[Openid-specs-ipsie] IPSIE WG Meeting Minutes

Aaron Parecki aaron.parecki at okta.com
Mon Mar 3 21:12:19 UTC 2025 

Hi all, sorry for the delay in posting the minutes from the call last week.
I was busy having some great discussions at the OAuth Security Workshop
with many of you! The full minutes are below, as well as posted on GitHub.

https://github.com/openid/ipsie/wiki

To summarize, we completed reviewing the initial definition of the
levels and ended up with SL1/SL2/SL3 and IL1/IL2/IL3. The JIT concept has
been removed from the provisioning lifecycle track as discussed, so the
Identity Lifecycle levels focus now on create/update/delete of users,
groups and roles. This has now been merged and you can see the current
definition of levels here:
https://github.com/openid/ipsie/blob/main/ipsie-levels.md

The next steps are to start defining how to achieve level SL1 and IL1 with
concrete protocol definitions, as well as decide at which levels we are
aiming to achieve interop for the Gartner event in December. That is likely
deciding between demonstrating interop at just SL1, or whether to try to
define and achieve both SL1 and IL1.

I've also posted some notes about the upcoming call schedule on the GitHub
wiki page. There will be no call on March 18th since that is IETF week.
I'll be out of town the week before and after, so Dean will be chairing
those calls.

Talk to you tomorrow!


---

# IPSIE WG Meeting Minutes
Date: 2025-02-25

## Attendees
- Aaron Parecki (Okta)
- Dean H. Saxe (Beyond Identity)
- Travis Tripp (HPE)
- Hannah Sutor (GitLab)
- Dick Hardt (Hellō)
- Mike Kiser (SailPoint)
- Frederico Valente (Workday)
- Shannon Roddy (self)
- Nagesh Gummadivalli (Workday)
- Russell ALlen (self)
- Gennady Shulman (self)
- Wesley Dunnington (Ping)
- Ameya Hanamsagar (Meta)

## Agenda

- Welcome and antitrust policy reminder
- OpenID Contributor Agreement reminder
https://openid.net/intellectual-property
- Reminder about OpenID Slack
- Review Entitlement Management real-world examples
    - https://github.com/openid/ipsie/issues/51
    - Is there something apps can do to make it easier for the enterprise
customer to manage permissions in the app?
    - Is there enough in common with real-world examples to standardize
this today? Or should we push this out until later?



Notetaker: Dean H. Saxe (Beyond Identity)


