[Openid-specs-fastfed] notes from June 27, 2019
McAdams, Darin
darinm at amazon.com
Fri Jun 28 21:51:15 UTC 2019
Thanks, Romain!
A couple folks inquired where to find the spec. Everything is here:
https://bitbucket.org/openid/fastfed/src/master/
I have a few changes to incorporate from the last meeting in May. Was swamped with prepping for the demo, but will complete another revision of the spec by end of August. In the meantime, notes from the May meeting are here:
http://lists.openid.net/pipermail/openid-specs-fastfed/Week-of-Mon-20190513/000183.html
The biggest upcoming change will be to replace the OAuth access_token/refresh_token with a ClientID/clientSecret, and to use different OAuth materials for authn & provisioning activities (to accommodate the scenario where SSO & Provisioning are handled by different backend providers). The other major thing is that nobody really loves the webfinger discovery bits – so that could change.
No other major changes as far as we know – just fixing little things. When implementing the demo, we actually found the biggest challenges in the UX, not the message flows. One output of the group may include “UX best practices”.
From: Romain Lenglet <rlenglet at google.com>
Date: Thursday, June 27, 2019 at 3:35 PM
To: Erik Gustavson <erikgustavson at google.com>, "McAdams, Darin" <darinm at amazon.com>, Openid-specs-fastfed <openid-specs-fastfed at lists.openid.net>
Subject: notes from June 27, 2019
Hi,
Below are the notes from the WG meeting at Identiverse on June 27, 2019.
- Romain
Attendees
- Chuck Mortimer, Salesforce
- Darin McAdams, AWS
- Erik Gustavson, Google
- Jacob Frederick, AWS
- Junfeng Wu, Cisco
- Matt Domsch, SailPoint
- Pamela Ding, Microsoft
- Rafael Kabesa, Salesforce
- Rob Otto, Ping
- Romain Lenglet, Google
- Sanjoli Ahuja, ADP
- Wesley Dunnington, Ping
1. Feedback / questions from the demo at Identiverse
- How can I control who can access this app?
- Will Ping Federate support FastFed?
- FastFed addresses a real problem. It will eliminate lots of manual work.
- Got some questions about protocol details.
2. Draft updates
Darin needs to incorporate the feedback notes from the last WG meeting.
Matt requested that the standard support using a source other than an IdP for user provisioning.
Updating a federation is not (yet) covered by the standard, e.g.
- Enabling provisioning after the fact.
- Updating provider metadata.
- Turnoff (already discussed in the last session).
Even if we don't address that now, we should clarify the scope of the standard, e.g. in a FAQ document.
SailPoint and ADP determined the minimum set of attributes needed for HR extensions, when provisioning from an HRIS to an IdP.
Matt will share with the WG.
3. FastFed adoption
Ping is interested in joining the WG.
It is not easy to get started working on FastFed.
We need a better website front page.
Jacob has sequence diagrams that would be useful for such docs.
There is currently no "security considerations" section in the spec.
We need to get security experts to review the spec. Google and ADT will get resources.
We need to get more "pure" service providers involved to get feedback on the usability of the protocol.
We need more specific guidance to implement FastFed.
In the long-term, integrating with frameworks (Spring, etc.) will help adoption.
We need a test harness to help developers.
Ideally, it would be good to have a reference implementation / mock endpoints.
Both the Google and AWS implementations of the SP and IdP endpoints for the Identiverse demo were developed with that purpose in mind.
Google and AWS will open-source those as reference implementations.
4. Timeline
We'll have to clarify early whether implementers (Google, AWS, etc.) will do any branding around FastFed.
To get broader adoption, we need bigger and more frequent meetings.
We decided to schedule meetings once per month.
We should advertise the meeting calendar on the website to get more attendees.
Erik and Adam aim for an implementers' draft by Aug 2019.
The last review of the draft will be at IIW in Oct 2019.
We'll also try to do interop testing at IIW.
How to bootstrap adoption?
We will need a critical mass of IdPs (Google, Ping, Okta) and trailblazing SPs.
Then we can focus on advertising the standard to a broader SP audience.
5. Action items
- [Jacob, Erik] Write up a FastFed introduction for the website's front page.
- [Pamela] Give Erik access to edit the website.
- [Pamela] Get everyone signed up on the mailing list.
- [Erik, Sanjoli] Get Google and ADT to do a security review.
- [Matt] Share the set of attributes for HR extensions.
- [Erik, Romain, Jacob] Look into the processes to open-source the demo implementations, esp. determine the timelines.
- [Erik] Schedule the next meeting.