[Openid-specs-fastfed] FastFed Process Clarification

Matt Domsch matt.domsch at sailpoint.com
Mon Aug 19 18:02:16 UTC 2019


Forwarding on behalf of my colleague Brian Rose, who is developing an internal demo of FastFed, initially with SailPoint as the application.

Matt Domsch
VP, Lead Corporate Architect
matt.domsch at sailpoint.com
mobile: 512-981-6486
www.sailpoint.com

From: Brian Rose <brian.rose at sailpoint.com>
Subject: FastFed Process Clarification

Hey all,

I have been implementing a demo for the FastFed process for SailPoint. I have been using the "FastFed Scenario #1A with SAML + SCIM" document as a basic guideline for the process, which is a great outline for understanding the steps. I am mostly complete but have run across something that could use some clarification.

In "Step 9", the IdP makes a POST to the SP's "fastfed_handshake_finish_uri" endpoint. This seemingly indicates that the handshake is complete, but at this point, the SP returns information of its own. The IdP then uses that information to query the SP's SAML metadata and add/import it as a relying party trust. As far as the SP is concerned, the process is over and has been successfully completed. Unfortunately, the SP has no way of knowing whether the IdP succeeded in setting up the trust. In the event that the IdP is unable to finish the process (SAML endpoint error, unable to import, etc.), SSO will not be set up properly but the SP will now have SSO configured with an unusable IdP.

Is this the correct behavior?

I know that the IdP returns an informational page, which could include a success or an error, but that still doesn't provide the SP with any indication of success, especially if the process is kicked off in another tab/popup, as was demoed in the Identiverse video by Darran McAdams and Erik Gustavson. It seems like there should be a final callback to the SP from the IdP to an actual "handshake finish" endpoint with metadata indicating the results of the final step from the IdP. This would give the SP the ability to set up polling for completion/error when the process starts and then poll on that flag until it receives a true finish from the IdP, allowing scenarios like a UI refresh or kicking off dependent backend workflows (logging, auditing, notifications, etc.).

Thanks!

Brian Rose
SailPoint
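As an added illustration of the SP-side bookkeeping Brian proposes (example code, not part of the thread, the FastFed spec or SailPoint's demo): the SP records the Step 9 call to fastfed_handshake_finish_uri as merely pending, and only a later confirmation callback from the IdP, or a timeout, resolves it. The confirmation endpoint, its JSON fields and the timeout value are assumptions; the example also assumes the confirmation caller has already been authenticated as the IdP that started the handshake.

```python
# Added example: SP-side handshake state that keeps SSO disabled until the
# IdP reports the outcome of its SAML metadata import. The confirmation
# callback (handshake_confirm_uri) and its "status"/"error" fields are
# hypothetical; the FastFed spec does not define them as of this thread.
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

PENDING = "pending"          # SP answered fastfed_handshake_finish_uri (Step 9)
SSO_ENABLED = "sso_enabled"  # IdP confirmed it imported the SP's SAML metadata
FAILED = "failed"            # IdP reported an error, or no confirmation arrived


@dataclass
class Handshake:
    handshake_id: str
    idp_entity_id: str
    state: str = PENDING
    started_at: float = field(default_factory=time.time)
    error: Optional[str] = None


class HandshakeStore:
    def __init__(self, timeout_seconds: float = 600):
        self.timeout = timeout_seconds
        self._by_id: Dict[str, Handshake] = {}

    def finish_uri_called(self, handshake_id, idp_entity_id, now=None):
        """Step 9: the IdP POSTs to fastfed_handshake_finish_uri. The SP hands
        back its own metadata but records the handshake as PENDING, not done."""
        hs = Handshake(handshake_id, idp_entity_id, started_at=now or time.time())
        self._by_id[handshake_id] = hs
        return hs

    def confirm_uri_called(self, handshake_id, idp_entity_id, result):
        """Proposed final callback from the IdP (assumed already authenticated
        as that IdP). Only here does SSO become usable, or the handshake fail."""
        hs = self._by_id.get(handshake_id)
        if hs is None or hs.idp_entity_id != idp_entity_id or hs.state != PENDING:
            return None  # unknown, mismatched or already-resolved handshake
        if result.get("status") == "success":
            hs.state = SSO_ENABLED
        else:
            hs.state, hs.error = FAILED, result.get("error", "unspecified")
        return hs

    def poll(self, handshake_id, now=None):
        """The flag the SP's UI or backend workflows poll until a true finish."""
        hs = self._by_id.get(handshake_id)
        if hs and hs.state == PENDING and (now or time.time()) - hs.started_at > self.timeout:
            hs.state, hs.error = FAILED, "no confirmation from IdP before timeout"
        return hs.state if hs else None
```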