[Openid-specs-fastfed] Oct 9, 2019 WG meeting notes

Erik Gustavson erikgustavson at google.com
Thu Oct 10 01:33:31 UTC 2019


Hi folks,

Here are the notes from today's call.

-Erik

Attendees

Erik Gustavson, Google

Matt Domsch, Sailpoint

Adam Hampton, Sailpoint

Gokul Baskaran, Target

Agenda

   - Sailpoint has continued work on the demo, some questions about
     implementation:
      - Where does key information come to validate the response from the
        IdP?
      - In Section 7.2.3.2 -- bullets #2, #3 logically come before #1
         - Should make this numbered to make impl easier?
   - Review of the doc that Brian sent a few weeks ago
      - Matt: Governance provider flow -- comments?
      - Erik: Would this work if we sub Governance for any other future
        service? This is somewhat a FastFed update flow (i.e. FastFed
        provider has new capabilities)
      - Matt: So is FastFed idempotent then?
      - Erik: perhaps only if there’s nothing new at the IdP? We should try
        doing this flow in the simple case
      - Matt: Directionality wasn’t really resolved
      - Erik: discussed at IIW - any other cases besides HRM use case?
      - Matt: ADP was asked to push into the IdP. Primary model is still IdP
        acts as client to SP’s server. Spec is still too vague here. (4.1.4)
         - Can we clear up what
           "urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle" means
           in terms of directionality?
         - Erik: Should we just require directionality (client vs server)
           returned in 4.1.4 (“capabilities”)?
         - Erik: let’s discuss in two weeks with more of the group
      - Gokul: Do we want to be opinionated about users and groups in
        provisioning?
   - Risk analysis or guidance during any self-service flows
      - If IdP automates acceptance of the FastFed handshake, what guidance
        on best practices should we have in the standard? I.e. don’t depend
        on there being a human who is reviewing the federation/provisioning
        request
      - Erik: Think this is up to IdP impls
      - Gokul: What about high value or high assurance apps like a Salesforce?
      - Erik: I think this is about identifying SPs so IdP knows how to
        handle them. During handshake do we provide enough information to
        know how to handle different flows after handshake?
      - Gokul: Could we have self-service of handshake in the current model
        if there are different levels of application assurance?



Next Meeting

October 23, 2019

   - Hangout: https://meet.google.com/wht-tipi-uoa
   - Phone: +1 832-509-0551 PIN: 164 241#



-- 

Erik Gustavson

erikgustavson at google.com

Engineering Manager - Cloud Identity

415-736-3425