Re: [scim] Call this week

Phil Hunt <phil.hunt@oracle.com> Mon, 05 October 2015 23:00 UTC

From: Phil Hunt <phil.hunt@oracle.com>
In-Reply-To: <BN3PR0301MB12345AEA17072B82D9B585C3A6480@BN3PR0301MB1234.namprd03.prod.outlook.com>
Date: Mon, 05 Oct 2015 15:59:55 -0700
Message-Id: <8A178263-0BAD-4704-A0E1-83DBA7F54DBF@oracle.com>
To: Tony Nadalin <tonynad@microsoft.com>
Cc: Leif Johansson <leifj@mnt.se>, "scim@ietf.org" <scim@ietf.org>
Subject: Re: [scim] Call this week

Summary of the informal call last week. These are just my recollections - so please feel free to correct and add on.

Attendees:

* Erik Wahlstrom
* Tony Nadalin
* Mike Jones
* Morteza Ansari
* Ian Glazer

As the WG is now between charters, some of us decided to talk about some of the items that have been discussed on the list. Some items are new, some are old. At this stage without more formal group discussion, I would not take this as any indication of priority. This is just what we managed to get through in the short time we had. :-)

We discussed the following items:

Well-known:
The general feeling is that a simple well-known response for discovery of a SCIM root is strongly desirable.

There was less consensus on WebFinger. Mike indicated this would be helpful particularly in multi-tenancy scenarios because it could help a client locate a tenancy specific SCIM service provider based on a filter (e.g. userid or emails).

Notify:
Ian and Morteza indicated interest in getting back to work on this. We noted that there was a presentation from Confyrm at the Cloud Identity Summit about inter-cloud-provider events. Maybe this could tie in? I (Phil) reported that the work on WebPUSH seems to be more divergent with our intent.

Credentials:
We discussed some very rough ideas.  Some observations:
* Credentials might be shared by more than one user, device etc. E.g. a user might use a device and the same credential might be used to authenticate a device or the user on the device. Erik mentioned a case where users might share a credential.
* We could leverage the OAuth AMR draft from Mike in order to categorize credential types.
* Handling as a simple multi-valued attribute might not be enough. Each credential may have common metadata (creation date, expiry etc.) but may also have credential-specific schema.
* We discussed making a credential instance its own resource type in SCIM (e.g. /Credentials). That would mean that each credential has its own resource identifier, where the core schema for the resource type would have all the common management attributes (e.g. creation, expiry) etc. and may have links to the owner/user of the credential. Schema extensions for each credential type could be used to add authenticator-specific attributes to the resources.

Downside: By separating credentials from the User resources, it may impact how implementers get scale, since credentials may have to be queried in a separate lookup. On the plus side, keeping credentials away from the User object may make access control easier to define — since non-priv access should not need access to credential resources.

We agreed to try to meet informally at IETF94. Hopefully one of the chairs can wangle a room.  We will work towards amending existing drafts and in the case of credentials, put enough information together to get an initial draft together.

I believe many of us are also going to IIW the week before. So we can definitely meet up there too.

Apologies if I left anything out or misconstrued/misattributed comments. I didn't take notes; this is just my recollection.

Phil

@independentid
www.independentid.com
phil.hunt@oracle.com
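As an added illustration of the /Credentials sketch in the credentials section above (this is not code from the thread or from any SCIM draft; the schema URNs, attribute names and sample resources are constructed placeholders), the following Python models credentials as their own resources with a core schema plus per-type extensions, and shows the separate owner lookup, expiry filtering, AMR grouping and a core-only view for non-privileged callers:

```python
from datetime import datetime, timezone

# Hypothetical schema URNs: the call only sketched a /Credentials resource
# type; these identifiers are constructed for illustration, not from a draft.
CRED_CORE = "urn:example:scim:schemas:core:Credential"
CRED_OTP = "urn:example:scim:schemas:extension:Credential:otp"
CRED_HWK = "urn:example:scim:schemas:extension:Credential:hwk"

# Constructed sample resources: common management attributes (owner, amr,
# expires) sit in the core schema, type-specific ones in an extension keyed by URN.
CREDENTIALS = [
    {"schemas": [CRED_CORE, CRED_OTP], "id": "c1",
     "owner": {"value": "u1", "$ref": "/Users/u1"}, "amr": "otp",
     "meta": {"created": "2015-09-01T00:00:00Z"},
     "expires": "2016-09-01T00:00:00Z",
     CRED_OTP: {"algorithm": "HOTP", "digits": 6}},
    {"schemas": [CRED_CORE, CRED_HWK], "id": "c2",
     "owner": {"value": "u1", "$ref": "/Users/u1"}, "amr": "hwk",
     "meta": {"created": "2014-01-01T00:00:00Z"},
     "expires": "2015-01-01T00:00:00Z",
     CRED_HWK: {"serial": "constructed-0001"}},
    {"schemas": [CRED_CORE, CRED_OTP], "id": "c3",
     "owner": {"value": "u2", "$ref": "/Users/u2"}, "amr": "otp",
     "meta": {"created": "2015-10-01T00:00:00Z"},
     "expires": "2016-10-01T00:00:00Z",
     CRED_OTP: {"algorithm": "TOTP", "digits": 8}},
]

def parse_ts(value):
    # SCIM DateTime values are xsd:dateTime; RFC 7643 examples use the Z suffix.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def credentials_for_user(user_id, now, store=CREDENTIALS):
    """The separate lookup a standalone /Credentials type implies: resolve a
    User's credentials through the owner reference and drop expired ones."""
    return [c for c in store
            if c["owner"]["value"] == user_id and parse_ts(c["expires"]) > now]

def by_amr(user_id, now, store=CREDENTIALS):
    """Group a user's live credentials by AMR category (ids only)."""
    groups = {}
    for c in credentials_for_user(user_id, now, store):
        groups.setdefault(c["amr"], []).append(c["id"])
    return groups

def core_view(cred):
    """Core-schema view for non-privileged callers: drop extension attributes."""
    view = {k: v for k, v in cred.items() if not k.startswith("urn:")}
    view["schemas"] = [CRED_CORE]
    return view
```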

> On Oct 5, 2015, at 3:12 PM, Anthony Nadalin <tonynad@microsoft.com> wrote:
> 
> yes
> 
> -----Original Message-----
> From: scim [mailto:scim-bounces@ietf.org] On Behalf Of Leif Johansson
> Sent: Sunday, October 4, 2015 11:28 AM
> To: scim@ietf.org
> Subject: Re: [scim] Call this week
> 
> On 2015-09-30 09:07, Erik Wahlström neXus wrote:
>> Thursday works for me, not Friday.
>> / Erik
>> 
> 
> did you guys have a call?
> 
> _______________________________________________
> scim mailing list
> scim@ietf.org
> https://www.ietf.org/mailman/listinfo/scim