List:       esb-java-dev
Subject:    Re: [Dev] Using default user attributes provided by Active Directory for SCIM operations
From:       Johann Nallathamby <johann () wso2 ! com>
Date:       2020-01-02 4:19:47
Message-ID: CAE-M9tBRoR8juqKWHQfhRms1eDo5fhaR4MzK_dJiKb0eVYv7iw () mail ! gmail ! com

Hi Gayashan,

On Tue, Dec 3, 2019 at 6:54 PM Gayashan Bombuwala <gayashanb@wso2.com>
wrote:

> Hi all,
> 
> Currently when managing users in Active Directory user store with SCIM, we
> have mapped the SCIM core attributes to different attributes [1, 2]
> supported by SCIM.
> 
> e.g. urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)->
> http://wso2.org/claims/userid (local claim) -> homePostalAddress (Active
> Directory attribute)
> 
> However, there are a set of attributes maintained by Active Directory
> which we can use to map some of core SCIM attributes. We have considered
> the following attributes for the moment.
> 
> 1. objectGuid (AD maintained attribute) ->
> urn:ietf:params:scim:schemas:core:2.0:id (SCIM attribute)
> 2. whenCreated (AD maintained attribute) ->
> urn:ietf:params:scim:schemas:core:2.0:created (SCIM attribute)
> 3. whenModified (AD maintained attribute) ->
> urn:ietf:params:scim:schemas:core:2.0:lastModified (SCIM attribute)
> 
> We need to handle the mapping of these attributes in two scenarios.
> 
> 1. When reading values from the user store.
> 2. When writing values to the user store.
> 
> 
> When reading from the user store we can introduce a hook to handle the
> mapping of these special attributes. We can implement the hook in
> AbstractUserStoreManager since local claim to user store property mapping
> is done in that [3] level. When the attributes are mapped we may need to do
> a conversion between data types for some attributes (e.g. objectGuid
> property is stored in AD as an octetString [3]). This hook will be a method
> with the following signature.
> 
> protected void processRetrievedSpecialClaims (Map<String, String>
> specialClaims)
> 

Why do we need to have "special" in the method name? Shouldn't all
attribute processing go through this method? Why limit this to certain
claims? We don't need to decide beforehand what claims have to go through
this method. If someone wants to handle certain claim in special way later
on they can extend this particular method.

Regards,
Johann.


> 
> However, when writing values to the user store, we need to handle the
> special claims in the user store level [5]. We can do data type conversion
> for special claim values here as well if required.
> We will introduce an abstract hook in the AbstractUserStoreManager level
> but will provide separate implementations in the user store level. This
> hook will be a method with the following signature.
> 
> protected void processSpecialClaimsForUpdating (Map<String, String>
> specialClaims)
> 
> Note that the above mentioned new behaviour will only be executed if a
> specific user store property is enabled.
> Please let us know if you have any concerns regarding this approach.
> 
> Best Regards,
> Gayashan
> 
> [1] https://docs.wso2.com/display/IS570/Configuring+Active+Directory+User+Stores+for+SCIM+2.0+based+Inbound+Provisioning
> [2] http://www.kouti.com/tables/userattributes.htm
> [3] https://docs.microsoft.com/en-us/windows/win32/adschema/s-string-octet
> [4] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/common/AbstractUserStoreManager.java#L5388
> [5] https://github.com/wso2/carbon-kernel/blob/eb6660d83a4ee29214924c5b7592fa30e259d7b5/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ActiveDirectoryUserStoreManager.java#L616
>
> --
> *Gayashan Bombuwala*
> Software Engineer | WSO2
> 
> Email: gayashanb@wso2.com
> Phone: +94770548334
> 
> 


-- 
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) johann@wso2.com
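As an added illustration of the data-type conversion the proposed read-path hook would have to do (this is example code, not code from the thread or from carbon-kernel, and it is written in Python rather than against the Java signature quoted above): the raw 16-byte objectGUID octet string becomes the canonical GUID string used as the SCIM id, and the GeneralizedTime values of whenCreated/whenModified become SCIM dateTime strings. The mapping table and the sample directory entry are constructed; every other attribute passes through unchanged, which is the behaviour Johann argues for.

```python
import re
import uuid
from datetime import datetime, timezone

SCIM_CORE = "urn:ietf:params:scim:schemas:core:2.0:"

# LDAP GeneralizedTime as AD emits it: YYYYMMDDHHMMSS, optional fraction, 'Z'.
_GENERALIZED_TIME = re.compile(r"^(\d{14})(?:\.\d+)?Z$")


def objectguid_to_string(raw: bytes) -> str:
    """AD stores objectGUID as a 16-byte octet string in mixed-endian order:
    the first three GUID fields are little-endian, the remaining bytes are
    big-endian. uuid.UUID(bytes_le=...) applies exactly that byte order."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be exactly 16 bytes, got %d" % len(raw))
    return str(uuid.UUID(bytes_le=raw))


def generalized_time_to_scim(value: str) -> str:
    """whenCreated/whenModified arrive as e.g. '20191203065400.0Z';
    SCIM dateTime expects ISO 8601 in UTC, e.g. '2019-12-03T06:54:00Z'."""
    m = _GENERALIZED_TIME.match(value)
    if not m:
        raise ValueError("unsupported GeneralizedTime value: %r" % value)
    dt = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


# Constructed mapping (assumption, not the project's configuration):
# AD attribute -> (SCIM attribute, converter). Unlisted attributes pass through.
AD_TO_SCIM = {
    "objectGUID": (SCIM_CORE + "id", objectguid_to_string),
    "whenCreated": (SCIM_CORE + "created", generalized_time_to_scim),
    "whenModified": (SCIM_CORE + "lastModified", generalized_time_to_scim),
}


def process_retrieved_claims(attributes: dict) -> dict:
    """Model of the read-path hook: every retrieved attribute goes through it,
    and only those with a registered converter are renamed and converted."""
    out = {}
    for name, value in attributes.items():
        target = AD_TO_SCIM.get(name)
        if target is None:
            out[name] = value          # no special handling: pass through as-is
            continue
        scim_name, convert = target
        out[scim_name] = convert(value)
    return out


# Constructed sample of what one AD read might return (not real directory data).
SAMPLE_ENTRY = {
    "objectGUID": bytes(range(1, 17)),
    "whenCreated": "20191203065400.0Z",
    "whenModified": "20200102041947Z",
    "mail": "alice@example.com",
}
```

Running `process_retrieved_claims(SAMPLE_ENTRY)` yields the SCIM id `04030201-0605-0807-090a-0b0c0d0e0f10` from the constructed GUID bytes, which shows why a naive hex dump of the octet string would produce the wrong identifier.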