[Openid-specs-fastfed] Oct 9, 2019 WG meeting notes
Erik Gustavson
erikgustavson at google.com
Thu Oct 10 01:33:31 UTC 2019
Hi folks,
Here's the notes from today's call.
-Erik
Attendees
Erik Gustavson, Google
Matt Domsch, Sailpoint
Adam Hampton, Sailpoint
Gokul Baskaran, Target
Agenda
- Sailpoint has continued work on the demo, some questions about implementation:
- Where does key information come to validate the response from the IdP?
- In Section 7.2.3.2 -- bullet #2, #3 logically come before #1
- Should make this numbered to make impl easier?
- Review of the doc that Brian sent a few weeks ago
- Matt: Governance provider flow -- comments?
- Erik: Would this work if we sub Governance for any other future service? This is somewhat FastFed update flow (i.e. FastFed provider has new capabilities)
- Matt: So is FastFed idempotent then?
- Erik: perhaps only if there’s nothing new at the IdP? We should try doing this flow in the simple case
- Matt: Directionality wasn’t really resolved
- Erik: discussed at IIW - any other cases besides HRM use case?
- Matt: ADP was asked to push into the IdP. Primary model is still IdP acts as client to SP’s server. Spec is still too vague here. (4.1.4)
- Can we clear up what "urn:ietf:params:fastfed:1.0:provisioning:SCIM:FullLifeCycle" means in terms of directionality?
- Erik: Should we just require directionality (client vs server) returned in 4.1.4 (“capabilities”)?
- Erik: let’s discuss in two weeks with more of the group
- Gokul: Do we want to be opinionated about users and groups in provisioning?
- Risk analysis or guidance during any self-service flows
- If IdP automates acceptance of the FastFed handshake, what guidance on best practices should we have in the standard? I.e. don’t depend on there being a human who is reviewing the federation/provisioning request
- Erik: Think this is up to IdP impls
Erik: Think this is up to IdP impls
- Gokul: What about high value or high assurance apps like a Salesforce?
- Erik: I think this is about identifying SPs so IdP knows how to handle them. During handshake do we provide enough information to know how to handle different flows after handshake?
- Gokul: Could we have self-service of handshake in the current model if there are different levels of application assurance?
Next Meeting
October 23, 2019
- Hangout: https://meet.google.com/wht-tipi-uoa
- Phone: +1 832-509-0551 PIN: 164 241#
--
Erik Gustavson
erikgustavson at google.com
Engineering Manager - Cloud Identity
415-736-3425