<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=us-ascii">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Calibri Light";
panose-1:2 15 3 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
h2
{mso-style-priority:9;
mso-style-link:"Heading 2 Char";
margin-top:2.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:105%;
page-break-after:avoid;
font-size:13.0pt;
font-family:"Calibri Light",sans-serif;
color:#2F5496;
font-weight:normal;}
h3
{mso-style-priority:9;
mso-style-link:"Heading 3 Char";
margin-top:2.0pt;
margin-right:0in;
margin-bottom:0in;
margin-left:0in;
margin-bottom:.0001pt;
line-height:105%;
page-break-after:avoid;
font-size:12.0pt;
font-family:"Calibri Light",sans-serif;
color:#1F3763;
font-weight:normal;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:#0563C1;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:#954F72;
text-decoration:underline;}
p.MsoListParagraph, li.MsoListParagraph, div.MsoListParagraph
{mso-style-priority:34;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpFirst, li.MsoListParagraphCxSpFirst, div.MsoListParagraphCxSpFirst
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpMiddle, li.MsoListParagraphCxSpMiddle, div.MsoListParagraphCxSpMiddle
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:0in;
margin-left:.5in;
margin-bottom:.0001pt;
mso-add-space:auto;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
p.MsoListParagraphCxSpLast, li.MsoListParagraphCxSpLast, div.MsoListParagraphCxSpLast
{mso-style-priority:34;
mso-style-type:export-only;
margin-top:0in;
margin-right:0in;
margin-bottom:8.0pt;
margin-left:.5in;
mso-add-space:auto;
line-height:105%;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.Heading2Char
{mso-style-name:"Heading 2 Char";
mso-style-priority:9;
mso-style-link:"Heading 2";
font-family:"Calibri Light",sans-serif;
color:#2F5496;}
span.Heading3Char
{mso-style-name:"Heading 3 Char";
mso-style-priority:9;
mso-style-link:"Heading 3";
font-family:"Calibri Light",sans-serif;
color:#1F3763;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle21
{mso-style-type:personal;
font-family:"Calibri",sans-serif;
color:windowtext;}
span.EmailStyle22
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:569197192;
mso-list-type:hybrid;
mso-list-template-ids:416548318 1336974116 67698691 67698693 67698689 67698691 67698693 67698689 67698691 67698693;}
@list l0:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;
mso-fareast-font-family:Calibri;
mso-bidi-font-family:"Times New Roman";}
@list l0:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level3
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level5
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level6
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l0:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Symbol;}
@list l0:level8
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:"Courier New";}
@list l0:level9
{mso-level-number-format:bullet;
mso-level-text:\F0A7;
mso-level-tab-stop:none;
mso-level-number-position:left;
text-indent:-.25in;
font-family:Wingdings;}
@list l1
{mso-list-id:602568704;
mso-list-template-ids:-889313404;}
@list l1:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level2
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l1:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2
{mso-list-id:810680381;
mso-list-template-ids:-1315158568;}
@list l2:level1
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level2
{mso-level-number-format:bullet;
mso-level-text:o;
mso-level-tab-stop:1.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:"Courier New";
mso-bidi-font-family:"Times New Roman";}
@list l2:level3
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:1.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level4
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level5
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:2.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level6
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level7
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:3.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level8
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.0in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
@list l2:level9
{mso-level-number-format:bullet;
mso-level-text:\F0B7;
mso-level-tab-stop:4.5in;
mso-level-number-position:left;
text-indent:-.25in;
mso-ansi-font-size:10.0pt;
font-family:Symbol;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1027" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="#0563C1" vlink="#954F72">
<div class="WordSection1">
<p class="MsoNormal">Slides from my IIW discussion are available here. Notes will come out in the proceedings.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><a href="https://domsch.com/IIW28/FastFed-Governance-IIW28.pdf" target="_blank">https://domsch.com/IIW28/FastFed-Governance-IIW28.pdf</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Matt Domsch</span></b><span style="font-family:"Arial",sans-serif"><br>
</span><i><span style="font-size:9.0pt;font-family:"Arial",sans-serif">VP, Lead Corporate Architect</span></i><span style="font-size:9.0pt;font-family:"Arial",sans-serif"><br>
<span style="color:#00B5E2"><a href="mailto:matt.domsch@sailpoint.com"><span style="color:#00B5E2">matt.domsch@sailpoint.com</span></a><o:p></o:p></span></span></p>
<p class="MsoNormal"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:black">mobile: 512-981-6486</span><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#00B5E2">
</span><span style="font-family:"Arial",sans-serif"><br>
</span><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#00B5E2"><a href="http://www.sailpoint.com/"><span style="color:#00B5E2">www.sailpoint.com</span></a></span></b><o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Matt Domsch <br>
<b>Sent:</b> Monday, April 22, 2019 3:54 PM<br>
<b>To:</b> openid-specs-fastfed@lists.openid.net<br>
