On 2/10/2015 2:59 PM, Sam Hartman wrote:
> One of the consistent problems we've had here is what to do when
> a user produces a bad mapping.
> A user goes to a service but sends the wrong identity.
> Or perhaps the desired identity changes over time.
My proposal to address this would be to have the identity manager keep a
timestamped log of the services requesting identities and the identities
returned. We could add a button to the ui to display the log. Then a
user who had a bad/unexpected experience could hand-run the identity
manager, open the log and see the name of the service and the identity
returned, then select that identity and remove the bad service mapping.
Another potential issue is that there is currently no way to view/modify
the service selection rules for an identity, which can include wildcards
and the option to suppress the confirmation dialog. This can be quite
problematic if they cause a match for a service when the user really
wanted a different identity for that service.
Service selection rules can currently only be added/modified via the
web provisioning tool, moonshot-webp. Adding UI to view/modify the
selection rules in the identity manager might be complex, but a simpler
workaround would be to add functionality to allow users to add a service
mapping manually via an 'add service' button that would prompt the user
to type in the service name by hand. Having such an existing mapping on
the desired identity would override the selection rules causing the problem.
Kevin Wasserman
Painless Security, LLC
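As an added illustration of the two proposals in the message above (this is example code written for this page, not Moonshot's own identity-manager or moonshot-webp code): a small model in which explicit service mappings are consulted before wildcard selection rules, every lookup is written to a timestamped log that can be queried per service, and a mapping can be added or removed by hand. The rule syntax (fnmatch-style wildcards), the identity names and the field layout are assumptions chosen for the example; the real implementation's data model is not described in the thread.

```python
"""Toy model of identity selection with an audit log.

Added example, not Moonshot code. Rule syntax, identity names and the
field layout are assumptions for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from fnmatch import fnmatchcase
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Rule:
    """A selection rule as a provisioning tool might install it (shape assumed)."""
    pattern: str           # fnmatch-style wildcard, e.g. "*.example.org"
    always_confirm: bool   # False = confirmation dialog suppressed


@dataclass
class Identity:
    name: str
    services: Set[str] = field(default_factory=set)   # explicit, exact mappings
    rules: List[Rule] = field(default_factory=list)


@dataclass
class LogEntry:
    timestamp: str           # ISO-8601 UTC
    service: str
    identity: Optional[str]  # None when nothing matched
    how: str                 # "mapping", "rule" or "none"


class IdentityManager:
    def __init__(self, identities: List[Identity]):
        self.identities: Dict[str, Identity] = {i.name: i for i in identities}
        self.log: List[LogEntry] = []

    def select(self, service: str) -> Tuple[Optional[str], bool]:
        """Pick the identity for `service`; returns (identity name, confirm?).

        Exact mappings are checked before wildcard rules, so a mapping the
        user added by hand overrides any rule that would otherwise match.
        """
        chosen, confirm, how = None, True, "none"
        for ident in self.identities.values():
            if service in ident.services:
                chosen, confirm, how = ident.name, False, "mapping"
                break
        if chosen is None:
            for ident in self.identities.values():
                for rule in ident.rules:
                    if fnmatchcase(service, rule.pattern):
                        chosen, confirm, how = ident.name, rule.always_confirm, "rule"
                        break
                if chosen is not None:
                    break
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(LogEntry(stamp, service, chosen, how))
        return chosen, confirm

    def history(self, service: str) -> List[LogEntry]:
        """What a 'show log' button would list for one service."""
        return [e for e in self.log if e.service == service]

    def add_mapping(self, identity: str, service: str) -> None:
        self.identities[identity].services.add(service)

    def remove_mapping(self, identity: str, service: str) -> None:
        self.identities[identity].services.discard(service)


def demo() -> dict:
    """Walk through the failure mode from the thread and both repairs."""
    work = Identity("alice@work.example",
                    rules=[Rule("*.example.org", always_confirm=False)])
    home = Identity("alice@home.example")
    mgr = IdentityManager([work, home])

    # 1. A wildcard rule with the dialog suppressed silently picks the work
    #    identity for a service the user wanted to reach from home.
    first = mgr.select("mail.example.org")
    # 2. The log shows the user which identity was returned and why.
    seen = [(e.identity, e.how) for e in mgr.history("mail.example.org")]
    # 3. An explicit mapping on the desired identity overrides the rule.
    mgr.add_mapping("alice@home.example", "mail.example.org")
    second = mgr.select("mail.example.org")
    # 4. A mapping that turns out to be wrong can be removed again; the
    #    rule then applies once more.
    mgr.remove_mapping("alice@home.example", "mail.example.org")
    third = mgr.select("mail.example.org")
    return {"first": first, "seen": seen, "second": second, "third": third}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The ordering in `select` is the whole point: because exact mappings are tried before any rule, the 'add service' workaround described above works without touching the rules themselves, and the per-service log is what lets the user discover which identity a suppressed-dialog rule handed out.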