<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Verdana;
panose-1:2 11 6 4 3 5 4 4 2 4;}
@font-face
{font-family:"Segoe UI";
panose-1:2 11 6 4 2 2 2 2 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.msonormal0, li.msonormal0, div.msonormal0
{mso-style-name:msonormal;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple">
<div class="WordSection1">
<p class="MsoNormal">(Forwarding on behalf of Wes while awaiting permissions to the mailing list.)<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span style="font-size:12.0pt;color:black">From: </span></b><span style="font-size:12.0pt;color:black">Wesley Dunnington <wesleydunnington@pingidentity.com><br>
<b>Date: </b>Friday, October 18, 2019 at 1:29 PM<br>
<b>To: </b>Brian Rose <brian.rose@sailpoint.com><br>
<b>Cc: </b>"McAdams, Darin" <darinm@amazon.com>, Openid-specs-fastfed <openid-specs-fastfed@lists.openid.net><br>
<b>Subject: </b>Re: [Openid-specs-fastfed] Question about 7.2.4 (Handshake Finalization)<o:p></o:p></span></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"> As was mentioned, the JWT that the identity provider sent to the application provider for the registration request in 7.2.3.1 contains the IDP domain and the tenant ID of the application provider. The most straightforward option would
be to re-send the initial JWT to the finalization endpoint. Alternatively the IDP could generate a cut-down JWT with just the IDP domain and the tenant id.<o:p></o:p></p>
</div>
<div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">With regards to returning failure to the finalize URL, I had been of the opinion that since by that point the entire configuration had been agreed on by the IDP and Application provider, that the onus would be on the IDP to fix things and
roll forward if it had a problem, calling /finalize when it was able to do so. If the IDP returned failure at this point it would seem to me to indicate some sort of serious internal failure. If so I would imagine the logical course would be to declare the
entire federation in error and restart the entire handshake over.<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Wes Dunnington<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Wes Dunnington<o:p></o:p></p>
</div>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">On Fri, Oct 18, 2019 at 2:05 PM Brian Rose via Openid-specs-fastfed <<a href="mailto:openid-specs-fastfed@lists.openid.net">openid-specs-fastfed@lists.openid.net</a>> wrote:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Yes, that would be great. Would there be any other information returned in the payload? Or is it going to be just enough for the AP finalize call to know the issuer and tenant?
At an absolute minimum, “iss” and “sub” are what I would need. <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Also, related to the payload, section 7.2.4 states “<span style="font-size:10.0pt;font-family:"Verdana",sans-serif;color:black">the Identity Provider MUST invoke this endpoint after
<b>successfully</b> processing…”. Should </span>the finalize endpoint ALWAYS get called, even if there is an error somewhere in the handshake? If so, it might be nice for it to have some error information so the AP knows that the IdP will no longer be attempting.
Or, after 48 hours (or whatever the retry span is), that it was ultimately unsuccessful and what the corresponding error was.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:10.0pt;font-family:"Arial",sans-serif">Brian Rose</span></b><span style="font-family:"Arial",sans-serif"><br>
</span><i><span style="font-size:9.0pt;font-family:"Arial",sans-serif">Staff Software Engineer</span></i><span style="font-size:9.0pt;font-family:"Arial",sans-serif"><br>
</span><a href="mailto:brian.rose@sailpoint.com" target="_blank"><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#00B5E2;text-decoration:none">brian.rose@sailpoint.com</span></a><span style="font-size:9.0pt;font-family:"Arial",sans-serif;color:#00B5E2">
</span><span style="font-family:"Arial",sans-serif"><br>
</span><a href="http://www.sailpoint.com" target="_blank"><b><span style="font-size:8.0pt;font-family:"Arial",sans-serif;color:#00B5E2;text-decoration:none">www.sailpoint.com</span></b></a><o:p></o:p></p>
</div>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b> McAdams, Darin <<a href="mailto:darinm@amazon.com" target="_blank">darinm@amazon.com</a>>
<br>
<b>Sent:</b> Wednesday, October 16, 2019 6:19 PM<br>
<b>To:</b> Brian Rose <<a href="mailto:brian.rose@sailpoint.com" target="_blank">brian.rose@sailpoint.com</a>>;
<a href="mailto:openid-specs-fastfed@lists.openid.net" target="_blank">openid-specs-fastfed@lists.openid.net</a><br>
<b>Subject:</b> Re: [Openid-specs-fastfed] Question about 7.2.4 (Handshake Finalization)<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Good catch. Would it help if a signed JWT came along in this request as well?<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div style="border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b><span style="font-size:12.0pt;color:black">From:
</span></b><span style="font-size:12.0pt;color:black">Openid-specs-fastfed <</span><a href="mailto:openid-specs-fastfed-bounces@lists.openid.net" target="_blank"><span style="font-size:12.0pt">openid-specs-fastfed-bounces@lists.openid.net</span></a><span style="font-size:12.0pt;color:black">>
on behalf of Openid-specs-fastfed <</span><a href="mailto:openid-specs-fastfed@lists.openid.net" target="_blank"><span style="font-size:12.0pt">openid-specs-fastfed@lists.openid.net</span></a><span style="font-size:12.0pt;color:black">><br>
<b>Reply-To: </b>Brian Rose <</span><a href="mailto:brian.rose@sailpoint.com" target="_blank"><span style="font-size:12.0pt">brian.rose@sailpoint.com</span></a><span style="font-size:12.0pt;color:black">><br>
<b>Date: </b>Thursday, October 10, 2019 at 11:12 AM<br>