## Minutes

- Antitrust policy reminder
- Last week we left off talking about the entitlement management levels
    - Dick sent a PR, Aaron has a PR, both based on feedback last week
        - Dick - if IL1 is JIT, can IL2 be supportable if we're not
supporting JIT
        - so this doesn't align well
        - Dick suggests JIT is not a part of the lifecycle, therefore,
maybe we start with user sync and not JIT
        - Aaron - what clicked was the SSO is the session lifecycle track &
a requirement.  JIT was described as a part of the SSO process.  This is
not an interop issue.  No interop question on JIT provisioning.  Remove
JIT, no changes to SSO.  App behavior if a user is not already created is
undefined - so it's no change from current state.
        - Travis: Omitting it completely could be odd.  JIT is still a part
of the lifecycle, sometimes there are timing issues that use JIT.
Provisioning in the background can take longer than the timeline for a user
to SSO into a system, creating a race condition.  JIT is not managing the
lifecycle - you created an immortal entity.
        - Aaron: makes sense.  One option, make JIT creation an option of
SSO.  This removes it from provisioning.
        - Dick: Another way, this is an alt mechanism for provisioning.
IL1 could be JIT, but JIT is not required.
        - Travis: could create by JIT, but must be managed as part of IL*
        - MikeK: IL1 is create?
        - Aaron: We don't want a system that is only doing preprovisioning
not being compliant with the provisioning track
        - Mark: IL is IGA, JIT is provisioning. Need to manage the
lifecycle,
        - Aaron: Move JIT to SL*, products that don't support provisioning
don't have any concerns with this.
        - Dick: If we don't add JIT, everyone will ask where it is. Create
synchronously or JIT.  JIT is not sufficient for IL1
        - Aaron: moving JIT to SL* solves this?
        - Dick: I don't think of it as part of the session lifecycle
        - Aaron: make a requirement of SSO that a user is JIT created if
the user doesn't exist.
        - Dick: Not the whole lifecycle, only a step in it.  Immortal users
unless you can manage completely
        - Wes: Is the minimum bar immortal creation? Or min bar is
lifecycle management.
        - Dick: Full lifecycle is minimum
        - Travis: JIT with no lifecycle is a security issue. If JIT is in
the session, can we create ephemeral session identities
        - Wes: That's an issue to discuss, ephemeral identity tied to a
session lifetime.
        - Dick: Need language on this. Very app specific
        - Aaron: backing up. Many concerns:
            - Preprovisioning should not be forced to do JIT
            - JIT is needed due to race conditions
            - Is JIT creation a part of IL or SL?
        - MarkM: Correct capture of discussion. Consolidating entitlements
created this issue.
        - Dean: **TODO** File an issue on ephemeral identities.
        - Dean: If we put JIT in SL can we add explanatory text as to why
it fits there even though it's unnatural?
        - Dick: SL2 supports JIT?  Is that needed?
        - Aaron: Yes
        - Dick: Do we need a level that doesn't support JIT?
        - Mark: there are many apps that support preprovisioning but no JIT.
        - Aaron: Maybe the security comment is the way out - requiring JIT
doesn't add to security.  Maybe we're silent on JIT? JIT is a convenience
option.  IPSIE can make no guarantees about JIT.
        - Gennady: All for JIT.  No specs for JIT. If we use this name, it
doesn't define anything
        - Aaron: Means that user created because of SSO event
        - Gennady: Should we call that explanation out?
        - Aaron: In a new app, no users, how do users get created? JIT or
preprovision.
        - Gennady: Or as AWS does, create a role (Dean: is this the
ephemeral idea we discussed earlier?)
        - Dick: No lifecycle here.
        - Gennady: Lifecycle is based on policy, not user.
        - Dean: Can we just provide a note on JIT that it's not part of
IPSIE, but we recognize that it is useful in some contexts.
        - Aaron: Chair hat on, does this work /address concerns?
        - Travis: The app MAY allow for users to provision via JIT/SSO, but
MUST allow for those users to be managed under IL*.
        - Dick: JIT starts at the identity service as a mechanism of
provisioning
        - Aaron: the issue is that the service provides the SSO assertion
to an app with no explicit create user command
        - Travis: Main idea - if a user is JIT provisioned, IL* requires
that the user be fully managed after JIT provision
        - Aaron: Recap
            - 1. ID service decides if the user can login, would not create
assertion if they cannot
            - 2. Once you bring in lifecycle management, any users created
via JIT can be managed via the lifecycle
        - Dean: agree with this, don't need to define JIT, but need to
define that the lifecycle can manage JIT created users
        - MikeK: Agree with Dean/Travis/Aaron's recap
        - Aaron: the security issue is that JITed users can be managed
longterm
        - Nagesh: Can we abstract JIT into lifecycle management?
        - Aaron: ideal state, but not all apps meet this.
        - Dick: clarification - JIT is NOT a requirement for any IL*.
        - Aaron: Yes. We are taking a stance, if JIT happens, IL1 allows us
to take control over the identity.  Dick's PR is in a good state, need to
add context on JIT in the description.
        - Dick will add the text and we can merge.
        - Aaron: this puts us in a good spot on the levels once the PR is
merged
    - Dean: When do we draw a line to say we've made enough progress so we
can start working on normative tet
    - Aaron: Goal to get an interop at Gartner in December.  We need to
choose a level to achieve interop at, this means we need to define the
level with text to develop a draft.
    - Dean: Homework for next week - what do people think is the right cut
line for the interop draft?
    - Aaron: Map protocols for levels or cut line at level 1? Thoughts?
    - Dick: We'll learn a lot about this when we define a given level.
Suggestion: I'll push PR, then we email the list for a discussion.
    - Dean / Dick: Let's go define a set of levels and learn what we don't
know.
    - Dean: Chair hat on - we will start with a mailing list discussion and
suggest starting with SL1/IL1
    - Mark: can we have parallel tracks to define IL2/SL2
    - Dean: Let's not over commit - we focus on Il1/SL1, IL2/SL2 can follow
once drafts for the lower levels are defined
    - Aaron: scheduling for upcoming meetings will be challenging due to
travel, we'll update the WG.  We will start with SL1 and then move on to
IL1 starting with the next call.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ipsie/attachments/20250303/7cabdc67/attachment.htm>

More information about the Openid-specs-ipsie mailing list