[Openid-specs-ipsie] 2024-11-12 Meeting Minutes
Aaron Parecki
aaron.parecki at okta.com
Wed Nov 13 00:12:17 UTC 2024
Below are the notes from today's working group meeting. I've also posted
the meeting minutes to GitHub:
https://github.com/openid/ipsie/wiki/2024%E2%80%9011%E2%80%9012
Action items:
* Everyone: What outcomes are important to you and your organization or
customers? Use Slack or GitHub (https://github.com/openid/ipsie/issues/2)
or bring notes to discuss during the next meeting
* Karl volunteered to start brainstorming a framework for levels
* Dean volunteered to suggest topics for focused "special topics" WG
meetings
---
## Attendees
* Aaron Parecki (Okta)
* Jon Bartlett (Zscaler)
* Sean Miller (RSA)
* Kenn Chong (RSA)
* Abhinav Lele (Shopify)
* Tom Clancy (MITRE)
* Dean H. Saxe (Beyond Identity)
* Karl McGuinness (self)
* Dros Adamson (Cisco)
* Fletcher Heisler (Authentik Security)
* George Fletcher (Capital One)
* Mike Jones (Self-Issued Consulting)
* Mike Kiser (SailPoint)
* Wesley Dunnington (Ping Identity)
* Filip Skokan (Okta)
* Erik Gomez (JGSW)
* Travis Tripp (Hewlett-Packard Enterprise)
* Neeraj Jangid (Workday)
* Mark Maguire (Aujas Cybersecurity)
## Agenda
- Welcome and antitrust policy reminder
- WG chair selection
- Overview of IPSIE charter
- Defining milestones
- Special topics
- Review iGov Profile for OpenID Connect
https://openid.net/specs/openid-igov-openid-connect-1_0.html
https://bitbucket.org/openid/igov/src/master/
- Schedule of upcoming meetings
## Minutes
* Chair selection: working group voted to add Dean H. Saxe as a co-chair.
The Working Group Chairs are now Aaron Parecki and Dean H. Saxe
* Request a Slack invite to OIDF Slack from Mike Leszcz <mike.leszcz at oidf.org>
* Review of IPSIE Charter: https://openid.net/wg/ipsie/ipsie-charter/
* Should SAML be included in scope?
* At least harmonizing authentication contexts between OIDC and
SAML? https://github.com/pamelatech/ACRminprofile
* Configuration changes to existing SAML deployments are easier
compared to adopting a whole new profile of SAML
* Lack of PQCS for SAML, likely no post-quantum work should be
expected since the SAML WG has shut down
* Switching to OIDC for SaaS providers can be a heavy lift
* Possible compromise with adding to SAML and OIDC ~ base
functionality level in SAML, Advanced
* Discussion of IPSIE levels in OIDC and others
* Karl McGuinness volunteered to create a framework of levels
* FastFed shared goals? (There was a lack of interest in FastFed from Cloud
providers)
* Start with use cases ~ MFA is popular
* Use cases: (1) MFA, (2) AAL2 authentication of an IAL2 user (3)
global logout
* Concrete milestones to keep in mind
* We would like to get to a point where there is an IPSIE certification
suite
* Interoperability Events are a useful mechanism
* Deep dive on use cases, creating separate special topic meetings or sub
groups (task force) that report back to the main group
* iGov review:
* Use iGov OIDC profile as a template for IPSIE (some changes will be
needed for IPSIE)
* An opportunity to create cross spec interoperability across profiles
/ protocols
* A simple Actor diagram defining the context that IPSIE is looking to
address could also be helpful
* Maybe a specific OpenID pov: If we can have a common way for a client
to understand the mfa specific nuances that are split between different
things like amr acr aal (authentication methods reference, authentication
class reference, authenticator assurance level)
* And same thing for other issues between standard
* Karl - focus on the top level frame and taxonomy before diving into the
specific profiles
* Consider separating the technical profile of the protocol from the
semantic profile for claim values. Much of the cross-protocol functionality
will be captured within the semantic profile. Ex: amrs, sub, scopes, etc
* Volunteers and interest in special topics? Shared Signals, SCIM, OAuth,
FAPI, OIDC
* Enterprise developer audience, what are the outcomes and capabilities,
mapping security controls to levels ~ survey on outcomes from the group
* Homework: What outcomes are important to you and your organization or
customers? Use Slack or GitHub, or discuss at the next meeting
https://github.com/openid/ipsie
Brainstorming outcomes for IPSIE
https://github.com/openid/ipsie/issues/2
Meeting schedule modified for upcoming holidays: no calls on Dec 24 or 31
Aaron Parecki
Director of Identity Standards
aaron.parecki at okta.com