<div dir="ltr">Good point. With large application providers there could be multiple in-flight FastFed transactions. As you said, the JWT that the identity provider sends to the application provider for the registration request in 7.2.3.1 contains the IDP domain and the tenant ID of the application provider. So the most straightforward option would be to re-send the initial JWT to the finalization endpoint. Alternatively, the IDP could generate a cut-down JWT with just the IDP domain and the tenant ID.<div><br></div><div>Wes Dunnington</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Oct 10, 2019 at 2:12 PM Brian Rose via Openid-specs-fastfed &lt;<a href="mailto:openid-specs-fastfed@lists.openid.net">openid-specs-fastfed@lists.openid.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">





<div lang="EN-US">
<div class="gmail-m_-2092222241533944815WordSection1">
<p class="MsoNormal">Hey all,</p>
<p class="MsoNormal">In my current POC implementation, I am attempting to set a flag to indicate that the full round trip has been completed in the finalization step. How does the Application Provider know the provider domain and the tenant ID so that it can verify that it has been previously whitelisted and update any associated data that the Application Provider might want to log? During the registration, the JWT contains all of the necessary information to do the lookup. Also, as a result, this endpoint is wide open.</p>
<p class="MsoNormal">Thanks!</p>
<p class="MsoNormal">Brian Rose</p>
<p class="MsoNormal">SailPoint</p>
</div>
</div>

</blockquote></div><br clear="all"><div><br></div>-- <br><div dir="ltr" class="gmail_signature">Wesley Dunnington<br>Field CTO East Region<br>Ping Identity</div>

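<p>Added example, not part of the original thread or of the FastFed specification: a sketch of the second option in the reply above, where the Application Provider's finalization endpoint accepts a cut-down signed token naming the IDP domain and tenant ID and matches it to an in-flight handshake. The claim names <code>idp_domain</code> and <code>tenant_id</code>, the <code>pending</code> store, the status codes and the HMAC key (standing in for verification of the IDP's signature with its published key) are assumptions.</p>

```python
import base64, hashlib, hmac, json, time

# Constructed demo key: HMAC stands in for verifying the IdP's real signature.
DEMO_KEY = b"constructed-demo-key"

# In-flight handshakes recorded at registration, keyed by (IdP domain, tenant ID).
# Hypothetical store with one constructed entry.
pending = {("idp.example.com", "tenant-42"): {"finalized": False}}

def b64u(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_dec(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_token(claims, key=DEMO_KEY):
    """IdP side: cut-down token carrying only what finalization needs."""
    head = b64u(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64u(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64u(sig)}"

def finalize(token, now=None):
    """Application Provider side: returns (http_status, reason)."""
    now = time.time() if now is None else now
    try:
        head, body, sig = token.split(".")
        header = json.loads(b64u_dec(head))
        good = hmac.new(DEMO_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        # Pin the algorithm and compare in constant time before trusting any claim.
        if header.get("alg") != "HS256" or not hmac.compare_digest(good, b64u_dec(sig)):
            return 401, "bad signature"
        claims = json.loads(b64u_dec(body))
        key = (str(claims["idp_domain"]), str(claims["tenant_id"]))
        expires = float(claims["exp"])
    except (ValueError, TypeError, AttributeError, KeyError):
        return 400, "malformed token"
    if expires < now:
        return 401, "expired"
    entry = pending.get(key)
    if entry is None:
        return 404, "no in-flight handshake"  # endpoint is no longer wide open
    if entry["finalized"]:
        return 409, "already finalized"       # a replayed token changes nothing
    entry["finalized"] = True
    return 200, "finalized"
```
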