 Inc.
M: +94776764717


Re: Separating 'My Identity' functionality from management console

Nuwan Bandara-2
In reply to this post by Asela Pathberiya



On Thu, Oct 10, 2013 at 11:50 AM, Asela Pathberiya <[hidden email]> wrote:

Also, is there any special reason for using Jaggery? Because I see that the web app you are developing would not be very portable. Actually, in a practical situation, I may have already developed a web application that is running on an app server. Then I need to enable some identity management features (account recovery, change password, signup) in my existing web app. Therefore I would add presentation pages for this using the existing presentation layer. So I would look for some client-side library to call these web service APIs of the Identity Server (I would not look for an already developed Jaggery app). I guess it is better to have some kind of client-side sample library which we could use to develop the presentation pages. If we can write this Jaggery web application using that kind of client-side API, that would be fine. If not, I do not think there is much worth in this for the developers who are using the Identity Server's APIs. However, it would just add some nice UI pages to WSO2 Identity Server (when it is developed in the cloud).

+1. Yes, if you can have a common client library, people can write their own UIs/pages in JSP / Jaggery. By default the IS can have a Jaggery app, but it should keep the client library separate so that it can be reused. 

We have done it at [1], and [2] is the common client library.

 




--
Thanks & Regards,

Nuwan Bandara
Technical Lead; 
WSO2 Inc. 
lean . enterprise . middleware |  http://wso2.com 
blog : http://nuwanbando.com; email: [hidden email]; phone: +94 11 214 5345



Re: Separating 'My Identity' functionality from management console

venura
In reply to this post by Dulanja Liyanage
Hi Dulanja,

AFAIK if we use TLS, the message will be encrypted and only the server will be able to decrypt it, since the TLS key is shared only between the client (browser) and the server. This is because at the time of the symmetric key exchange, the client encrypts the key with the server's public key and sends it to the server. Anyway, we are not going to use request redirection but a POST request. 


Regards,
Venura


On Thu, Oct 10, 2013 at 11:56 AM, Dulanja Liyanage <[hidden email]> wrote:
Ah, but I guess the Jaggery app and the Authentication Framework would be on the same machine, so this won't be a problem if we use the LAN address for the POST.





--
Senior Software Engineer

Mobile: +94 71 82 300 20


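The exchange above between Dulanja and Venura (the user's credentials POSTed from the my-identity app to the Identity Server, with TLS as the protection) is where a practitioner wants the check spelled out. The following is an added example, not code from this thread or from WSO2: it shows the policy a my-identity app running on a separate AS should enforce before it forwards a user's password to the IS, namely https only, certificate and hostname verification, TLS 1.2 or later, and an allowlist of IS hosts. The endpoint URL, the host allowlist and the form field names (username, password, sessionDataKey) are assumptions for illustration, not the IS's documented contract.

```python
"""Added example (not WSO2 code): hardened credential forwarding from the
my-identity app to the Identity Server. The endpoint, the host allowlist and
the form field names are assumptions for illustration."""
import ssl
from urllib.parse import urlsplit, urlencode
from urllib.request import Request, urlopen

# Constructed allowlist of IS hosts that may ever receive a user's password.
ALLOWED_IS_HOSTS = {"is.example.internal"}


class InsecureEndpoint(ValueError):
    """Raised when a credential POST would go somewhere it must not."""


def check_credential_endpoint(url, allowed_hosts=ALLOWED_IS_HOSTS):
    """Allow only https URLs, without userinfo, to an allowlisted IS host."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise InsecureEndpoint("credentials may only be POSTed over https: %s" % url)
    if parts.username or parts.password:
        raise InsecureEndpoint("userinfo in the endpoint URL is not allowed")
    host = (parts.hostname or "").lower()
    if host not in allowed_hosts:
        raise InsecureEndpoint("host %r is not an allowed identity server" % host)
    return parts


def make_tls_context(ca_file=None):
    """Client context that verifies the IS certificate chain and hostname and
    refuses anything older than TLS 1.2. ca_file is the CA that signed the IS
    certificate; None falls back to the system trust store."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def build_login_post(url, username, password, session_key):
    """Validate the target, then return (url, headers, body) for the form POST.
    The three form field names are assumed, not taken from the IS."""
    check_credential_endpoint(url)
    body = urlencode({"username": username,
                      "password": password,
                      "sessionDataKey": session_key}).encode("ascii")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def post_login(url, username, password, session_key, ca_file=None, timeout=10):
    """Send the POST over the hardened context and return the HTTP status.
    This is the only function that touches the network."""
    target, headers, body = build_login_post(url, username, password, session_key)
    req = Request(target, data=body, headers=headers, method="POST")
    with urlopen(req, context=make_tls_context(ca_file), timeout=timeout) as resp:
        return resp.status
```

Terminating TLS at an intermediary (a reverse proxy or load balancer in front of the IS) is exactly the "at transit points" case raised above: the checks here only cover the hop from the app to whatever presents the IS certificate, so that hop should end on the IS itself or on a proxy under the same control.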

Re: Separating 'My Identity' functionality from management console

Dulanja Liyanage
Hi Venura,

Yes you are correct. I've had a misunderstanding. Thanks.

Regards
Dulanja.


On Thu, Oct 10, 2013 at 12:36 PM, Venura Kahawala <[hidden email]> wrote:
Hi Dulanja,

AFAIK if we use TLS, the message will be encrypted and only the server will be able to decrypt it, since the TLS key is shared only between the client (browser) and the server. This is because at the time of the symmetric key exchange, the client encrypts the key with the server's public key and sends it to the server. Anyway, we are not going to use request redirection but a POST request. 


Regards,
Venura






--
Dulanja Liyanage
Senior Software Engineer - WSO2 Inc.
M: +94776764717


Re: Separating 'My Identity' functionality from management console

venura
Hi,

Is there a web service method to get the tenant domain by providing the user name?

The scenario is that the Jaggery application might be deployed within a separate Carbon container rather than the IS, as described in the above mails. Therefore calling PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain() will not give the correct answer.

Regards,
Venura


On Thu, Oct 10, 2013 at 2:38 PM, Dulanja Liyanage <[hidden email]> wrote:
Hi Venura,

Yes you are correct. I've had a misunderstanding. Thanks.

Regards
Dulanja.





--
Senior Software Engineer

Mobile: +94 71 82 300 20



Re: Separating 'My Identity' functionality from management console

Amila Maha Arachchi
We normally use the TenantManager to get the tenant domain by providing the tenant id. But, AFAIK, this is not accessible via the existing admin services.



On Tue, Nov 26, 2013 at 4:00 PM, Venura Kahawala <[hidden email]> wrote:
Hi,

Is there a web service method to get the tenant domain by providing the user name?

The scenario is that the Jaggery application might be deployed within a separate Carbon container rather than the IS, as described in the above mails. Therefore calling PrivilegedCarbonContext.getThreadLocalCarbonContext().getTenantDomain() will not give the correct answer.

Regards,
Venura






--
Amila Maharachchi
Senior Technical Lead
WSO2, Inc.; http://wso2.com

Blog: http://maharachchi.blogspot.com
Mobile: +94719371446


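On the tenant-domain question (Venura's message above and Amila's reply), an app that runs outside the IS can still derive the tenant from the Carbon username convention, username@tenantdomain, with carbon.super as the super-tenant domain and an optional USERSTORE/ prefix. The following is an added example, not WSO2 code and not a replacement for the TenantManager: it parses that convention, keeps the text after the last '@' so that email-style usernames survive, validates the result so that a client-supplied string is never passed to an admin service unchecked, and resolves it against a constructed set of registered tenants. The registered-tenant set and the validation rule for a domain are assumptions for illustration.

```python
"""Added example (not WSO2 code): client-side parsing of a Carbon-style
username into user-store domain, tenant-aware username and tenant domain,
with validation before the tenant is used in any downstream call."""
import re

SUPER_TENANT_DOMAIN = "carbon.super"  # Carbon's default (super) tenant domain

# Assumed shape of an acceptable tenant domain: lowercase labels, dots, dashes.
TENANT_DOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")

# Constructed set of tenants this deployment knows about (assumption).
REGISTERED_TENANTS = {"carbon.super", "acme.com", "wso2.org"}


def split_username(full_name):
    """'PRIMARY/alice@acme.com' -> ('PRIMARY', 'alice', 'acme.com').

    The tenant is the text after the LAST '@', so a login such as
    'alice@example.org@acme.com' yields user 'alice@example.org' and
    tenant 'acme.com'. A name with no '@' belongs to the super tenant.
    Raises ValueError for an empty user part or a malformed tenant domain."""
    store_domain = None
    name = full_name.strip()
    if "/" in name:
        store_domain, name = name.split("/", 1)
        store_domain = store_domain.upper()
    if "@" in name:
        user, tenant = name.rsplit("@", 1)
        tenant = tenant.lower()
    else:
        user, tenant = name, SUPER_TENANT_DOMAIN
    if not user or not TENANT_DOMAIN_RE.match(tenant):
        raise ValueError("malformed username: %r" % full_name)
    return store_domain, user, tenant


def resolve_tenant(full_name, registered=REGISTERED_TENANTS):
    """Return the tenant domain only if it is a registered tenant, else None.

    The username arrives from the browser, so the tenant it carries is
    untrusted input; checking it against the known tenants before calling an
    admin service avoids acting on an attacker-chosen domain."""
    _, _, tenant = split_username(full_name)
    return tenant if tenant in registered else None
```

When the app and the IS later share a tenant lookup service, the parsed domain from split_username is the value to pass to it; until then resolve_tenant is the gate that keeps an unknown or malformed domain from reaching the admin services.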