[Openid-specs-fastfed] FastFed Requirements

Hardt, Dick dick at amazon.com
Wed Jun 7 22:06:39 UTC 2017


I understand the tenet. What is the assumption though? Are you questioning the tenet? A goal of a tenet would be to guide decisions. This one would guide us to push complexity to the IdP vs the app, all other things being equal. Having tenets helps make decisions, which seems valuable.

On 6/7/17, 2:50 PM, someone claiming to be "Phil Hunt (IDM)" <phil.hunt at oracle.com> wrote:

Tenet 4. The one Darin asked about.

Phil

On Jun 7, 2017, at 2:38 PM, Hardt, Dick <dick at amazon.com> wrote:
Which assumption are you referring to, Phil?

On 6/7/17, 2:22 PM, someone claiming to be "Phil Hunt (IDM)" <phil.hunt at oracle.com> wrote:

I am not seeing the value of the assumption.

Phil

On Jun 7, 2017, at 2:04 PM, McAdams, Darin via Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net> wrote:
Anyone disagree with the tenet under discussion?

  #  Tenet 4) Push Implementation Complexity onto IdPs

The discussion has been about the numbers and ratios, but returning to the main question: if we face a choice between pushing implementation complexity onto an IdP implementer vs a SP implementer, does anyone disagree about pushing complexity onto the IdP implementer?

The IdP _administrator_ (as opposed to the implementer) is also important. When using a hosted provider, the admin should see FastFed capabilities “just appear” when the provider launches it. Admins running their own installation will upgrade to a newer release to get the capabilities. The heavy lifting has been done by their chosen vendor.

From: Openid-specs-fastfed <openid-specs-fastfed-bounces at lists.openid.net> on behalf of "openid-specs-fastfed at lists.openid.net" <openid-specs-fastfed at lists.openid.net>
Organization: Gluu
Reply-To: Mike Schwartz <mike at gluu.org>
Date: Wednesday, June 7, 2017 at 1:48 PM
To: "Hardt, Dick" <dick at amazon.com>
Cc: "openid-specs-fastfed at lists.openid.net" <openid-specs-fastfed at lists.openid.net>
Subject: Re: [Openid-specs-fastfed] FastFed Requirements

I agree that IdP vendors < SaaS providers; I don't agree that IdPs <
SaaS providers. But if we're talking about admins, why aren't we valuing
IdP admins?

Regarding the ratio... what we find is that the minority of SaaS
providers support inbound SAML (and almost none support inbound OpenID
Connect). That's why so many SSO services are still pushing passwords.

Generally, SaaS providers get serious about supporting SAML when they
get a critical mass of requests from their customers. At that point,
they can justify the SAML investment. So it's mostly just the larger
SaaS providers. Even fewer support OpenID Connect (almost none, Amazon
being one of the exceptions).

- Mike



On 2017-06-07 15:06, Hardt, Dick wrote:
On 6/7/17, 12:38 PM, someone claiming to be "Openid-specs-fastfed on
behalf of openid-specs-fastfed at lists.openid.net"
<openid-specs-fastfed-bounces at lists.openid.net on behalf of
openid-specs-fastfed at lists.openid.net> wrote:
     More organizations have IDPs than SaaS providers support federated
     authentication. Frankly, SaaS providers only support federated authn
     when they get enough demand from customers, which sort of speaks to the
     ratio I am positing.
Mike: I’m confused what ratio you are implying here. Would you clarify?
_______________________________________________
Openid-specs-fastfed mailing list
Openid-specs-fastfed at lists.openid.net
http://lists.openid.net/mailman/listinfo/openid-specs-fastfed
