[Openid-specs-fastfed] Meeting Notes from November 6, 2019

Erik Gustavson erikgustavson at google.com
Wed Nov 6 16:56:11 UTC 2019


*Note: We will have an in-person meeting in Seattle (specific location TBD)
on Thursday, December 9th, 2019*

Attendees

- Adam Hampton, Sailpoint
- Brian Rose, Sailpoint
- Darin McAdams, Amazon
- Erik Gustavson, Google
- Gokul Baskaran, Target
- Matt Domsch, Sailpoint
- Wesley Dunnington, Ping
- Zhen Chien Chia, Microsoft

Agenda


- Date for in-person (https://rallly.co/BJpRUlS5B)
  - Thursday, Dec 12th in Seattle area
  - Location TBD
- Should the SCIM schema and authorization profiles be defined in the metadata?
  - Darin: one constraint is that there is no trust between the 2 starting parties. Providers might not have metadata URLs or not want them public. The purpose of metadata in FastFed is to put just enough info to allow providers to decide if they can play together.
  - Brian: FastFed metadata can hand back the bearer token, which could get used to allow the underlying protocols to discover each other.
  - Darin: AWS, for example, might have different URLs for metadata (per tenant)
  - Erik: Basic question is, after the initial FastFed handshake, what if the provider (either side) wants to update something in the underlying protocols (SSO, SCIM)?
  - Matt & Brian: What happens if the FastFed service and the underlying SCIM or SAML service get out of sync in terms of capabilities?
  - Darin: AI to think about this use case in the context of the updates and retries discussion
  - Matt: duplication is ok -- intentional
- Java Spring does not support the RFC 7523 we need
  - What other implementations exist already?
  - Darin: Salesforce implements this
    - https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=5
    - https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_server_flow.htm&type=5
  - Atlassian, Apigee as well
  - Ping does
- Brian: The example JSON in Section 2.2 shows OIDC as an available authentication profile. In Section 6.6, what would this look like if the handshake is using OIDC instead of SAML?
  - Darin: not sure, as we punted on OIDC for now given questions about how it would work.
  - Brian: Would we take the references out of the spec?
  - Darin/Erik: let's narrow now and bring it back in if we get consensus
- For in-person (Dec 9) meeting
  - duplicates, updates, retries

Next Call

- Nov 20th, 2019
- Hangout: https://meet.google.com/wht-tipi-uoa
- Phone: +1 832-509-0551 PIN: 164241#