<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
</head>
<body bgcolor="white" lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks for the nudge : )<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Below is a summary of the problem statement as far as I understand it. If anyone believes it to be wildly off-course or wants to suggest additional angles to consider, send them along!<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">-Darin<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">-------------------------------------------<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Today, setting up a federation is harder than it should be. Typical instructions are full of Identity terminology that can be off-putting to novice users. Executing the instructions requires an administrator
to open multiple browser windows for both the service and identity providers and copy-and-paste values between the two parties. Being human, mistakes inevitably happen; steps are missed, typos occur. As a result, something that could theoretically be accomplished
in a few minutes ends up taking days, with the administrator experiencing a frustrating sequence of unexpected failures and confusing error messages.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">As a result of the friction, federation is used less often than it could be. Many service providers are seeing very low adoption rates for federation, with the vast majority of users choosing to create yet-another
username/password for the service.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">By making federation easier, we hope three problems can be addressed.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">First, the security implications of passwords are well-understood by the Identity community. By reducing the barriers to federation, it is desired to further reduce the proliferation of passwords and continue
making the Internet more secure.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Second, when enterprise employees create yet-another username/password for SaaS applications used on the job, the shadow IT footprint increases. Enterprises cannot audit activity nor automatically clean up
resources when an employee leaves. By making federation easier to configure (or self-service by non-technical employees?), the shadow IT footprint can be reduced.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Finally, there is pain for IDaaS providers who vend pre-configured catalogues of SaaS applications in order to minimize the federation setup costs. Because of the manual effort and lack of consistency between
SaaS application configurations, each catalog entry can become a bespoke implementation. This increases the cost of implementation for IDaaS providers and slows the addition of new apps into the catalog.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">To address these problems, FastFed seeks to minimize the number of manual steps to set up a federation.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">An easy place to begin is the multi-step process in which administrators copy-and-paste configurations between the service and identity providers. Humans are a lossy, error-prone data bus. Rather than relying
on humans to copy data, it would be preferable to point the two systems at each other and let the computers consume each other’s information. At its simplest, this could take the form of a 3-line metadata file containing the federation protocol (e.g. SAML,
OIDC), a location for the configuration (e.g. SAML Metadata, OIDC Discovery docs), and a location for keys (e.g. SAML certificates). If the relevant parties hosted this information at a URL, an administrator only needs to give one party’s URL to the other
and allow the computers to do the remainder of the work.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Once this communication channel is established, additional opportunities present themselves. While these are less well-defined, the group may also consider the following:<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">* Certificate rotations<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">* SCIM configurations<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">* A catalog to make it easier to discover service and identity providers using plain-language names, rather than URLs.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">* Advertising service capabilities (e.g. what types of resources and actions are provided by the service?). For example, is there an opportunity to help administrators set up federation via an experience that
asks in plain non-technical language: “Here are a bunch of things your users could potentially do... Check boxes for what is allowed.”<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Nothing is free, and this approach will require changes by existing service providers in order to support FastFed. At its simplest, this effort would involve simply hosting another metadata document. In more
complex cases, the service provider may need to simplify their onboarding experience and become more consistent in order to become “FastFed Compliant”. If service providers reap benefits by being more easily discoverable and usable in IdP and IDaaS catalogs,
it will help motivate these investments. New services, of course, should ideally see value in being FastFed compliant on day one.
<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt">The measurement of success for this standard is not whether federation setup becomes free, but whether it becomes
<i>easier</i> than undesirable alternatives such as password authentication. Through the ecosystem of standards and toolkits, the goal is for federation to become the easiest choice.<o:p></o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
<p class="MsoNormal"><span style="font-size:11.0pt"><o:p> </o:p></span></p>
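<p class="MsoNormal"><span style="font-size:11.0pt">The three-field metadata document sketched above, together with the checks a consuming system would want before trusting it, as an added example that is not code from this list or from FastFed; the JSON encoding, the field names, and the rule that both locations must sit on the host that served the document are assumptions for illustration.<o:p></o:p></span></p>

```python
import json
from urllib.parse import urlparse

# Constructed sample of the kind of three-field metadata document the
# message sketches. The field names and JSON encoding are assumptions
# for this example, not the FastFed specification.
SAMPLE_METADATA = json.dumps({
    "federation_protocol": "SAML",
    "configuration_location": "https://sp.example.com/saml/metadata.xml",
    "keys_location": "https://sp.example.com/saml/signing.crt",
})

SUPPORTED_PROTOCOLS = {"SAML", "OIDC"}
REQUIRED_FIELDS = ("federation_protocol", "configuration_location", "keys_location")


def _https_url_on_host(value, expected_host):
    """Accept only an absolute https URL, without embedded credentials,
    on the host that served the metadata document (assumed rule: the
    document should not redirect trust to keys on some other host)."""
    if not isinstance(value, str):
        return False
    parts = urlparse(value)
    if parts.scheme != "https" or not parts.netloc:
        return False
    if parts.username or parts.password:
        return False
    return parts.hostname == expected_host


def validate_metadata(raw_json, served_from_host):
    """Return a list of problems found in the document; an empty list means
    the consuming side may proceed to fetch the configuration and keys."""
    try:
        doc = json.loads(raw_json)
    except ValueError as exc:
        return [f"not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return ["top-level value must be an object"]

    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if f not in doc]
    if problems:
        return problems

    if doc["federation_protocol"] not in SUPPORTED_PROTOCOLS:
        problems.append(f"unsupported protocol: {doc['federation_protocol']!r}")
    for field in ("configuration_location", "keys_location"):
        if not _https_url_on_host(doc[field], served_from_host):
            problems.append(f"{field} must be an https URL on {served_from_host}")
    return problems


if __name__ == "__main__":
    print(validate_metadata(SAMPLE_METADATA, "sp.example.com"))  # []
```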
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">Emily Xu <exu@vmware.com><br>
<b>Date: </b>Wednesday, March 15, 2017 at 3:32 PM<br>
<b>To: </b>"McAdams, Darin" <darinm@amazon.com>, "openid-specs-fastfed@lists.openid.net" <openid-specs-fastfed@lists.openid.net><br>
<b>Subject: </b>Re: [Openid-specs-fastfed] FastFed Meeting Notes, March 2 2017<o:p></o:p></span></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Times New Roman'"><o:p> </o:p></span></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt">Hi Darin,</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">When do you think you can share “an overview of the problem statement and use cases”? Sorry for asking since I could not find it from anywhere else.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Thanks,<br>
Emily</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="color:black">From: </span></b><span style="color:black">Openid-specs-fastfed <openid-specs-fastfed-bounces@lists.openid.net> on behalf of "McAdams, Darin via Openid-specs-fastfed" <openid-specs-fastfed@lists.openid.net><br>
<b>Reply-To: </b>"McAdams, Darin" <darinm@amazon.com><br>
<b>Date: </b>Sunday, March 5, 2017 at 10:23 AM<br>
<b>To: </b>"openid-specs-fastfed@lists.openid.net" <openid-specs-fastfed@lists.openid.net><br>
<b>Subject: </b>[Openid-specs-fastfed] FastFed Meeting Notes, March 2 2017</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><span style="font-family:'Times New Roman'"> </span><o:p></o:p></p>
</div>
<p class="MsoNormal"><span style="font-size:11.0pt">(Apologies if I get anyone’s name wrong. Was copying from the GoToMeeting usernames.)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Meeting opened with general discussion about next steps.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l2 level1 lfo2"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span style="font-size:11.0pt">What problems are we trying to solve?
</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l2 level1 lfo2"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span style="font-size:11.0pt">Knowing which use cases are in/out would be helpful.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l2 level1 lfo2"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span style="font-size:11.0pt">For newcomers, looking for information on the WG but what was found so far was a presentation (from IIW) and some meeting minutes. Are there more documents? (Dick: there aren’t today)</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Dick proposed writing a draft spec in order to drive the discussion forward. Suggested Darin McAdams to draft the first iteration. Asked for concerns; none raised.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">To confirm alignment, before writing the draft, Darin will share an overview of the problem statement and use cases. If there is contention on the direction, an earlier meeting will be scheduled on demand.
If no contention on the use cases, the draft will proceed and be published by April 14 to give time for members to review before next IIW.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">There was preliminary discussion about the scope of the draft.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo4"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span style="font-size:11.0pt">Dick – start with metadata and sign on, getting data from idp to rpm, your basic setup. There will be a need for more advanced things around provisioning and stuff like that, but we shouldn’t let
that complexity block us from solving the SSO portion upfront. Once we get people along the path, we can continue to more things. But, lots of value in getting started down that path.</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l0 level1 lfo4"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span style="font-size:11.0pt">Prateek – Enabling SSO is right and part of it. Let’s definitely get SSO out of the way. Make that a little lighter. Hoping for additional guidance and encouragement on provisioning flows. Not the
details, more of a model, pick choice A or choice B. Not opposed to knocking off SSO; we know that is relatively structured. But, a lot of the story at the next layer is “what is the information model that relates identities at both the endpoints and how that
gets exchanged to the extent it needs to be exchanged.” That’s the part we find quite difficult. What we see happening is that people will pick up a whole bunch of stuff from OIDC, OAuth, a slug of SCIM, shove it all together in an interesting way, and then bring
it to us. Would be awesome if we could point them at a template that would be useful for them.</span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt"> </span><o:p></o:p></p>
<p class="MsoNormal"><span style="font-size:11.0pt">Who will be at IIW?</span><o:p></o:p></p>
<p class="MsoListParagraph" style="text-indent:-.25in;mso-list:l1 level1 lfo6"><![if !supportLists]><span style="font-family:Symbol"><span style="mso-list:Ignore">·<span style="font:7.0pt 'Times New Roman'">
</span></span></span><![endif]><span style="font-size:11.0pt">Emily, Mortrza, Dick, Darin. (Apologies if I missed anyone)
</span><o:p></o:p></p>
</div>
</body>
</html>