Identities from legacy domains #11
Comments
|
You may think I'm again not very kind, but probably it would be wise to finish the ongoing work about identity before going to new developments. |
|
I agree with @sbecot and I think the main legacy interworking (IMS) may be addressed in D6.2. Abot the architecture displayed in the dedicated page I have multiple questions: what exactly is IWStub ? some kind of ProtoStub ? where does it come from ? what impact on the "legacy domain" ? what is IWHyperty ? |
|
these are specs for phase 2 and we are analysing the impact of legacy interworking in the core framework. |
|
I support @sbecot, we should finish the functionality of existing areas before going into new domains. @aoncorici is driving the interoperability issue for D6.2 sufficiently. Any additional work items should follow solutions for having more than one identity provider. |
|
@emmelmann-fokus these are only specs and, as previously agreed, this is a topic to be included in D3.5 to analyse the impact of legacy interworking in the core framework. This has been a joint work between WP3 and WP6. |
|
The IDM component (regarding phase 1) is basically done. Nevetheless, I agree that interoperability with legacy domains should be left for D6.2. There are many aspects that are unclear to me at the moment, related with the how to interact with legacy domains via rethink, and I suspect that many issues will appear that need to be thought and discussed to solved them. Definitely to be discussed in the coming meeting. |
|
@Ricardo-Chaves there is an impact on the Core Framework and namely on the Core Runtime that we should take into account in D3.5. We should not leave the discussion for the F2F meeting. I'm afraid that would be too late. The high level view of the integration seems clear too me (pls see here ) but of course it still requires to be completed as noted by @jmcrom . |
|
@pchainho given my concerns (see this issue) I would not say the high level view is clear @Ricardo-Chaves I do not see any Identity GUI |
|
@jmcrom just check my comments :) |
|
@jmcrom The identity GUI is in this pull request reTHINK-project/dev-runtime-browser#57 There is a problem in the Runtime-browser that cannot use the new Runtime Core distributions. Because the identity GUI requires the new runtime core distribution, the example fails. |
|
Here is the proposal that fully reuses the existing IDM mechanisms and thus have a minimum impact in terms of development: 1- the GUI Manager is used to authenticate and generate access tokens for Legacy Domains. This would trigger the deployment of a IWIdPProxy that would be used to generate the access token to be handled by the IDM. 2- when routing messages to protostubs, the IDM/Policy Engine verifies the target is a legacy domain ie IWStub, and it doesn't use the mutual authentication process. Instead, it adds an access token that was previously generated. If there is no access token yet, step 1 is performed ie the deployment of IWIdPProxy and the generation of the access token is performed. |
|
In terms of implementation tasks we have:
|
|
It's not the GUI that authenticates the user, it only provides the means to select an identity. Similarly, the GUI can't 'generate token' because they must be signed by an a trusted service (Authorization Server in case of Access Token, though I'm not sure why you want access tokens). There is two main functions, generation and verifications of identity assertions. And there is two scenarios, either the function is executed on the standard reThink side, or the function is executed on the legacy side. If either functions are done on the standard reThink side, nothing changes. You want to generate an assertion, you call the selected IdP Proxy, you want to verify it, you call the provided IdP Proxy. tl;dr; nothing to change on the runtime However, what changes is when one of these functions is done on the legacy side. From what I understand, there are no runtime on the IW side (IMS?). So the generation and verification of assertions must be done by IMS components responsible for this kind of functions. http://fr.slideshare.net/Quobis/security-and-identity-management-on-webrtc BTW, these slides are made by Quobis @antonroman. |
|
on the IMS part I have 2 comments:
@Sparika to my knowledge WAC is a product made by Quobis to interoperatie with existing communications systems (see here). I wonder how it maps to WWSF... @antonroman should know better |
|
We worked on this (Ibrahim and me) in the IETF draft, but cut it out in the end to shorten it. In a previous IETF Draft we had the following: Interconnection of WebRTC services with IMS network is specified by 3GPP in [3GPP TS 24.371] which is now included in the main IP Multimedia Subsystem (IMS) architecture [3GPP TS 23.228]. This document specifies the WIC (WebRTC IMS Client) which is installed at the device, enabling it to contact the local eP-CSCF, and access the IMS system. However, the IMS authentication requires that WebRTC CS users are allocated IMS identities, temporarily or permanently. IMS and WebRTC services need to interwork in two ways:
To use IMS procedures to authenticate WebRTC CS users who do not have existing IMS accounts, they should be assigned IMS identities. Their IdP identity is authenticated first. Then, the CS assigns an IMS public number (IMPU) that is associated with the user's private number (IMPI). These identities are supplied by the CS from a pool of valid MSISDN numbers that an IMS operator has allocated to the CS. With the allocated IMS identities and the WIC client, users can be authenticated by IMS standard procedures, whether they connect to IMS or to other WebRTC users. |
|
As agreed today: 1- Discover the GUID from the Global Discovery by using some user identifier |
|
thank you :) |
|
@pchainho For the 5th point is it really ".../.well-known/protocolstub/."? Shouldn't it be ".../.well-known/protocolstub/"? |
|
For the point 2 I think we should add the possibility to add non-rethink identities. This way, the identity model can be applied to any legacy application (sip or Web), etc... |
|
following Lisbon meeting I drafted this to map reTHINK concepts to functional entities introduced in 3GPP TS 24.371
any feelings? |
|
dear Jean-Michel, thank you for the diagram, I will have to check what the equivalent of WWSF is in out case. Can you please upload the source of the diagram on: https://github.com/reTHINK-project/testbeds/tree/master/docs/D6.2. |
|
done! it's called IMSinterop.pptx |
The current specs to support interoperability with legacy domains proposes the possibility to associate a second legacy identity to hyperties when interworking with legacy services.
One option could be not to associate this second legacy identity during deploy time but only when the Hyperty is interworking with legacy services. It would require from the IdM:
The text was updated successfully, but these errors were encountered: