[Openid-specs-fastfed] FASTfed Call Notes Aug 30
Phil Hunt
phil.hunt at oracle.com
Tue Aug 30 15:59:28 UTC 2016
Here are the minutes, feel free to amend with corrections and additions.
Phil
@independentid
www.independentid.com <http://www.independentid.com/>
phil.hunt at oracle.com <mailto:phil.hunt at oracle.com>
Dick has not made progress due to holidays (as have others).
Roles/Groups/Entitlements are slightly different but heavily overlapping. Do apps use one or two or do they pick one of them?
John - he finds companies tend to pick a pattern, but no consistency. Phil: there seems to be a transition. Pam explained that roles tend to often be single-valued and tend to be fixed (what is your job role). Entitlements can be one-off additional rights added to a user. However, there doesn’t seem to be a consistent model.
Pam - there is a mapping problem between what the IDP has vs. what the app wants.
What are the patterns?
We talked about how some Cloud providers (Google, Amazon, MS, Oracle) might be more directory centric vs. some are just provision my apps. E.g. putting someone in a group drives their access to apps.
There did not seem to be a clear model in the discussion for how entitlements, roles, vs. groups are modelled. Dick raised: should we just choose one?
Pam: We can drop a stake or we do a data-driven survey? We also need to figure out what is the minimum required? Governance is a slippery slope. How does the next developer get things configured so that the IDP can assert the correct data?
The group discussed that we should do a survey of what we can, and then put a stake in the ground?
Pam suggested building a story-based description of the requirements. Ping has profiled a number of apps. Most apps need to know: are you an employee, partner, or customer? Pam suggested maybe they could start a template.
Dick reports that the Amazon SaaS apps tend to all support roles. Somebody configures the relationship between groups and roles. Almost every app that we have is app specific, they are not centralized or federated.
Dick: Could groups in the IDP be mapped to roles in the application as an approach?
There did not seem to be a clear answer.
Mike: as with Phil, there is not a lot of consistency right now and I’m not sure we can impose a particular world view. Though maybe we can start.
Dick: we want to avoid a customizable engine model where mappings have to be configured?
Mike - suggested maybe there is a discovery process that publishes the available roles etc. Then the IDP admin can configure their mapping.
Lots of discussion, but the general feel is to put a stake in and see how people feel.
Pam agreed to look at some of the models and report back. Phil will also try to do some of the same.
Meeting ended at 8:56 Pacific.