[scim] Notes and action items from the 6/25 interest group call

Darran Rolls <me@darranrolls.com> Tue, 30 June 2020 16:44 UTC

From: Darran Rolls <me@darranrolls.com>
To: "scim@ietf.org" <scim@ietf.org>
Date: Tue, 30 Jun 2020 16:44:02 +0000
Message-ID: <DEAEA48D-4865-44F3-B0CC-2FFE1C37C661@darranrolls.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/scim/LVZEkDCsZWp66HwaoOAylSqm-cs>
List-Id: Simple Cloud Identity Management BOF <scim.ietf.org>

Folks,
Thanks for attending last week’s call; here are the attendees, notes and action items. At one point we had 23 folks on the line, however I only managed to capture the attendees listed below. If I missed your name or (more likely) mistyped its spelling, please let me know. By way of notes, rather than trying to capture individual comments, I have distilled a summary of the conversation instead, so if I missed anything you feel is important, please respond to this thread.
Attendees

  *   Karl McGuinness - Okta
  *   Matt Domsch - SailPoint
  *   Anthony Nadalin - Microsoft
  *   Jeremy Palenchar - Orcas Consulting
  *   Paul Logston - 15five
  *   Unni Sarath - Staples
  *   Ryann Bradley - Okta
  *   Quint Daenen - Elimity
  *   Chris Harm - Penn State University
  *   Shawn Smith - Penn State University
  *   Brian Hanarhan - (not recorded)
  *   Paul Lantz - (not recorded)
  *   Matt Peterson - One Identity
  *   Kim McFinn - Microsoft
  *   Darin McAdmans - AWS
  *   Sam Rosin - Salesforce
  *   Phil Hunt - Independent Identity
  *   David Brossard - Salesforce
  *   Justin China - Forgerock
Summary of the Conversation

  *   There was good support for re-chartering the WG, but recognition that most of the actual work would need to be done on the list beforehand. In essence, re-chartering would be a post-work activity to ratify / formalize the resulting specification work rather than the other way around.
  *   There was a lot of conversation around various operational improvements to the model and how to facilitate this new work without affecting existing implementations. Overall the conversation leaned towards a “2.1”: an effort to deliver extensions and enhancements that would be backwards compatible. It was duly noted that any normative change to the existing published RFCs (outside of errata) would constitute a new draft regardless.
  *   There was good support for anything that would improve compliance testing and overall interoperability. It was however duly noted that the IETF would likely not be the place to deliver any form of “test suite”. That said, there was no real conclusion on where and how that would happen.
  *   There was agreement that a likely next step towards a charter would be to facilitate a SCIM BOF during IETF #108. Attendance at this BOF would be critical in demonstrating support for re-opening the WG.
  *   As a next step, we agreed to catalog areas of potential work and try to understand who is interested in working on what. Darran committed to start a separate list thread on “potential work items” and try to come up with a method of tracking that interest.
Action Items

  1.  Darran to reach out to the ADs to confirm the approach (work first, then charter and formal WG, not the other way around) and report back to the list.
  2.  Darran to begin discussion with the ADs about holding a SCIM BOF at IETF #108 in July.
  3.  Darran to start a separate thread to catalog the main buckets of work and facilitate a process such that we can gauge support for each.
Chat Recording
11:22:30     From Anthony Nadalin (USA) : Here are some of my concerns
11:22:37     From Anthony Nadalin (USA) : 1. SCIM becoming a directory protocol 2. Adding features that don’t have interoperability 3. Bloating SCIM more than what it is already 4. I have concerns over the Privileged management cases as there are security issues that we never took on in SCIM, like authentication
11:46:15     From Paul Logston - Principal Engineer - NYC : Agreed.
11:49:59     From Tim Cappalli : How do we generalize identity to handle users, devices, workloads, etc?
11:50:34     From Anthony Nadalin (USA) : That's a big change and a schema change
11:51:04     From Tim Cappalli : That specific example would be a 3.0 vs a 2.1
11:51:07     From Anthony Nadalin (USA) : the schema is extensible
11:55:09     From djob : I've seen SCIM as a means to query user data (similar to LDAP) so from that PoV it's not just provisioning
11:55:17     From djob : It's useful in XACML architectures
12:03:47     From Pamela Dingle : I'm really looking forward to the detailed notes here and next steps, and so glad we are moving forward!  I have to drop but very excited.
12:15:07     From Anthony Nadalin (USA) : suggest that folks look at the SCIM drafts that have been published already
12:15:26     From Jeremy Palenchar - Orcas Consulting : Agreed Tony, I need to get up to speed on what's been done
12:16:58     From Matt : We can dramatically reduce the need for paging of multi-valued attributes by simply providing a collection that can be used instead of a multi-valued "members" attribute. Querying group/role membership as a separate collection could make lots of problems go away. Not just for pagination of results, but for filtering the query.

Thanks
--
Darran Rolls
https://www.darranrolls.com
LinkedIn<https://www.linkedin.com/in/darran-rolls-068b84> @djrolls<https://twitter.com/djrolls>