[Openid-specs-risc] Call notes

Atul Tulshibagwale atul at sgnl.ai
Tue Jan 28 18:47:07 UTC 2025


Hi all,
Here are the notes from today's special WG meeting, which was largely the
conformance testing workshop. The meeting notes are also stored here
<https://hackmd.io/@oidf-wg-sse/wg-meeting-20250128>.

Please note that if you are interested in participating in the Gartner IAM
Summit SSF / CAEP interoperability testing event, please email me at:
atul at sgnl.ai. No commitment right now, but we will soon be asking for
commitments as we are on a short timeline. The official blog post
announcing the call for participation and which links to the program rules
is here:

https://openid.net/shared-signal-wg-returns-to-gartner-iam-for-interoperability/

Thanks to all those who attended, and to Thomas for presenting his work,
Atul

-- 
Atul Tulshibagwale
CTO
<https://www.linkedin.com/in/tulshi/> <atul at sgnl.ai>

WG Meeting: 2025-01-28

Agenda

   - Gartner IAM interoperability test announcement
   - SSF Conformance testing workshop

Attendees

   - Thomas Darimont (presenter, OIDF)
   - Atul Tulshibagwale (SGNL)
   - Mike Kiser (SailPoint)
   - Chiranjeewee Koirala (SGNL)
   - Yair Sarig (Omnissa)
   - James Slocum (Beyond Identity)
   - Steven Myers (Cisco)
   - Mark Haine (OIDF)
   - Eva Kuchrykova (Jamf)
   - Swathi Kollavajjala (Cisco)
   - Stanley Ye (Omnissa)
   - Mike Leszcz (OIDF)
   - Sam Weiss (Jamf)
   - Alexey Emelyanov (?)
   - Eva Kuchrykova (?)
   - Gail Hodges (OIDF)
   - Jordan Goodyear (?)
   - Mahanth Hiremath (Omnissa)
   - McCrackenG (?)
   - Rahul (Omnissa)
   - Saurav Kumar (Omnissa)
   - Vijeth R (Omnissa)
   - Vladimir Slesarev (?)
   - Victor Soon (IBM)
Notes

Gartner IAM call for participation in the interop

   - Send email to atul at sgnl.ai if you are interested in participating.
   - SSF Gartner Interop Event blog post:
     https://openid.net/shared-signal-wg-returns-to-gartner-iam-for-interoperability/

SSF Conformance testing workshop

   - You need a Google or GitLab account in order to log in to the
     conformance testing website.
   - Preview Environment:
     https://review-app-dev-branch-3.certification.openid.net/login.html
   - You can set up the conformance tests yourself or run them in the OpenID
     cloud environment.
   - (Gail) Where will you be asking implementers to direct questions as
     they start to test and hit issues and questions along the way? Slack for
     the March Gartner event? The SS WG Slack? Or one specific to tests?

     And when can people start running their implementations through? After
     migration to the main hosting site in a couple of days?
   - (Thomas) I will be getting to that in a few minutes.
   - (Steven) I might have jumped ahead but I ran through the conformance
     tests to follow along :)

     I'm just stuck because I provided this discovery URI
     https://test.sharedsignals.duosecurity.com/.well-known/ssf-configuration/sharedsignals
     but the metadata test rewrites the discovery URI as
     https://test.sharedsignals.duosecurity.com/sharedsignals/.well-known/ssf-configuration
     and gets a 404.
        - (James) Did you set the server metadata location to "static"
          instead of "discovery"?
        - (Steven) Ah, thanks, it was set to dynamic.
   - (Yair) Does the audience need to be specified beforehand?
        - (Mike Kiser) Spec claims the audience is transmitter supplied.
   - (Yair) Is the push endpoint supposed to be provided by the Transmitter?
        - (Thomas) My understanding is that the Receiver provides the push
          endpoint.
        - (Yair) But if I'm testing the transmitter, then shouldn't I be able
          to specify what the push endpoint should be in the Transmitter
          response?
        - (Thomas) For push, the test suite has a functionality where it
          dynamically exposes the push endpoint from the alias that you have
          configured.
   - (Atul) Why does the transmitter need to specify the push endpoint?
        - (Thomas) The conformance test specifies the push endpoint, because
          it is acting as a Receiver.
   - (Yair) How did you create the audience value? Was it added after the
     stream was created?
        - (Thomas) The transmitter metadata suffix is just the subscriber
          identifier, independent of the stream that I create.
   - (Thomas) Setup instructions for running the conformance suite locally:
     https://docs.google.com/document/d/1pvtWWJ2RD_l9an_3-g-Kaa2K9zu6H9XDXq7kGIdyla4/edit?tab=t.0
   - (Brian) Do we need Java and Maven locally or inside the Docker container?
        - (Thomas) It is most convenient inside the Docker container. You
          could do it by installing it on the host, but it is more complicated
          (MongoDB, etc. will be required).
   - (Brian) Specifying the audience in advance is an issue for us adopting.
   - (Chiranjeewee) Is there a way to authenticate the metadata endpoint as
     well?
        - (Thomas) The metadata endpoint is not authenticated at all.
        - (Chiranjeewee) Is there a way to do that though?
        - (Thomas) No, but what is the use case?
        - (Chiranjeewee) SGNL currently has the metadata endpoint behind the
          access token.
        - (Thomas) Currently we don't support it, but we could allow you to
          specify a custom header with every request. You could always place a
          reverse proxy in between and insert the authentication header there
          without us having to change the conformance tests.
   - (James) I'm able to do the testing on my end, thank you very much.
   - (Yair) How can we send feedback?
        - (Thomas) Email, or OIDF Slack or IDPro Slack.
        - (Thomas) Once it is up in the GitLab repo, you can raise issues.
        - (Thomas) See feedback section.
   - (Thomas) We are also looking for vendor environments which we can hit
     for our CI environments. Currently using caep.dev, but it needs to solve
     some issues we identified earlier. We need to get more stable
     environments to test against.
   - (Thomas) Since you are more familiar with the spec than I am, please
     provide feedback if the tests are doing something wrong.
   - (Brian) I've provided access to one of our demo instances so that you
     can see the audience issue.
   - (Chiranjeewee) I'm getting a DNS lookup failure for the server.
        - (Thomas) Perhaps you can reach out later. You need to provide the
          hostname alias locally.
        - (Chiranjeewee) I've done that.
   - (Steven) We at Cisco have been able to run the tests.
   - (Brian) We only support explicitly added subjects; we have a lot of
     users, so we need to be able to only send events for subjects of
     interest.
        - (Yair) We don't do that because we don't want to manage a large
          number of subject values.
        - (Steven) So how are you doing it right now?
        - (Yair) Everything is tenant specific, and each stream gets to
          specify which types of events.
        - (Steven) So you are tying the tenants to the receivers.
        - (Yair) We have hard separation between tenants, so it's as good as
          other tenants don't exist.
   - (Thomas) The tests can be run in a headless mode for running in your CI
     environment. The configuration can be fed as a JSON file, and then you
     can run it within your CI environment. I will provide an example setup
     for this.


Action Items

Feedback

If you have any feedback, feel free to reach out via thomas.darimont at oidf.org
or DM me on the OpenID Slack.
If you want to file issues for the conformance suite, please go to
https://gitlab.com/openid/conformance-suite/-/issues