Menu
▾
▴
Re: [Unity-idm-discuss] Feedback from an AAI Workshop (about UNITY)
|
From: Krzysztof B. <go...@ic...> - 2014-01-27 14:11:28
|
Hi Shiraz, Nice to hear from you&LSDMA! W dniu 27.01.2014 13:47, Shiraz Memon pisze: > Hi Krzysztof, > > Last week we had a workshop dedicated to AAI & IdM (as a part of the > LSDMA project). Whereby Unity appears to be quite important and going to > play a key role in the project. There were some initial but interesting > questions by meeting participants, though: > > Querying User's Attributes: > i) Can one query a user's group information from unity "without" Web > interface? Yes. It is possible with the SAML SOAP endpoint. SAML Attribute query protocol allows you to query for regular attributes, but additionally Unity can be configured (and by default is) to provide an additional dynamic attribute with the subject's group information. Unity allows for both self (what are my attributes?) and 3rd party (what are attributes of X?) queries, subject to site's authZ policy (see below). In future also an another, RESTful endpoint is planned, which can be considered a more lightweight - but not standards compliant - alternative. However this is not yet scheduled so any requirements are welcome. > ii) Is it only the user who can query the group information about > herself or any user holding specific (privileged) role, should be > allowed to do that? This is up to site's policy of course, but yes - you have a role (or actually several roles: Inspector, Contents Manager and System Manager) which can be assigned to users so they can read the information about other users. This applies to any access mean - web interface, SAML or anything that will be available in the future. What is more, authZ in Unity is configured per-group, so you can provide those additional privileges to selected users only in a subset of Unity tree. However for listing all groups this makes no much sense as the information is global by definition (*all* groups). > iii) In addition to that, what authentication (pki, username/password) > as well as saml protocol (ECP, SOAP,... etc) will be used to perform > such operation? So you knew it will be SAML ;-) You can use any protocol supported by Unity. Currently as noted above you have one non-web option: SAML with SOAP binding. Protocol: SAML Attribute Query protocol. You can also use SAML Authentication Protocol, but this is limited to self queries. Authentication: as configured per endpoint. Currently user name & password via HTTP Basic and/or client authenticated TLS are implemented. Supporting other (as username&password via WS-Security Username Token) can be added almost immediately if needed - this is trivial in Unity. > Support for external/upstream SAML IdPs: I am aware of the fact that the > support for external IdPs is imminent in the next release, which is > 1.1.0. Is there a tentative timeline we can anticipate? 2nd half of February. Currently this is nearly finished (e.g. all interop tests with Shib IdP are already passed), but also SAML Metadata support is planned and must be implemented. > Group management: Are the ordinary members of a group (beside > administrator) allowed to create sub-groups within? Here the answer is no, currently. I.e. one needs at least the Contents Manager role to create a group. You can assign this role for a user in a particular group, what probably won't be enough for your use case, as such role allows also for many other management actions in the group. I guess that this question is related to the self managed team work, where ordinary users can create their 'own' group, become its administrator, invite coworkers, (maybe even assign attributes in the group) and relaying services can use this information? If so, this is already designed in details for Unity, but not yet implemented. Self-managed group API is even defined and its implementation will be pretty simple. The bigger issue is the UI part. Pure 'create a group' UI is trivial, but for such feature we will need also flexible invitation/application support, simplified group management etc etc. Of course collaboration on this topic will be appreciated. Best regards, Krzysztof |