<b>Subject:</b> New member, IDP & Governance thoughts<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Greetings. I’m a new member of the FastFed WG, though I’ve been following along for several weeks and have been very pleased with both the concept and specifications the team has developed. I look forward to meeting people at IIW and/or
Identiverse in the coming weeks, and participating in the WG.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">In thinking about user provisioning, deprovisioning, updating, and permission assignment, I believe there is an opportunity to include identity governance concepts within FastFed more fully.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">FastFed expects that governance is done by the Identity Provider. Governance includes:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3">
Provisioning and de-provisioning accounts from IDPs into Applications<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3">
Informing Applications when user attributes change in the IDP<o:p></o:p></li><li class="MsoListParagraphCxSpLast" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3">
Assigning permissions within the Application based on IDP-known information<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">The challenge is that many traditional Identity Providers do not provide these functions today, or do so sub-optimally. An IDP may know the groups to which someone is a member, but it knows nothing about:<o:p></o:p></p>
<ul style="margin-top:0in" type="disc">
<li class="MsoListParagraphCxSpFirst" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3">
Which users within an IDP should have an account in the Application?<o:p></o:p></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level2 lfo3">
Not every employee, temporary employee, contractor, or service account should have an account in every Application.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level2 lfo3">
This is traditionally handled by assigning group membership, and communicating that group membership to the Application somehow, e.g. a SAML attribute of “application_X_user_allowed”, used for just-in-time account provisioning at the application.<o:p></o:p></li></ul>
<li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3">
Which permissions within the target service should an individual account be granted?<o:p></o:p></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level2 lfo3">
Every application defines their own role and permission structure. Within an IDP, these are often modeled as groups. You wind up with an explosion of IDP groups if you try to manage all the user permissions as merely group membership.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level2 lfo3">
Inherited permissions require well-defined, nested groups, and don’t easily allow for exceptions.<o:p></o:p></li></ul>
<li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3">
Does an individual require approval, by a manager or the application administrator, for requests to use the application?<o:p></o:p></li><ul style="margin-top:0in" type="circle">
<li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level2 lfo3">
Few IDPs have their own service desk with request and approval workflows.<o:p></o:p></li><li class="MsoListParagraphCxSpMiddle" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level2 lfo3">
Requests for updated permissions (e.g. moving from a read-only to a read/write permission) may require review and approval.<o:p></o:p></li></ul>
<li class="MsoListParagraphCxSpLast" style="margin-left:0in;mso-add-space:auto;mso-list:l0 level1 lfo3">
FastFed Scenario #3, wherein a user may need access to applications before employment begins and their corporate IDP account is active, or after they leave employment and their IDP account is deactivated, is difficult to accomplish solely from an IDPs perspective.<o:p></o:p></li></ul>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Furthermore, when IDPs do project permissions, via group memberships, via SAML attributes or OIDC claims, the previous set of permissions remain valid for the lifetime of the claim token, and may require a user to log out and back in again
to obtain a new access token (unless the IDP can force a token refresh asynchronous to the token lifetime). This also requires a 1:1 mapping of SAML attributes or OIDC claims to application permissions, and ongoing coordination between the two configurations
as Application permission models are enhanced.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">End-user administrators also want to establish governance when initially onboarding a new application, whenever possible, so as to have less to clean up after the ungoverned application has been in use for a while.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">An Identity Governance service would be in the perfect position to address these scenarios, and to perform the actions necessary to configure the Application for each user’s specific policy-defined access.<o:p></o:p></p>
<p class="MsoNormal">By splitting the FastFed concept of Identity Provider into two parts, the Identity Provider and the Governance Provider, we can allow a richer governance experience in the application, backed by well-defined corporate policy, and with no
loss of functionality. Identity Providers that also serve as the Governance Provider can continue to operate as a single system without change. Splitting the concepts just allows for two separate products to be used for the Identity Provider and Governance
Provider functions. Any data synchronization needed between the Identity Provider and Governance Provider can be orchestrated by them pairwise, as is already common, using SCIM or the IDPs native API.<o:p></o:p></p>
<p class="MsoNormal">For purposes of governing the Application, including provisioning and deprovisioning of accounts, and updating account entitlements, the Governance Provider would be a registered OIDC client in the Identity Provider, with its own client
credentials, able to make IDP-authenticated SCIM calls to the Application Provider, close in time as each user’s attributes change.
