2024-12-17
Date: 2024-12-17
- Aaron Parecki (Okta)
- Dean H. Saxe (Beyond Identity)
- Erik Gomez (JGSW)
- Travis Tripp (HPE)
- Tom Clancy (MITRE)
- Brian Soby (AppOmni)
- Gennady Shulman (?)
- Shannon Roddy (Self/LBNL)
- Matt Topper (Uber Ether)
- Dick Hardt (Hellō)
- Victor Lu (independent)
- Tim Cappalli (Okta)
- Kenn Chong (RSA)
- Mike Kiser (SailPoint)
- Jen Schreiber (Workday)
- Apoorva Deshpande (Okta)
- George Fletcher (Capital One)
- Welcome and antitrust policy reminder
- Review terminology definitions
- Discuss and refine IPSIE levels
- Define milestones
Notetaker Dean H. Saxe
- Antitrust statement reminder
- Reminder to sign the contribution agreement
- Today's agenda (see above)
- Terminology review
- first attempt to clarify what we mean
- terminology definitions
- Not comprehensive, but we need common usage
- Dean made some updates to address what an enterprise is
- Gennady: may be confusing - are we only covering IdP for the enterprises?
- Aaron: Intent is to talk about the service the company is using to manage their identities, not social/consumer identity.
- Gennady: Need to change to IdP for enterprise, perhaps?
- Tim: Avoids the use of "enterprise", prefers "workforce"
- Aaron: Maybe this is a way to bring in more customers, not exclude
- Tim: try to use workforce
- Travis: A lot of providers use "organization" due to broader coverage
- Shannon: Workforce/Customer are also loaded terms
- Dean: let's get to good enough. Perfect is not necessary.
- Aaron: So we're not ambiguous in our future writing.
- Gennady: likes organization, not a loaded term
- Shannon: Enterprise is in the WG name
- Tim: IPSIW (IPSeeewwwwww) (just kidding)
- Tim: Describe the pattern. Enterprise isn't descriptive enough.
- MattT: Are we sure it's B2B SaaS? Or is it within an enterprise?
- MikeK: B2B usually refers to 2 diff. entities, this is really internal scenarios
- Tom: The org has some policy/authority to deliver assurance for its services.
- Travis: (copied from chat)
  - User as an Organization's Representative: A user is recognized as a representative of an organization, empowered with certain privileges to procure and utilize services on the organization's behalf.
  - Organizational Ownership and Rights: The organization retains ownership over its user's interactions with various service providers. The organization holds the authority to grant or revoke any individual user's privileges whenever deemed necessary.
  - Verification of User Rights: Before a user can act on behalf of their organization, their right to represent must be verified, beginning with the authentication of their identity.
  - Delegation of Privileges: Once an identity is authenticated, an organization can then delegate specific rights and responsibilities to that user.
  - Cross-Organizational Trust: An organization can opt to grant certain privileges or trust to users originating from outside its boundaries.
  - Implementation of Policies: Organizations implement procedures and decisions through well-defined policies and identity governance tools and frameworks.
- Tim: Do we plan to normatively refer to enterprises in specs? Workforce IdP vs Enterprise IdP
- Dick: workforce is an actor, was more aligned on "organization". We need a broad definition around enterprise.
- Tim & Dick: let's not bikeshed on this.
- Aaron: Should we try to clarify enterprise?
- Dick: yes
- Dick: Don't need to define "enterprise IdP", it's contextual
- Aaron: Will clarify in the text that it's the enterprise's IdP
- Travis: Will add a list of providers that use "organization"
- AWS, GCP, Azure, Oracle Cloud, Dell Apex, HPE GreenLake, Atlassian, Slack, Adobe Creative Cloud, GitHub, New Relic, Salesforce, Google Workspace, SAP S/4HANA, Auth0
- Gennady: should we define a set of synonyms? Enterprise = Tenant?
- Dick / Tim: Tenant has a different meaning
- Aaron: Let's capture all the terms. Tenant is not exactly equivalent to an org, but it is a common term.
- Crosstalk: tenant / org / enterprise / child tenants - there's a lot of confusion
- Gennady: discusses how MSFT describes tenants
- Getting off track...
- Aaron / Dean: Let's make these changes in the doc and then add PRs for additional definitions/edits to definitions. Aaron is publishing a PR #27
- Gartner event
- Aaron: SSF CAEP interop happened last week, well received, lots of attendees
- https://openid.net/shared-signals-interoperability-at-gartner-iam/
- Aaron: Can we take a goal for an interop in the future?
- broad set of topics, we need to set levels in order to be able to make it to an interop in the future
- Levels for IPSIE
- Aaron: progressing up levels gives new capabilities
- L1: better than the default today, but it's a minor step higher
- Maybe this is where we do an interop next year?
- Aaron is not tied to any of these levels - this is a starting point
- Dick: Loves this, great start. Suggests MFA is IPSIE L1.
- Aaron: MFA should be a requirement for companies, but the challenge is what does the protocol say about MFA. L1 IdP enforced, there is no interop story, the RP doesn't need to know/care about this. L2 changes, RP and IdP need to be able to communicate about MFA.
- Dick: can the app (RP) request MFA at L1?
- JenS: Levels are meant to build on each other? What if an IdP doesn't offer provisioning?
- Aaron: this is meant to build on lower levels. Needs more discussion
- Jen: Higher levels, maybe I don't want to provision users but I want to send a signal. How can I express that?
- MikeK: will submit PRs to discuss this in more detail, how do we get to optionality?
- George: Trying to separate MFA from provisioning. Looking at how to work when the logins are not federated. Can I assert a particular AAL against a SaaS provider without federation?
- Travis: Likes the separation between MFA and provisioning. Represents real world environments which do a lot of mix and match between providers. Are these fully hierarchical levels?
- Dean: Can we pull these apart into separate threads? And then frame up compliance for each of them?
- Tim: Mapping to *AL should not be part of IPSIE. Mapping to these is not the right approach.
- Aaron: Not tied to referencing these terms - this talks about how federation/SSO work. FAL2 seemed appropriate as a step above default SAML/OIDC.
- Matt: FAL3 is impossible in practice
- Dick: Like the idea of levels. 2 main vectors - authN security (IPSIE AuthN levels) and provisioning (IPSIE Provisioning Levels)
- Aaron: good point, we can group these into 2 buckets/vectors
- Dean: I like the vectors, is there a third authZ vector?
- Dick: Disagrees on using an authZ vector
- Aaron: login/logout isn't the right term, it's more of session management (also a loaded term).
- George: step up flows are an authZ policy. The enterprise defines authZ controls.
- Aaron: This is a higher level of SSO. This idea rides on top of SSO. Maybe this is a higher tier of the login/logout vector.
- George: if the user isn't on the corp VPN, maybe we need a stepup event.
- Aaron: We know apps have their compliance requirements that get mixed with corporate/enterprise requirements.
- Aaron: We're off for the next two weeks due to holidays - what's next
- Aaron: tempted to change this into two sections, one per vector. This is a starting point
- Dick: instead of how, let's focus on driving alignment in the vectors.
- Jen: Created issues
- Aaron: We can tag those issues in the vector table for organization. Started writing to clarify per Dick's point.
- Tom: must use vs. must make available - each vector has security requirements to put MUST in front of. We want to ensure there is optionality for use cases where tailoring is required.
- Dick: this is confusing to me. You are or are not compliant, what's the optionality?
- Aaron: Example: IPSIE L2 app has the ability to request an MFA level from the IdP. IdP doesn't have to respond to it.
- Tom: Optionality within implementations to make them interop.
- Aaron: not trying to describe how things work, describing the interop to work together.
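The L2 interop point discussed above (the app can request an MFA level from the IdP, and the IdP does not have to honor it), shown from the RP side as an added example; this is not code from the minutes or from IPSIE, and it assumes the request is carried in the OIDC acr_values parameter and the IdP's answer in the ID token's acr claim, with constructed placeholder acr URIs.

```python
from urllib.parse import urlencode

# Constructed placeholder ACR identifiers; not values from IPSIE or any spec.
ACR_MFA = "urn:example:acr:mfa"
ACR_PASSWORD_ONLY = "urn:example:acr:password"


def build_authz_query(client_id, redirect_uri, state, nonce, requested_acr):
    """Authorization request the RP sends; acr_values carries the MFA request.
    The IdP is free to ignore it, so nothing here guarantees MFA happened."""
    return urlencode({
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": "openid",
        "state": state,
        "nonce": nonce,
        "acr_values": " ".join(requested_acr),
    })


def mfa_satisfied(id_token_claims, acceptable_acr):
    """True only if the IdP explicitly asserted an acceptable acr in the
    (already signature-verified) ID token. A missing or unknown acr means
    the IdP did not answer the request; the RP must not assume MFA."""
    acr = id_token_claims.get("acr")
    return isinstance(acr, str) and acr in acceptable_acr


def decide(id_token_claims, acceptable_acr):
    """RP policy after login: 'allow' when the asserted acr is acceptable,
    otherwise 'step_up' (re-run the authorization request with prompt=login,
    or deny access, according to the app's own policy)."""
    return "allow" if mfa_satisfied(id_token_claims, acceptable_acr) else "step_up"


# Constructed sample ID token claim sets for the three outcomes an RP can see.
HONORED = {"sub": "alice", "acr": ACR_MFA}                # IdP honored the request
IGNORED = {"sub": "alice"}                                # IdP silently ignored it
DOWNGRADED = {"sub": "alice", "acr": ACR_PASSWORD_ONLY}   # IdP answered with less
```

The point of the absent-claim branch is the optionality Tom and Aaron raised: because the IdP may ignore the request, the app's compliance rests on checking the answer, not on having asked.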