[Openid-specs-ipsie] IL1 => deprovisioning is 80% of the value
Dick Hardt
dick.hardt at gmail.com
Tue Sep 16 17:27:18 UTC 2025
https://github.com/openid/ipsie/pull/113
On Tue, Sep 16, 2025 at 4:14 PM Dick Hardt <dick.hardt at gmail.com> wrote:
> Quoting both Karl and ChatGPT, 80% of the value in directory sync is
> deprovisioning.
>
> What does everyone think of changing IL1 (or AL1 if we move to account
> lifecycle) to be deprovisioning?
>
> I'm proposing that we describe that the users may have been provisioned
> via JIT or manually, and provisioning is out of scope for IL1.
>
> In IL1, the identity service MUST do account resolution to link the app
> identifiers with the identity service identifiers, and then the app must
> deprovision an account when directed by the identity service.
>
> An app delegating provisioning to the identity service would be included
> in IL2 and would include profile and group membership.
>
> Hopefully we will have some time to discuss today
>
> /Dick
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ipsie/attachments/20250916/84de315f/attachment.htm>
More information about the Openid-specs-ipsie
mailing list