<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Thoughts?<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><!--[if gte vml 1]><o:wrapblock><v:shapetype id="_x0000_t75" coordsize="21600,21600" o:spt="75" o:preferrelative="t" path="m@4@5l@4@11@9@11@9@5xe" filled="f" stroked="f">
<v:stroke joinstyle="miter" />
<v:formulas>
<v:f eqn="if lineDrawn pixelLineWidth 0" />
<v:f eqn="sum @0 1 0" />
<v:f eqn="sum 0 0 @1" />
<v:f eqn="prod @2 1 2" />
<v:f eqn="prod @3 21600 pixelWidth" />
<v:f eqn="prod @3 21600 pixelHeight" />
<v:f eqn="sum @0 0 1" />
<v:f eqn="prod @6 1 2" />
<v:f eqn="prod @7 21600 pixelWidth" />
<v:f eqn="sum @8 21600 0" />
<v:f eqn="prod @7 21600 pixelHeight" />
<v:f eqn="sum @10 21600 0" />
</v:formulas>
<v:path o:extrusionok="f" gradientshapeok="t" o:connecttype="rect" />
<o:lock v:ext="edit" aspectratio="t" />
</v:shapetype><v:shape id="_x0000_s1026" type="#_x0000_t75" style='position:absolute;margin-left:-6pt;margin-top:-304.95pt;width:500.4pt;height:304.8pt;z-index:251658240;visibility:visible;mso-width-percent:0;mso-height-percent:0;mso-wrap-distance-left:9pt;mso-wrap-distance-top:0;mso-wrap-distance-right:9pt;mso-wrap-distance-bottom:0;mso-position-horizontal:absolute;mso-position-horizontal-relative:text;mso-position-vertical:absolute;mso-position-vertical-relative:text;mso-width-percent:0;mso-height-percent:0;mso-width-relative:page;mso-height-relative:page'>
<v:imagedata src="cid:image002.emz@01D5011C.D83B3A90" o:title="" />
<w:wrap type="topAndBottom"/>
</v:shape><![endif]--><![if !vml]><span style="mso-ignore:vglayout;position:relative;z-index:251658240;left:-1px;top:0px;width:1334px;height:813px"><img width="667" height="407" style="width:6.9479in;height:4.2343in" src="cid:image004.png@01D5011C.D83B3A90" v:shapes="_x0000_s1026"></span><![endif]><!--[if gte vml 1]></o:wrapblock><![endif]--><br style="mso-ignore:vglayout" clear="ALL">
Thanks,<br>
Matt<o:p></o:p></p>
<p class="MsoNormal"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Matt Domsch</span></b><span style="font-family:"Arial",sans-serif"><br>
</span><i><span style="font-size:9.0pt;font-family:"Arial",sans-serif">VP, Lead Corporate Architect</span></i><span style="font-size:9.0pt;font-family:"Arial",sans-serif"><br>
</span><a href="https://www.sailpoint.com/"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:blue;text-decoration:none"><img border="0" width="170" height="41" style="width:1.7708in;height:.427in" id="_x0000_i1025" src="file:///C:/Users/matt.domsch/AppData/Roaming/Microsoft/Signatures/170x41-Images-Get-N9791-s4.png"></span></a><span style="font-size:9.0pt;font-family:"Arial",sans-serif"><br>
<span style="color:#00B5E2"><a href="mailto:matt.domsch@sailpoint.com"><span style="color:#00B5E2">matt.domsch@sailpoint.com</span></a><br>
</span><span style="color:black">mobile: 512-981-6486</span><span style="color:#00B5E2">
</span><br>
<span style="color:#00B5E2"><a href="https://www.sailpoint.com/company/careers/"><span style="color:#00B5E2">Join the #SailPointCrew</span></a></span></span><br>
<a href="https://www.sailpoint.com/"><span style="color:blue;text-decoration:none"><img border="0" width="500" height="120" style="width:5.2083in;height:1.25in" id="_x0000_i1026" src="file:///C:/Users/matt.domsch/AppData/Roaming/Microsoft/Signatures/500x120-Images-Get-N9791-s3.png" alt="The Power of Identity - SailPoint Email Signature"></span></a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</body>
</html>