[Openid-specs-fastfed] Meeting Notes from November 6, 2019

Erik Gustavson erikgustavson at google.com
Wed Nov 6 16:57:21 UTC 2019


Correction: the in-person meeting will be Thursday, *Dec 12*, 2019

On Wed, Nov 6, 2019 at 8:56 AM Erik Gustavson <erikgustavson at google.com>
wrote:

> *Note: We will have an in-person meeting in Seattle (specific location
> TBD) on Thursday, December 9th, 2019*
>
> Attendees
>
> - Adam Hampton, Sailpoint
> - Brian Rose, Sailpoint
> - Darin McAdams, Amazon
> - Erik Gustavson, Google
> - Gokul Baskaran, Target
> - Matt Domsch, Sailpoint
> - Wesley Dunnington, Ping
> - Zhen Chien Chia, Microsoft
>
> Agenda
>
>
> - Date for in-person (https://rallly.co/BJpRUlS5B)
>   - Thursday, Dec 12th in Seattle area
>   - Location TBD
> - Should the SCIM schema and authorization profiles be defined in the
>   metadata?
>   - Darin: one constraint is that there is no trust between the 2 starting
>     parties. Providers might not have metadata URLs or not want them
>     public. Purpose of metadata in FastFed is to put just enough info to
>     allow providers to decide if they can play together.
>   - Brian: FastFed metadata can hand back the bearer token which could get
>     used to allow the underlying protocols to discover each other.
>   - Darin: AWS, for example, might have different URLs for metadata (per
>     tenant)
>   - Erik: Basic question is after initial FastFed handshake, what if the
>     provider (either side) wants to update something in the underlying
>     protocols (SSO, SCIM)
>   - Matt & Brian: What happens if the FastFed service and underlying SCIM
>     or SAML service get out of sync in terms of capabilities
>   - Darin: AI to think about this use case in the context of updates and
>     retries discussion
>   - Matt: duplication is ok -- intentional
> - Java Spring does not support the RFC-7523 we need
>   - What other implementations exist already?
>   - Darin: Salesforce implements this
>     - https://help.salesforce.com/articleView?id=remoteaccess_oauth_jwt_flow.htm&type=5
>     - https://help.salesforce.com/articleView?id=remoteaccess_oauth_web_server_flow.htm&type=5
>   - Atlassian, Apigee as well
>   - Ping does
> - Brian: The example JSON in Section 2.2 shows OIDC as an available
>   authentication profile. In Section 6.6, what would this look like if the
>   handshake is using OIDC instead of SAML?
>   - Darin: not sure as we punted on OIDC for now given questions about how
>     it would work.
>   - Brian: Would we take the references out of the spec?
>   - Darin/Erik: let’s narrow now and bring it back in if we get consensus
> - For in person (Dec 9) meeting
>   - duplicates, updates, retries
>
> Next Call
>
> - Nov 20th, 2019
> - Hangout: https://meet.google.com/wht-tipi-uoa
> - Phone: +1 832-509-0551 PIN: 164241#