<html><body><div dir="ltr">
IPSIE WG,</div><div dir="ltr"><br></div><div dir="ltr">Last week at IETF122 Aaron spoke about IPSIE at the SCIM WG. Following his presentation, I agreed to bridge work between the two WGs and keep the SCIM WG in the loop regarding IPSIE WG’s work. Please see my note to the SCIM WG below.</div><div dir="ltr"><br></div><div dir="ltr">I want to emphasize that IPSIE WG does not intend to create or update existing specs where there is already a natural home that work is taking place. If IPSIE determines that new features in SCIM are desirable for IPSIE, those features should be proposed and standardized in the SCIM WG. This is similar to how we’re working with AB Connect on the tenancy requirements, except there is no formal agreement in place between the OpenID Foundation and IETF.</div><div dir="ltr"><br></div><div dir="ltr">If there are any questions, please let me know.</div><div dir="ltr"><br></div><div dir="ltr">-dhs</div><div dir="ltr"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">--<br><div dir="ltr">Dean H. Saxe, <a href="https://idpro.org/cidpro/">CIDPRO</a> (he/him)</div><div dir="ltr">Principal Engineer</div><div dir="ltr">Office of the CTO</div><div dir="ltr">Beyond Identity</div><div dir="ltr"><a href="mailto:dean.saxe@beyondidentity.com">dean.saxe@beyondidentity.com</a></div><div><br><div><br></div></div></div></div></div><br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">---------- Forwarded message ---------<br>From: Dean Saxe &lt;<a href="mailto:dean.saxe@beyondidentity.com">dean.saxe@beyondidentity.com</a>&gt;<br>Date: Mar 19, 2025 at 11:42:04 PM<br>Subject: OpenID Foundation IPSIE WG<br>To: SCIM WG &lt;<a href="mailto:scim@ietf.org">scim@ietf.org</a>&gt;</div>
<br><br>
<div><div><div dir="ltr">Hello SCIM WG,<div><br></div><div dir="ltr">Following Aaron Parecki’s presentation on IPSIE yesterday (<a href="https://meetecho-player.ietf.org/playout/?session=IETF122-SCIM-20250319-0830">video</a>, <a href="https://notes.ietf.org/notes-ietf-122-scim">notes</a>), I’d like to follow up on the mailing list with more details about IPSIE and the intersection with the SCIM WG.</div><div dir="ltr"><br></div><div dir="ltr"><b>What is IPSIE? </b></div><div dir="ltr">The Interoperability Profiling for Secure Identity in the Enterprise (IPSIE) Work Group develops interoperability and security profiles of existing specifications that enable secure identity management within the enterprise.</div><div><a href="https://openid.net/wg/ipsie/">https://openid.net/wg/ipsie/</a></div><div><br></div><div dir="ltr"><b>How does IPSIE intersect with SCIM WG?</b></div><div dir="ltr">As written in our <a href="https://openid.net/wg/ipsie/ipsie-charter/">charter</a>:</div><div dir="ltr"><br></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div dir="ltr">This working group will develop profiles of existing specifications with the primary goal of achieving independent implementations being interoperable, while also prioritizing secure defaults within the specifications.</div><div dir="ltr"><div dir="ltr"><br></div></div><div dir="ltr"><div dir="ltr">The initial problem space of the working group is focused around:</div></div><div dir="ltr"><div dir="ltr"><br></div></div></blockquote><div dir="ltr"><div dir="ltr"><ul style="margin:0px"><ul><li>Single Sign-On</li><li><i><b>User Lifecycle Management</b></i></li><li><i><b>Entitlements</b></i></li><li>Risk Signal Sharing</li><li>Logout</li><li>Token Revocation</li></ul></ul></div><div dir="ltr"><br></div><div dir="ltr">Although we have not chosen specific protocols for user lifecycle management and entitlements, SCIM represents an existing set of protocols that may be profiled by IPSIE as part of our 
