[Openid-specs-fastfed] August 28, 2019 WG meeting notes

Dick Hardt dick.hardt at gmail.com
Wed Aug 28 16:10:14 UTC 2019


Please let me know of any errors or omissions!
- Dick

*Agenda*

1. Review AIs from last time

2. Open questions from Brian (Sailpoint)

3. OAuth discussion

4. Multi-app portfolios (i.e. Google, Microsoft, Atlassian)

5. FastFed license


Attendees:

- Brian Rose

- Erik Gustavson

- Darin McAdams

- Matt Domsch

- Romain Lenglet

- Wesley Dunnington

- Austin Nicholas

- Chuck Mortimore

- Dick Hardt

Outstanding AIs (see below for status)

Brian: How does the SP know when the IdP is completed?

Darin: Scenario 1: If the user is admin for SP and IdP, they finish the
experience on the IdP. IdP can communicate that the process has failed.

Scenario 2: Separate admin for SP and IdP. Process is started by the SP Admin.
Process is completed by the IdP Admin at some point later. The IdP Admin sees the
failure. IdP then magically notifies the SP admin that setup is complete.

Objective is to push complexity onto IdP rather than SP.

Erik: What if the SP admin leaves companies? Is there some way for the SP to
poll to get the status of completion?

Brian: Can SP optionally get some way to check the status?

Dick: what happens?

Brian: No. How does the SP know that the IdP got back what it needed and
was successful?

Darin: I was not comfortable with the synchronous nature of last step.

Dick: Add an ack

Austin: our SP won’t be ready to go for 5 minutes

Dick: SP can respond saying “not quite ready, check back in 5”

Erik: let's add this into the flow

Darin: ok!

Erik: thanks for helping find issues

Brian: I think this deals with my issue

Erik: Atlassian had set up a suite of applications that is set up as a
single application at Google. Atlassian lets users start at the SP and initiate
from the specific SP. SPs that have a suite sort it out on their side. They
are more sophisticated.

Darin: FastFed license. How to get a license to use icons in FastFed.
Please check with your legal to see if you have an issue with the license.
https://bitbucket.org/openid/fastfed/src/master/license/FastFedLicense-1.0.txt

Darin: How will the SP get a client ID and secret?

Erik: Does not seem like the SP has a long lived access token.

General discussion: the protocol has been symmetric, so useful for SP to be
a client

Darin: how does SCIM work today for getting credentials?

Mauna: we do a pre-registration with client ID / secret or use a long lived
bearer token. We will do whatever the SP wants.

Darin: let’s standardize

Chuck: we support asymmetric keys, rarely used. Passing a long lived access
token may break existing code.

(Dick did not take many notes here)

Darin: I have enough feedback to think about this

Erik: cadence? Every 2 weeks

-----------

Last Meeting Notes

Attendees

- Chuck Mortimore, Salesforce

- Darin McAdams, AWS

- Erik Gustavson, Google

- Jacob Frederick,  AWS

- Junfeng Wu, Cisco

- Matt Domsch, SailPoint

- Pamela Ding, Microsoft

- Rafael Kabesa, Salesforce

- Rob Otto, Ping

- Romain Lenglet, Google

- Sanjoli Ahuja, ADP

- Wesley Dunnington, Ping

1. Feedback / questions from the demo at Identiverse

- How can I control who can access this app?

- Will Ping Federate support FastFed?

- FastFed addresses a real problem. It will eliminate lots of manual work.

- Got some questions about protocol details.

2. Draft updates

Darin needs to incorporate the feedback notes from the last WG meeting.

Matt requested that the standard supports using a source other than an IdP
for user provisioning.

Updating a federation is not (yet) covered by the standard, e.g.

- Enabling provisioning after the fact.

- Update provider metadata.

- Turnoff (already discussed in the last session).

Even if we don't address that now, we should clarify the scope of the
standard, e.g. in a FAQ document.

Sailpoint and ADP determined the minimum set of attributes needed for HR
extensions, when provisioning from an HRIS to an IdP.

Matt will share with the WG.

3. FastFed adoption

Ping is interested in joining the WG.

It is not easy to get started working on FastFed.

We need a better website front page.

Jacob has sequence diagrams that would be useful for such docs.

There is currently no "security considerations" section in the spec.

We need to get security experts to review the spec. Google and ADT will get
resources.

We need to get more "pure" service providers involved to get feedback on
the usability of the protocol.

We need more specific guidance to implement FastFed.

In the long-term, integrating with frameworks (Spring, etc.) will help
adoption.

We need a test harness to help developers.

Ideally, it would be good to have a reference implementation / mock
endpoints.

Both the Google and AWS implementations of the SP and IdP endpoints for the
Identiverse demo were developed with that purpose in mind.

Google and AWS will open-source those as reference implementations.

4. Timeline

We'll have to clarify early whether implementers (Google, AWS, etc.) will
do any branding around FastFed.

To get broader adoption, we need bigger and more frequent meetings.

We decided to schedule meetings once per month.

We should advertise the meeting calendar on the website to get more
attendees.

Erik and Adam aim for an implementers' draft by Aug 2019.

The last review of the draft will be at IIW in Oct 2019.

We'll also try to do interop testing at IIW.

How to bootstrap adoption?

We will need a critical mass of IdPs (Google, Ping, Okta) and trailblazing
SPs.

Then we can focus on advertising the standard to a broader SP audience.

5. Action items

- [Jacob, Erik] Write up a FastFed introduction for the website's front
page. (not done)

- [Pamela] Give Erik access to edit the website. (Nat got everyone access)

- [Pamela] Get everyone signed up on the mailing list. (seems like that is
the case)

- [Erik, Sanjoli] Get Google and ADT to do a security review. (outstanding)

- [Matt] Share the set of attributes for HR extensions. ?

- [Erik, Romain, Jacob] Look into the processes to open-source the demo
implementations, esp. determine the timelines. (not done)

- [Erik] Schedule the next meeting. (done!)