[WG-OTTO] FW: [scim] [OAUTH-WG] Simple Federation Deployment

Keith Hazelton keith.hazelton at wisc.edu
Wed Apr 6 09:35:07 CDT 2016


Sound familiar?
--
email & jabber: keith.hazelton at wisc.edu
calendar: http://go.wisc.edu/i6zxx0

From: scim <scim-bounces at ietf.org> on behalf of Phil Hunt <phil.hunt at oracle.com>
Date: Wednesday, April 6, 2016 at 08:01
To: "Hardt, Dick" <dick at amazon.com>
Cc: Tony Nadalin <tonynad at microsoft.com>, Gil Kirkpatrick <gil.kirkpatrick at viewds.com>, Nat Sakimura <n-sakimura at nri.co.jp>, "oauth at ietf.org" <oauth at ietf.org>, SCIM WG <scim at ietf.org>
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment

I think it is worth discussing in oauth wg.

While SCIM has issues, I think it represents a broader use case that other applications have that are deployed widely.

Phil

@independentid
www.independentid.com
phil.hunt at oracle.com





On Apr 6, 2016, at 9:52 AM, Hardt, Dick <dick at amazon.com> wrote:

Sounds like there is interest.

SCIM or OAUTH?

-- Dick

On Apr 6, 2016, at 8:57 AM, Anthony Nadalin <tonynad at microsoft.com> wrote:

I would be interested also

Sent from my Windows 10 phone

From: Gil Kirkpatrick <gil.kirkpatrick at viewds.com>
Sent: Wednesday, April 6, 2016 4:16 AM
To: 'Nat Sakimura' <n-sakimura at nri.co.jp>; 'Hardt, Dick' <dick at amazon.com>; 'Phil Hunt (IDM)' <phil.hunt at oracle.com>
Cc: scim at ietf.org; oauth at ietf.org
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment

That’s an issue we’re facing as well. Definitely interested.

-gil

From: OAuth [mailto:oauth-bounces at ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <dick at amazon.com>; 'Phil Hunt (IDM)' <phil.hunt at oracle.com>
Cc: scim at ietf.org; oauth at ietf.org
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment

+1 for removing the manual cut-n-pastes!

Nat

--
PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender  and delete this e-mail.

From: scim [mailto:scim-bounces at ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <phil.hunt at oracle.com>
Cc: scim at ietf.org; oauth at ietf.org
Subject: Re: [scim] Simple Federation Deployment

I’m talking about removing manual steps in what happens today, where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Okta) requires a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.

Don’t want to solve on the thread … looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-bounces at ietf.org on behalf of phil.hunt at oracle.com> wrote:

Is the IdP the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things like SCIM connectors to do this.

Another approach from today would be to pass a SCIM event to the remote provider, which then decides what needs to be done to facilitate the things you describe.

IOW, either the IdP (sender) or the SP (receiver) has a provisioning system to do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <dick at amazon.com> wrote:
Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.

User experience:

  1.  Admin authenticates to IdP in browser
  2.  Admin selects SaaS app to federate with from list at IdP
  3.  IdP optionally presents config options
  4.  IdP redirects Admin to SaaS app
  5.  Admin authenticates to SaaS app
  6.  SaaS app optionally gathers config options
  7.  SaaS app redirects admin to IdP
  8.  IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App

Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAUTH Wgs?

Anyone in BA interested in meeting on this topic this week?

— Dick
_______________________________________________
scim mailing list
scim at ietf.org
https://www.ietf.org/mailman/listinfo/scim
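The eight-step admin flow in Dick's use case, written out as a two-party simulation. This is an added example and not code or a design from anyone on the thread; the thread deliberately does not propose a solution, and everything below (the `state` binding, the one-time `reg_token`, the simulated back channel, the `register_client` / `setup` / `finish` names, the example URLs and admin names) is an assumption made for illustration. The point it shows is the check a practitioner would want in such a flow: the IdP binds the round trip to the admin's session with a single-use state, the OIDC client secret and SCIM bearer token never pass through the admin's browser, and a replayed, foreign, or unregistered callback is refused.

```python
import secrets
from dataclasses import dataclass, field


class FederationError(Exception):
    pass


@dataclass
class IdP:
    issuer: str
    catalog: dict                                     # app_id -> app setup URL (hypothetical)
    pending: dict = field(default_factory=dict)       # state -> in-flight admin session
    clients: dict = field(default_factory=dict)       # OIDC client_id -> registration
    federations: dict = field(default_factory=dict)   # app_id -> finished config

    def start(self, admin, app_id, options=None):
        """Steps 1-4: authenticated admin picks an app; IdP redirects her there."""
        state = secrets.token_urlsafe(32)      # CSRF binding for the browser round trip
        reg_token = secrets.token_urlsafe(32)  # one-time credential for the back channel
        self.pending[state] = {"admin": admin, "app_id": app_id, "registered": None,
                               "options": options or {}, "reg_token": reg_token}
        return {"redirect_to": self.catalog[app_id],
                "params": {"issuer": self.issuer, "state": state, "reg_token": reg_token,
                           "return_url": f"{self.issuer}/federation/callback"}}

    def register_client(self, state, reg_token, app_metadata):
        """Back channel (app -> IdP, not via the browser): trade reg_token for OIDC
        client credentials; the app hands over its SCIM endpoint and token here."""
        entry = self.pending.get(state)
        if entry is None or not secrets.compare_digest(entry["reg_token"], reg_token):
            raise FederationError("unknown state or bad registration token")
        if entry["registered"] is not None:
            raise FederationError("registration token already used")
        client_id, client_secret = secrets.token_urlsafe(16), secrets.token_urlsafe(32)
        self.clients[client_id] = {"secret": client_secret,
                                   "redirect_uri": app_metadata["redirect_uri"]}
        entry["registered"] = {"client_id": client_id, **app_metadata}
        return {"client_id": client_id, "client_secret": client_secret}

    def finish(self, admin, state):
        """Steps 7-8: admin returns; only `state` travels in the front channel."""
        entry = self.pending.pop(state, None)   # single use, burned even on failure
        if entry is None:
            raise FederationError("unknown or replayed state")
        if entry["admin"] != admin:
            raise FederationError("state was issued to a different admin session")
        if entry["registered"] is None:
            raise FederationError("app never completed back-channel registration")
        reg = entry["registered"]
        config = {"oidc_client_id": reg["client_id"], "scim_endpoint": reg["scim_endpoint"],
                  "scim_token": reg["scim_token"], "options": entry["options"]}
        self.federations[entry["app_id"]] = config
        return config


@dataclass
class SaaSApp:
    base_url: str
    tenants: dict = field(default_factory=dict)   # issuer -> per-tenant config

    def setup(self, idp, admin, params):
        """Steps 5-6: admin authenticates to the app; app mints a SCIM bearer token,
        registers as an OIDC client over the back channel, then sends her back."""
        scim_token = secrets.token_urlsafe(32)
        creds = idp.register_client(params["state"], params["reg_token"], {
            "redirect_uri": f"{self.base_url}/oidc/callback",
            "scim_endpoint": f"{self.base_url}/scim/v2",
            "scim_token": scim_token})
        self.tenants[params["issuer"]] = {"admin": admin, "scim_token": scim_token,
                                           "oidc_client_id": creds["client_id"],
                                           "oidc_client_secret": creds["client_secret"]}
        return {"redirect_to": params["return_url"], "params": {"state": params["state"]}}


def run_flow(idp, app, app_id, admin, options=None):
    """Drive all eight steps; return the IdP's finished federation config."""
    hop1 = idp.start(admin, app_id, options)           # steps 1-4 (browser redirect)
    hop2 = app.setup(idp, admin, hop1["params"])       # steps 5-6 (+ back channel)
    return idp.finish(admin, hop2["params"]["state"])  # steps 7-8 (browser redirect)


def _rejected(fn):
    try:
        fn()
    except FederationError:
        return True
    return False


def abuse_cases(idp, app, app_id, admin):
    """Mis-uses the checks above must refuse; True means the IdP rejected it."""
    out = {}
    hop1 = idp.start(admin, app_id)
    hop2 = app.setup(idp, admin, hop1["params"])
    idp.finish(admin, hop2["params"]["state"])
    out["replayed_state"] = _rejected(lambda: idp.finish(admin, hop2["params"]["state"]))
    hop1 = idp.start(admin, app_id)
    hop2 = app.setup(idp, admin, hop1["params"])
    out["foreign_session"] = _rejected(lambda: idp.finish("mallory", hop2["params"]["state"]))
    hop1 = idp.start(admin, app_id)
    out["no_registration"] = _rejected(lambda: idp.finish(admin, hop1["params"]["state"]))
    hop1 = idp.start(admin, app_id)
    app.setup(idp, admin, hop1["params"])
    out["reg_token_reuse"] = _rejected(lambda: app.setup(idp, admin, hop1["params"]))
    return out
```

`run_flow(IdP("https://idp.example", {"crm": "https://crm.example/federate"}), SaaSApp("https://crm.example"), "crm", "alice")` returns the IdP-side config (SCIM endpoint, SCIM token, OIDC client_id) with the matching secrets held by the app, and `abuse_cases` on the same objects reports every listed misuse as rejected. The `reg_token` still rides in the step-4 redirect, so in a real deployment it would need a short lifetime and TLS end to end; the design choice here is only that it is single-use and tied to one `state`, so a leaked copy cannot be used to register a second, attacker-controlled client against the same session.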