scope of work. If we profile SCIM, we want to work closely with the IETF SCIM WG to do so. Should there be a need to add to the SCIM protocols, that work is best carried out within the SCIM WG. IPSIE does not intend to create new protocols or update existing protocols as part of its work. We would prefer that work is completed in its natural home, e.g. the SCIM WG.</div><div dir="ltr"><br></div><div dir="ltr"><b>What is the current state of IPSIE?</b></div><div dir="ltr">As of today, we have completed our initial work to define <a href="https://github.com/openid/ipsie/blob/main/ipsie-levels.md">IPSIE “levels”</a> in two tracks: Identity Lifecycle (IL) and Session Lifecycle (SL). Each track specifies the capabilities we wish to achieve for both the identity services and applications used by an enterprise. SCIM fits into the IL series of capabilities:<br><br><img src="cid:7D6E7DB7-5D4D-46A0-B40F-B61F6AA70540" style="max-width: 100%; width: 1130px;"><br><br></div><div dir="ltr"><b>What next? How can I help?</b></div><div dir="ltr">Now that we have defined the levels, the WG has started work on defining the profiles for SL1 and IL1. Our intent is to deliver a draft profile later this year so that we may hold an interop event at Gartner IAM in December, 2025. At this time, we do not have a draft profile for IL1. We welcome members of the SCIM WG to contribute to an IL1 profile.
Contributors do not need to be OpenID Foundation members; however, they must sign the OpenID Foundation <a href="https://openid.net/intellectual-property/openid-foundation-contribution-agreements/">contribution agreement</a>.</div><div dir="ltr"><br></div><div dir="ltr"><b>Where can I find more information?</b></div><div dir="ltr"><b><br></b></div><div dir="ltr"><div dir="ltr">As co-chair of the IPSIE WG, I’ll serve as the bridge between the two groups and provide future updates to the SCIM WG about the work in IPSIE WG.</div></div><div dir="ltr"><b><br></b></div><div dir="ltr"><a href="https://openid.net/wg/ipsie/">IPSIE WG Homepage</a></div><div dir="ltr"><a href="https://github.com/openid/ipsie/">IPSIE WG GitHub Repo</a> - current documents and meeting minutes can all be found here</div><div dir="ltr"><a href="https://lists.openid.net/mailman/listinfo/openid-specs-ipsie?_gl=1*1oiaoif*_ga*NzI0Nzg4OTMyLjE3MjYwNjU5OTg.*_ga_NF8HNLNJJE*MTc0MjQ1MDg2OC4zNy4xLjE3NDI0NTI3MjkuMC4wLjA.&_ga=2.196557412.91786334.1742450871-724788932.1726065998">IPSIE WG Mailing List</a></div><div dir="ltr">The IPSIE chairs (myself and Aaron Parecki) can be reached at <a href="mailto:openid-specs-ipsie-owner@lists.openid.net">openid-specs-ipsie-owner@lists.openid.net</a>.<br></div><div dir="ltr"><br></div><div dir="ltr">The WG meets weekly on Tuesday at 09:00 Pacific Time (GMT-7 until November, 2025). Call details can be found on the <a href="https://openid.net/calendar/">OpenID Calendar</a>.</div><div dir="ltr"><br></div><div dir="ltr">If you have any questions, please let me know.</div><div dir="ltr"><br></div><div dir="ltr">Respectfully,</div><div dir="ltr">-dhs</div><div dir="ltr"><br></div><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">--<br><div dir="ltr">Dean H. 
Saxe, <a href="https://idpro.org/cidpro/">CIDPRO</a> (he/him)</div><div dir="ltr">Principal Engineer</div><div dir="ltr">Office of the CTO</div><div dir="ltr">Beyond Identity</div><div dir="ltr"><a href="mailto:dean.saxe@beyondidentity.com">dean.saxe@beyondidentity.com</a></div><div><br><div><br></div></div></div></div></div></div></div></div></div>
</div></body></html>