[Openid-specs-fastfed] Meeting Notes from November 20, 2019

Erik Gustavson erikgustavson at google.com
Wed Nov 20 17:05:12 UTC 2019


*Next meeting: In-person on Thursday, December 12, 2019 in Seattle Area.
Location to be announced later this week.*
Nov 20, 2019

Attendees

   - Brian Rose, Sailpoint
   - Erik Gustavson, Google
   - Gokul Baskaran, Target
   - Pam Dingle, Microsoft
   - Wesley Dunnington, Ping
   - Zhen Chien Chia, Microsoft

Agenda

   - (Brian) Questions about SCIM provisioning
      - On SSO, app provider is client, IdP is server. IdP hosts start
        endpoint, etc... app provider kicks off process.
      - In the governance case, the governance provider is acting as the
        client
      - Spec is symmetrical around exchange of OAuth tokens but in the
        provisioning/governance case, the app provider would send the tokens and
        subsequently act as the SCIM server.
      - Topic to discuss at in-person meeting -- coming up with an example
        sequence of calls for various scenarios would be useful for implementers.
   - (Zhen) SCIM questions
      - How the client is going to figure out what attributes are required based
        on the SCIM payload
      - Seeing examples in the wild where apps require optional attributes or
        don’t implement required attributes from the advertised SCIM schema
      - (Erik) Intention is to advertise up-front what is needed before trying
        to make calls later that might fail
      - (Pam) We need to be careful about how we bind SCIM metadata into the
        FastFed spec
      - (Wes) We wanted this to be symmetrical wrt SAML and SCIM
      - Need to normalize language in 2.5.1 (“must” vs “will”)
         - Additionally in 2.5.2, what happens if providers do not agree on
           the filters for required fields? I.e. App Provider requires
           “middle name” and IdP/governance provider only has that as optional.
   - (Gokul)
      - How do we exchange message-level encryption keys for SAML/SCIM where
        sensitive attributes are being passed around?
      - Is this in scope for FastFed? If not, we should specify that.
      - Symmetry of SCIM/SAML attribute passing argues that we should have an
        opinion on this
   - (Erik) Anything we want to focus on for in-person
      - Update flows
      - Canonical examples of SCIM schemas
      - OIDC profile
      - Implementation guides
      - Message-level encryption support
   - AI for Erik: determine where in-person meeting will be held
      - Pam has offered MSFT in Redmond; Erik will follow up off-list with
        Darin and Pam.



-- 

Erik Gustavson

erikgustavson at google.com

Engineering Manager - Apps Core

415-736-3425