<head>
</head>
<body>
<p dir="auto">Earlier this year we determined that a JIT provisioning mechanism was out of scope for IPSIE, but should be allowed for IPSIE-compliant systems to allow for rapid onboarding of users when asynchronous provisioning systems are slow. However, we never captured any information about how these JITed accounts are later bound to their owner in the identity management service. I’ve captured a few questions about JITed identities in <a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="https://github.com/openid/ipsie/issues/88">issue 88</a>.</p><p dir="auto"></p><p dir="auto">Ahead of next week’s IPSIE meeting, can those who are interested in this topic add feedback to the issue that makes proposals for handling JITed users? I’d like to be able to add these details to the side-car doc which will be applicable across multiple SL* profiles. Specifically, I’m looking for additional information on how to do account resolution (see <a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="https://github.com/openid/ipsie/issues/79">#79</a>), how to manage failures in account resolution, and whether a reaper process is required to clean up the unmanaged JIT-provisioned accounts.</p><p dir="auto"></p><p dir="auto">My current thinking is that this is non-normative guidance. However, if the consensus is that this needs to be a standardized mechanism, I’m happy to document it in that manner.</p><p dir="auto"></p><p dir="auto">Thanks,</p><p dir="auto">-dhs</p><p dir="auto"></p><div class="signature"><p dir="auto">--</p><div dir="auto"><p dir="auto">Dean H. Saxe</p></div><div dir="auto"><p dir="auto"><a target="_blank" rel="noopener noreferrer nofollow" class="custom-editor-link-class" href="mailto:dean@thesax.es">dean@thesax.es</a></p></div></div>
</body>