[Openid-specs-ipsie] IL1 => deprovisioning is 80% of the value
Dick Hardt
dick.hardt at gmail.com
Tue Sep 16 15:14:07 UTC 2025
Quoting both Karl and ChatGPT, 80% of the value in directory sync is
deprovisioning.
What does everyone think of changing IL1 (or AL1 if we move to account
lifecycle) to be deprovisioning?
I'm proposing that we describe that the users may have been provisioned via
JIT or manually, and provisioning is out of scope for IL1.
In IL1, the identity service MUST do account resolution to link the app
identifiers with the identity service identifiers, and then the app must
deprovision an account when directed by the identity service.
An app delegating provisioning to the identity service would be included in
IL2 and would include profile and group membership.
Hopefully we will have some time to discuss today
/Dick
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ipsie/attachments/20250916/c55f0371/attachment.htm>
More information about the Openid-specs-ipsie
mailing list