<b>To: </b>Openid-specs-fastfed <</span><a href="mailto:openid-specs-fastfed@lists.openid.net" target="_blank"><span style="font-size:12.0pt">openid-specs-fastfed@lists.openid.net</span></a><span style="font-size:12.0pt;color:black">><br>
<b>Subject: </b>[Openid-specs-fastfed] Question about 7.2.4 (Handshake Finalization)</span><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hey all,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">In my current POC implementation, I am attempting to set a flag to indicate that the full round trip has been completed in the finalization step. How does the Application Provider
know the provider domain and the tenant id so that it can verify that it has been previously whitelisted and update any associated data that the Application Provider might want to log? During the registration, the JWT contains all of the necessary information
to do the look up. Also, as a result, is that this endpoint is wide open.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thanks!<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Brian Rose<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">SailPoint<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-fastfed mailing list<br>
<a href="mailto:Openid-specs-fastfed@lists.openid.net" target="_blank">Openid-specs-fastfed@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-fastfed" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-fastfed</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<div>
<div>
<div>
<div>
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" style="border-collapse:collapse">
<tbody>
<tr>
<td width="113" style="width:84.75pt;padding:0in 0in 0in 0in">
<p class="MsoNormal"><a href="https://www.pingidentity.com/" target="_blank"><span style="color:windowtext;text-decoration:none"><span style="color:blue;border:solid windowtext 1.0pt;padding:0in"><img border="0" id="_x0000_i1032" src="cid:~WRD000.jpg" alt="Image removed by sender. Ping Identity"></span></span></a><o:p></o:p></p>
</td>
<td style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellpadding="0">
<tbody>
<tr>
<td valign="top" style="padding:.75pt .75pt .75pt .75pt">
<p class="MsoNormal"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#E61D3C">Wesley Dunnington</span></b>
<br>
<span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:black">Field CTO East Region</span>
<br>
508-254-5475<br>
<span style="font-size:10.5pt;font-family:"Arial",sans-serif"><a href="mailto:wesleydunnington@pingidentity.com" target="_blank">wesleydunnington@pingidentity.com</a></span>
<br>
<br>
<br>
<o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
<tr>
<td colspan="2" style="padding:0in 0in 0in 0in">
<table class="MsoNormalTable" border="0" cellspacing="0" cellpadding="0" width="100%" style="width:100.0%;border-collapse:collapse">
<tbody>
<tr style="height:30.0pt">
<td style="padding:.75pt .75pt .75pt .75pt;height:30.0pt">
<p class="MsoNormal" style="margin-top:6.0pt"><b><span style="font-size:10.5pt;font-family:"Arial",sans-serif;color:#40474B">Connect with us:
<o:p></o:p></span></b></p>
</td>
<td style="padding:3.0pt 0in 0in 15.0pt;height:30.0pt">
<p class="MsoNormal" style="margin-top:6.0pt"><a href="https://www.glassdoor.com/Overview/Working-at-Ping-Identity-EI_IE380907.11,24.htm" title=""Ping on Glassdoor" t "><span style="color:windowtext;text-decoration:none"><span style="color:blue;border:solid windowtext 1.0pt;padding:0in"><img border="0" id="_x0000_i1031" src="cid:~WRD000.jpg" alt="Image removed by sender. Glassdoor logo"></span></span></a><a href="https://www.linkedin.com/company/21870" title=""Ping on LinkedIn" t "><span style="color:windowtext;text-decoration:none"><span style="color:blue;border:solid windowtext 1.0pt;padding:0in"><img border="0" id="_x0000_i1030" src="cid:~WRD000.jpg" alt="Image removed by sender. LinkedIn logo"></span></span></a><a href="https://twitter.com/pingidentity" title=""Ping on Twitter" t "><span style="color:windowtext;text-decoration:none"><span style="color:blue;border:solid windowtext 1.0pt;padding:0in"><img border="0" id="_x0000_i1029" src="cid:~WRD000.jpg" alt="Image removed by sender. twitter logo"></span></span></a><a href="https://www.facebook.com/pingidentitypage" title=""Ping on Facebook" t "><span style="color:windowtext;text-decoration:none"><span style="color:blue;border:solid windowtext 1.0pt;padding:0in"><img border="0" id="_x0000_i1028" src="cid:~WRD000.jpg" alt="Image removed by sender. facebook logo"></span></span></a><a href="https://www.youtube.com/user/PingIdentityTV" title=""Ping on Youtube" t "><span style="color:windowtext;text-decoration:none"><span style="color:blue;border:solid windowtext 1.0pt;padding:0in"><img border="0" id="_x0000_i1027" src="cid:~WRD000.jpg" alt="Image removed by sender. youtube logo"></span></span></a><a href="https://www.pingidentity.com/en/blog.html" title=""Ping Blog" t "><span style="color:windowtext;text-decoration:none"><span style="color:blue;border:solid windowtext 1.0pt;padding:0in"><img border="0" id="_x0000_i1026" src="cid:~WRD000.jpg" alt="Image removed by sender. Blog logo"></span></span></a><o:p></o:p></p>
</td>
</tr>
</tbody>
</table>
</td>
</tr>
</tbody>
</table>
<p class="MsoNormal"><a href="https://www.pingidentity.com/en/events/d/identify-2019.html" target="_blank"><span style="color:windowtext;text-decoration:none"><span style="color:blue;border:solid windowtext 1.0pt;padding:0in"><img border="0" id="_x0000_i1025" src="cid:~WRD000.jpg" alt="Image removed by sender."></span></span></a><o:p></o:p></p>
</div>
</div>
</div>
</div>
<p class="MsoNormal"><br>
<b><i><span style="font-size:10.0pt;font-family:"Segoe UI";color:#555555;border:none windowtext 1.0pt;padding:0in">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review,
use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</span></i></b>
<o:p></o:p></p>
</div>
</body>
</html>