[Openid-specs-ipsie] Just In Time Provisioning

Dean H. Saxe dean at thesax.es
Wed Jun 18 16:46:23 UTC 2025


Earlier this year we determined that a JIT provisioning mechanism was out
of scope for IPSIE, but should be allowed for IPSIE-compliant systems to
allow for rapid onboarding of users when asynchronous provisioning systems
are slow.  However, we never captured any information about how these JITed
accounts are later bound to their owner in the identity management
service.  I’ve captured a few questions about JITed identities in issue 88
<https://github.com/openid/ipsie/issues/88>.

Ahead of next week’s IPSIE meeting, can those who are interested in this
topic add feedback to the issue that makes proposals for handling JITed
users?  I’d like to be able to add these details to the side-car doc which
will be applicable across multiple SL* profiles.  Specifically, I’m looking
for additional information on how to do account resolution (see #79
<https://github.com/openid/ipsie/issues/79>), how to manage failures in
account resolution, and whether a reaper process is required to clean up
the unmanaged JIT-provisioned accounts.

My current thinking is that this is non-normative guidance.  However, if
the consensus is that this needs to be a standardized mechanism, I’m happy
to document it in that manner.

Thanks,

-dhs

--

Dean H. Saxe

dean at thesax.es