[Openid-specs-fastfed] FastFed doc for discussion

Phil Hunt phil.hunt at oracle.com
Tue May 16 17:08:21 UTC 2017


Darin,

Thanks for getting this initial strawman out the door.  This is a *really* good document and will move us forward greatly!

I’ve had a chance to review the document and a couple of things come to mind.
In general:
A.  Use of user-agent to facilitate registration. I think we may be looking for an API approach.  Also, technically, I think securing redirects is tough business.

B.  Use of initial access tokens and software statements - I think we should talk about the use cases a bit more.  In some cases software statements - especially ones generated by a certification agency (e.g. OIDF or OIX) - could be a way to trust a registrant.  Initial access tokens could be used as a way for an administrator to obtain registration permission manually in ad hoc scenarios.

Regarding the flows...
1) Who can access the service?
   This is unclear - can we choose between SCIM groups vs. entitlement?

2) Are we going to describe support for “Provisioned” (all user attributes have been propagated)
vs. JIT (provisioning from the token) vs. Virtual (no long term retention of user attributes).

3) How far to go with describing directory sync? Is this in or out-of-scope?  I think the enterprise cases will definitely want this. Either from Fast Fed or another WG.

4) Secevents signals can be exchanged between the two; these should probably be included in scope given that RISC is well underway.  Encouraging Product Managers to get their products to support FastFed and federation events is probably a big payoff.

5) Define the "App Admin" role. Is this the person at ACME corporation (the tenant) who wants to bind one or more ACME controlled IdPs as a source of identity for the SaaS service?

6) There is a role for a trusted intermediary creating signed software statements qualifying the SaaS application, ensuring that the SaaS application isn’t bogus.  This could be done by OIDF, or it could be done by major host providers for their SaaS app communities.  E.g. Google, Oracle, MS can issue statements for SaaS apps they offer or host.  Thus, OIDC OPs can simply configure trust of a small set of issuers for most cases.

Thanks again,

Phil

Oracle Corporation, Identity Cloud Services Architect & Standards
@independentid
www.independentid.com | phil.hunt at oracle.com
> On May 3, 2017, at 9:08 AM, McAdams, Darin via Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net> wrote:
> 
> Just chatted with Mike. He'll be hosting a session today on OTTO schemas
> 
> Sent from my mobile
> 
> On May 3, 2017, at 8:15 AM, Nat Sakimura <n-sakimura at nri.co.jp> wrote:
> 
>> Perhaps we can try to grab Mike S. today to figure out what can be done re: OTTO.
>>  
>> Nat Sakimura
>>  
>>  
>> From: Openid-specs-fastfed [mailto:openid-specs-fastfed-bounces at lists.openid.net] On Behalf Of McAdams, Darin via Openid-specs-fastfed
>> Sent: Wednesday, May 3, 2017 10:35 PM
>> To: openid-specs-fastfed at lists.openid.net
>> Subject: Re: [Openid-specs-fastfed] FastFed doc for discussion
>>  
>> Hi all,
>> Let me know if there's a specific area you'd like to dive into (or you can host the session).
>> 
>> The hot topic I noted yesterday was an open question around alignment with OTTO from Kantara, especially the representation of metadata. Since I know little of OTTO, will try to find someone from that group to volunteer.
>> 
>> Sent from my mobile
>> 
>> On May 2, 2017, at 11:18 PM, Dick Hardt <dick.hardt at gmail.com> wrote:
>> 
>> For those of us at IIW, we had a session today, and will have another session tomorrow on FastFed.
>>  
>> On Sun, Apr 30, 2017 at 5:27 PM, 富士榮尚寛 via Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net> wrote:
>> Hello Darin,
>> 
>> Apologies for my limited contribution.
>> 
>> From my experience, in some cases we have to consider a scenario
>> that supports multiple instances of the same SP for a single IdP
>> instance, because almost all enterprises have dev/qa/prod instances of
>> the same applications, but in some cases they do not want to have
>> multiple instances of the IdP. For example, my customer is using G Suite
>> dev/prod instances which were configured for SSO with a single Azure AD.
>> 
>> So my proposal for your question on page 8: at least the application name
>> should be obtained from the fastfed-discovery endpoint (e.g. "G Suite for
>> dev"), so that admins can recognize the SP's instance.
>> 
>> Regards,
>> Naohiro
>> 
>> 2017-04-30 12:06 GMT+09:00 McAdams, Darin via Openid-specs-fastfed
>> <openid-specs-fastfed at lists.openid.net>:
>> > Hi all,
>> >
>> > Doc attached, including a set of Open Issues that may be good for
>> > discussions. See many of you next week.
>> >
>> > -Darin
>> >
>> >
>> > _______________________________________________
>> > Openid-specs-fastfed mailing list
>> > Openid-specs-fastfed at lists.openid.net
>> > http://lists.openid.net/mailman/listinfo/openid-specs-fastfed
>> >
>> 
>> 
>>  
>> -- 
>> Subscribe to the HARDTWARE <http://hardtware.com/> mail list to learn about projects I am working on!
