Provisioning

Nilasini Thirunavukkarasu
5 min read · Jul 31, 2017

Provisioning means creating, maintaining and deleting user accounts and related identities in one or more systems or applications.

Picture1

Let’s say WSO2 uses some cloud applications such as Gmail, Salesforce and others. When a new employee joins WSO2, the HR manager needs to create an account in each application (Gmail, Salesforce, ...) in order to give the new employee access. With a provisioning system there is no need to create the accounts separately: the HR manager creates the user only once, and the other applications create the same user at the same time, as shown below.

Picture2

I hope you got the basic need for provisioning, right? :)

So provisioning is going to work as follows.

Picture3. Provisioning flow

Do you see any drawbacks in this flow? (Yes, right?) Your thinking is correct: it is redundant to have a separate connector for each application. In summary, these are the main drawbacks of the flow shown in picture 3.

  • Redundant integration efforts for ECS & CSP (see picture 4).
  • Maintenance nightmare of multiple connectors.
  • Complexity and cost.
Picture4. Identify the parties involved

So we need to come up with a common standard to talk to each application, as follows (picture 5).

Picture 5

That common protocol for provisioning is called SCIM (System for Cross-domain Identity Management). In WSO2 we use SCIM for three types of provisioning: inbound provisioning, outbound provisioning and JIT provisioning.

Inbound Provisioning

Let’s talk about inbound provisioning first. Say there is an application called App1. Whenever a user is created in App1, if we want that user to be created in IS (Identity Server) as well, then IS must be configured for inbound provisioning. Follow these steps to configure IS for inbound provisioning.

Inbound provisioning can be configured by two methods:

  1. Using the resident identity provider

Here you have to select the user store in which you want to store the user.

You can send the SCIM request from App1 to IS as follows:

curl -v -k --user <user_name>:<password> --data '{"schemas":[],"name":{"familyName":"kayal","givenName":"Nilasini"},"userName":"nila","password":"nila2","emails":[{"primary":true,"value":"nilasini2@wso2.com"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

2. Using a service provider

This method is used when your application supports OAuth. If your application only allows basic authentication, use the first method.

Before sending the SCIM request from App1 to IS, first register App1 as a service provider in IS and get the client key and secret. Then get an access token.

After that, send the SCIM request (from App1 to IS) with the access token as follows:

curl -v -k --header "Authorization: Bearer <access_token>" --data '{"schemas":[],"name":{"familyName":"fernando","givenName":"yohanna"},"userName":"yohanna","password":"yohanna","emails":[{"primary":true,"value":"yohanna2@wso2.com"}]}' --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users
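The two curl calls above as a small Python client, an added example that is not code from this post or from WSO2. It covers both inbound methods (basic auth against the resident identity provider, and a bearer token obtained after registering App1 as a service provider), uses the endpoint and payload fields from the post, and treats anything other than 201 Created as a failed provisioning. The admin credentials, token and response id in the comments are placeholders; verify_tls=False is the equivalent of curl -k and is only for a local development IS with its self-signed certificate.

```python
import base64
import json
import ssl
import urllib.request

SCIM_USERS_ENDPOINT = "https://localhost:9443/wso2/scim/Users"  # endpoint from the post

def build_scim_user(family_name, given_name, user_name, password, email):
    """Build the SCIM User payload with the same fields as the post's requests."""
    return {
        "schemas": [],
        "name": {"familyName": family_name, "givenName": given_name},
        "userName": user_name,
        "password": password,
        "emails": [{"primary": True, "value": email}],
    }

def basic_auth_header(user, password):
    """What curl's --user sends: base64(user:password) in an Authorization header."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return f"Basic {token}"

def build_create_request(user, endpoint=SCIM_USERS_ENDPOINT, *, basic=None, bearer=None):
    """Method 1 (resident IdP): basic=(admin_user, admin_pw) - placeholder credentials.
    Method 2 (service provider): bearer=<OAuth access token>. Exactly one is required."""
    if (basic is None) == (bearer is None):
        raise ValueError("supply exactly one of basic=(user, password) or bearer=token")
    headers = {"Content-Type": "application/json"}
    headers["Authorization"] = basic_auth_header(*basic) if basic else f"Bearer {bearer}"
    body = json.dumps(user).encode()
    return urllib.request.Request(endpoint, data=body, headers=headers, method="POST")

def parse_create_response(status, body):
    """IS answers 201 Created with the stored user; return its server-assigned id.
    Anything else (401 bad token, 409 user already exists, ...) is a provisioning failure."""
    if status != 201:
        raise RuntimeError(f"provisioning failed: HTTP {status}: {body[:200]}")
    return json.loads(body)["id"]

def provision_user(request, verify_tls=True):
    """Send the request. verify_tls=False mirrors curl -k: development only, since it
    disables certificate checking for the connection that carries the user's password."""
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(request, context=ctx) as resp:
        return parse_create_response(resp.status, resp.read().decode())
```

Call provision_user(build_create_request(build_scim_user(...), basic=("admin", "<password>"))) against a running IS; the returned value is the id IS assigned to the new user.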

Inbound provisioning is clear, right?? If not, please go through the reference links to get a clear understanding :).

Outbound provisioning

Outbound provisioning means that when you create a user in Identity Server, it must also be created in another application (call it APP2).

So here, instead of talking to a third-party application APP2, I am going to take two IS instances to explain this topic. Let’s say I have two IS instances (called internal IS and external IS). When a user is created in internal IS, the same user must be created in external IS as well.

First I need to configure internal IS for outbound provisioning and then configure external IS for inbound provisioning, as discussed above. To do that I first need two IS instances. I am going to use a port offset to run two IS instances at the same time. Execute the following command when starting external IS so that it runs on port 9444 while internal IS runs on the usual port 9443.

sh wso2server.sh -DportOffset=1

Configure internal IS for outbound provisioning

First you need to create an identity provider (that identity provider is external IS) with the following configuration. (You can add an identity provider using “Add” under Identity Providers in the left pane of the WSO2 management console.)

This outbound provisioning connector holds the endpoint and authentication details of external IS.

Now we need to tell internal IS to do the outbound provisioning. As with inbound provisioning, there are two ways to do this: using the resident service provider or using a service provider. The following picture shows how to use the resident identity provider for inbound provisioning.

Configure external IS for inbound provisioning

JIT provisioning

JIT provisioning allows user accounts to be created automatically in Identity Server for users who sign in. Just-in-time provisioning describes how users are provisioned to Identity Server at the time of federated authentication.

A service provider initiates the authentication request, the user is redirected to Identity Server, and Identity Server then redirects the user to an external identity provider for authentication. Just-in-time provisioning is triggered in this scenario when Identity Server receives a positive authentication response from the external identity provider. Identity Server then provisions the user to its internal user store with the user claims from the authentication response.

For example, first configure “travelocity.com” as a service provider and add Google as a federated authenticator. Then when you try to log in to travelocity.com it redirects you to the Google login page. If we want that user to be stored in IS, then JIT provisioning must be configured in IS. The details of these configurations will be updated soon :)

References

[1] http://blog.facilelogin.com/2014/10/wso2-identity-server-500-provisioning.html

[2] https://pulasthiharasgama.wordpress.com/2016/02/05/user-provisioning-between-two-wso2-identity-servers/comment-page-1/

[3] http://sunethpubudu.blogspot.com/2014/06/enabling-user-login-using-google.html
