[Openid-specs-fastfed] Webfinger question
Brian Rose
brian.rose at sailpoint.com
Tue Dec 17 20:02:38 UTC 2019
Hey all,
When using Webfinger discovery, the current spec seems to assume only one provider type. If I am Alice and I am setting up SSO and provisioning, these most likely will be two different providers. For instance, Ping for the IdP and SailPoint for the SCIM client. Since there is only one FastFed "rel" tag unique namespace, discovery will return "hrefs" to two unrelated FastFed metadata endpoints. At that point, the application might ask Alice for the "href" that she wants to use (even though at this time, she knows she wants to use FastFed to set up a SailPoint). If she wants to use Ping as the IdP but SailPoint ALSO has an IdP and she chooses the "href" that points to SailPoint, her current Ping IdP could be overwritten by SailPoint's IdP. She will be asked to consent, which is some protection, but is this how you see it all working?
Should there maybe be a "/scim" added to the rel tag for the provisioning endpoints?
Thanks,
Brian
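To make the ambiguity concrete, here is an added example (not code from the original post, the FastFed working group, or any of the products named above). It builds a constructed WebFinger JRD in which two unrelated providers have both registered a link under the same FastFed rel, and shows that a client selecting by rel alone gets two candidates and cannot pick one safely; a second constructed JRD uses hypothetical capability-scoped rels (the plain rel with "/idp" and "/scim" appended, as floated in the question) to show the same selection logic becoming unambiguous. The rel value, hostnames and paths are assumptions for illustration, not taken from the spec or from any deployment.

```python
import json
from urllib.parse import urlencode

# ASSUMPTION: FastFed link relation as used in WebFinger discovery. Check the
# FastFed Core spec before relying on this exact string.
FASTFED_REL = "http://openid.net/specs/fastfed/1.0/provider"

# Constructed JRD: the tenant's WebFinger server advertises two FastFed
# providers (an IdP and a separate SCIM client) under the identical rel.
# Hostnames and paths are made up for this example.
SAMPLE_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": FASTFED_REL, "href": "https://idp.example.net/fastfed/metadata"},
        {"rel": FASTFED_REL, "href": "https://scim.example.org/fastfed/metadata"},
        {"rel": "http://openid.net/specs/connect/1.0/issuer",
         "href": "https://idp.example.net"},
    ],
})

# Constructed JRD with HYPOTHETICAL capability-scoped rels. These suffixed
# rels are not defined by any spec; they only illustrate the proposal.
SCOPED_JRD = json.dumps({
    "subject": "acct:alice@example.com",
    "links": [
        {"rel": FASTFED_REL + "/idp",
         "href": "https://idp.example.net/fastfed/metadata"},
        {"rel": FASTFED_REL + "/scim",
         "href": "https://scim.example.org/fastfed/metadata"},
    ],
})


def webfinger_url(host, resource, rel):
    """Build the RFC 7033 query a client would send; 'rel' filters server-side,
    but the server may still return several links carrying that rel."""
    query = urlencode({"resource": resource, "rel": rel})
    return f"https://{host}/.well-known/webfinger?{query}"


def fastfed_hrefs(jrd_text, rel=FASTFED_REL):
    """Return every href whose link carries exactly `rel`, in document order.
    Malformed entries (non-object links, missing href) are skipped, not trusted."""
    doc = json.loads(jrd_text)
    links = doc.get("links", [])
    if not isinstance(links, list):
        return []
    return [
        link["href"]
        for link in links
        if isinstance(link, dict)
        and link.get("rel") == rel
        and isinstance(link.get("href"), str)
    ]


def select_provider(jrd_text, rel=FASTFED_REL):
    """Return the single metadata href for `rel`, or None when there is no
    match or more than one. A client that silently took hrefs[0] here is the
    failure mode in the question: it might configure the wrong provider."""
    hrefs = fastfed_hrefs(jrd_text, rel)
    return hrefs[0] if len(hrefs) == 1 else None


if __name__ == "__main__":
    print(webfinger_url("example.com", "acct:alice@example.com", FASTFED_REL))
    print("unscoped candidates:", fastfed_hrefs(SAMPLE_JRD))
    print("unscoped selection :", select_provider(SAMPLE_JRD))
    print("scoped SCIM select :", select_provider(SCOPED_JRD, FASTFED_REL + "/scim"))
    print("scoped IdP select  :", select_provider(SCOPED_JRD, FASTFED_REL + "/idp"))
```

With the shared rel, `select_provider` refuses to choose and the application is left asking Alice which href she meant; with the hypothetical scoped rels, asking for the "/scim" relation yields exactly one href and the IdP entry is never a candidate for overwrite.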