[Openid-specs-ipsie] 2024-10-08 meeting minutes

[Aaron Parecki]

Thanks everyone for joining the first IPSIE working group meeting today and
for the productive discussion! Meeting minutes are attached.

As discussed on the call, next week's meeting conflicts with a number of
related events, so we decided to cancel it and will meet next on October
22. Thanks!

Aaron Parecki

Director of Identity Standards

aaron.parecki at okta.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ipsie/attachments/20241008/e1436dd8/attachment.html>
-------------- next part --------------
Attendees

- Aaron Parecki (Okta)
- Mike Leszcz (OIDF)
- Dean H Saxe (Beyond Identity)
- Karl McGuinness
- Mike Kiser (Sailpoint)
- Joseph Heenan (Authlete)

Notes

- Mike L introduced the antitrust statement
- Aaron introduced the charter and problem statement
- Dean - should we put together specific enterprise use cases to solve and figure out how to plug the piece together?
- Aaron - agreed, but worried about deep diving too far on use cases
- Karl - what are the outcomes we are trying to define? “enterprise” isn’t detailed enough, but also worried about analysis paralysis
- Aaron - focus on secure by default and interoperability
- Dean - been seeing a lot of WS-Fed even with SaaS
- Karl - I’d advocate to not go down that route because MS IdP does support OIDC
- Karl - enterprise outcome is strong multifactor authentication to all my applications. so if the application is using SAML, how do I ensure that and how do I do step-up in SAML.
- Dean - how do we get to parity between SAML and OIDC so we can communicate the same message about the authentication strength - those are clear good outcomes for enterprises
- Dean - Properties of the authenticators - whether credential can be shared or not shared, phishing resistant
- Karl - is this different from the attributes defined in NIST?
- Dean - NIST hasn't defined a way to communicate the specific properties looking for and what was used. Will present about this at Authenticate next week with Pam.
- Step-up outcomes that Pam has been working on with SAML, maybe can continue that work here
- Karl - how to consistently layer OIDC configurations on top of SAML integrations - to avoid needing to require upgrading SAML to OIDC for SSO
- Aaron - also handling differences with user identifiers between SAML and OIDC
- Dean - we should take a pointed stance on what user identifiers should be to minimize bad outcomes, e.g. avoiding email address as identifiers
- Karl - it's an account linking problem, when a SaaS app goes from self service signup to linked to the enterprise IdP. apps have to implement logic to solve this, so usually fall back to email
- Mike K - how to interweave shared signals and SCIM events
- Karl - the broader goal is keeping things up to date, the menu of options available is too large at the moment
- Dean - timeliness is a challenge
- Dean - how does FedCM play into this? 
- Karl - "how does a user who shows up at a SaaS app log in with their enterprise IdP by default instead of email reg / shadow IT by default"
- Aaron - how do we get more SaaS vendors in the conversations?
- Aaron - next meeting is during Authenticate and Oktane, so next meeting will be Oct 22

## Brainstorming Outcomes

* Secure by default
    * Ensure hardware-backed phishing-resistant MFA is enforced into apps
    * ensure every account has MFA enabled
    * define the interoperability of authenticator attributes
    * Secure configuration of IdP and RP
    * Enable automated credential rotation
    * Step-up authentication - including what that looks like for SAML
    * "how does a user who shows up at a SaaS app log in with their enterprise IdP by default instead of email reg / shadow IT by default"
* Zero trust
    * Continuous authentication
* Zero standing privilege - capability to know that privileges are managed, not unknown and unmanaged
* Minimizing optionality for interoperability goals
* Stretch goal - configuration of these integrations (like FastFed?)