[OAUTH-WG] Simple Federation Deployment

Discussion:

Hardt, Dick

2016-04-05 21:59:22 UTC

Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.

User experience:

1. Admin authenticates to IdP in browser
2. Admin selects SaaS app to federate with from list at IdP
3. IdP optionally presents config options
4. IdP redirects Admin to SaaS app
5. Admin authenticates to SaaS app
6. SaaS app optionally gathers config options
7. SaaS app redirects admin to IdP
8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App

Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAUTH Wgs?

Any one in BA interested in meeting on this topic this week?

â Dick

Phil Hunt (IDM)

2016-04-05 22:11:16 UTC

Permalink

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.

Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.

Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.

The solution and the simplicity depends on where the control needs to be.

Phil

> On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com> wrote:
>
> Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.
>
> User experience:
> Admin authenticates to IdP in browser
> Admin selects SaaS app to federate with from list at IdP
> IdP optionally presents config options
> IdP redirects Admin to SaaS app
> Admin authenticates to SaaS app
> SaaS app optionally gathers config options
> SaaS app redirects admin to IdP
> IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
> Who else is interested in solving this?
>
> Is there interest in working on this in either SCIM or OAUTH Wgs?
>
> Any one in BA interested in meeting on this topic this week?
>
> â Dick
> _______________________________________________
> scim mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/scim

Hardt, Dick

2016-04-05 22:25:54 UTC

Permalink

Iâm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.

Donât want to solve on the thread âŠ looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org<mailto:scim-***@ietf.org> on behalf of ***@oracle.com<mailto:***@oracle.com>> wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.

Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.

Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com<mailto:***@amazon.com>> wrote:

Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.

User experience:

1. Admin authenticates to IdP in browser
2. Admin selects SaaS app to federate with from list at IdP
3. IdP optionally presents config options
4. IdP redirects Admin to SaaS app
5. Admin authenticates to SaaS app
6. SaaS app optionally gathers config options
7. SaaS app redirects admin to IdP
8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App

Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAUTH Wgs?

Any one in BA interested in meeting on this topic this week?

â Dick
_______________________________________________
scim mailing list
***@ietf.org<mailto:***@ietf.org>
https://www.ietf.org/mailman/listinfo/scim

Phil Hunt (IDM)

2016-04-06 05:07:58 UTC

Permalink

There may be some similar concerns on our side. Lets talk more this week.

Phil

> On Apr 5, 2016, at 19:25, Hardt, Dick <***@amazon.com> wrote:
>
> Iâm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.
>
> Donât want to solve on the thread âŠ looking to see if there is interest!
>
> On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org on behalf of ***@oracle.com> wrote:
>
> Is the idp the center of all things for these users?
>
> Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.
>
> Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.
>
> Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.
>
> The solution and the simplicity depends on where the control needs to be.
>
> Phil
>
> On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com> wrote:
>
>> Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.
>>
>> User experience:
>> Admin authenticates to IdP in browser
>> Admin selects SaaS app to federate with from list at IdP
>> IdP optionally presents config options
>> IdP redirects Admin to SaaS app
>> Admin authenticates to SaaS app
>> SaaS app optionally gathers config options
>> SaaS app redirects admin to IdP
>> IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
>> Who else is interested in solving this?
>>
>> Is there interest in working on this in either SCIM or OAUTH Wgs?
>>
>> Any one in BA interested in meeting on this topic this week?
>>
>> â Dick
>> _______________________________________________
>> scim mailing list
>> ***@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
> _______________________________________________
> scim mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/scim

Nat Sakimura

2016-04-06 06:56:56 UTC

Permalink

+1 for removing the manual cut-n-pastes!

Nat

--

PLEASE READ :This e-mail is confidential and intended for the

named recipient only. If you are not an intended recipient,

please notify the sender and delete this e-mail.

From: scim [mailto:scim-***@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <***@oracle.com>
Cc: ***@ietf.org; ***@ietf.org
Subject: Re: [scim] Simple Federation Deployment

Iâm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.

Donât want to solve on the thread âŠ looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org <mailto:scim-***@ietf.org> on behalf of ***@oracle.com <mailto:***@oracle.com> > wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.

Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.

Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com <mailto:***@amazon.com> > wrote:

Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.

User experience:

1. Admin authenticates to IdP in browser
2. Admin selects SaaS app to federate with from list at IdP
3. IdP optionally presents config options
4. IdP redirects Admin to SaaS app
5. Admin authenticates to SaaS app
6. SaaS app optionally gathers config options
7. SaaS app redirects admin to IdP
8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App

Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAUTH Wgs?

Any one in BA interested in meeting on this topic this week?

â Dick

Gil Kirkpatrick

2016-04-06 07:16:16 UTC

Permalink

Thatâs an issue weâre facing as well. Definitely interested.

-gil

From: OAuth [mailto:oauth-***@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <***@amazon.com>; 'Phil Hunt (IDM)' <***@oracle.com>
Cc: ***@ietf.org; ***@ietf.org
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment

+1 for removing the manual cut-n-pastes!

Nat

--

PLEASE READ :This e-mail is confidential and intended for the

named recipient only. If you are not an intended recipient,

please notify the sender and delete this e-mail.

From: scim [mailto:scim-***@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <***@oracle.com <mailto:***@oracle.com> >
Cc: ***@ietf.org <mailto:***@ietf.org> ; ***@ietf.org <mailto:***@ietf.org>
Subject: Re: [scim] Simple Federation Deployment

Iâm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.

Donât want to solve on the thread âŠ looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org <mailto:scim-***@ietf.org> on behalf of ***@oracle.com <mailto:***@oracle.com> > wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.

Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.

Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com <mailto:***@amazon.com> > wrote:

Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.

User experience:

1. Admin authenticates to IdP in browser
2. Admin selects SaaS app to federate with from list at IdP
3. IdP optionally presents config options
4. IdP redirects Admin to SaaS app
5. Admin authenticates to SaaS app
6. SaaS app optionally gathers config options
7. SaaS app redirects admin to IdP
8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App

Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAUTH Wgs?

Any one in BA interested in meeting on this topic this week?

â Dick

Anthony Nadalin

2016-04-06 11:57:42 UTC

Permalink

I would be interested also

Sent from my Windows 10 phone

From: Gil Kirkpatrick<mailto:***@viewds.com>
Sent: Wednesday, April 6, 2016 4:16 AM
To: 'Nat Sakimura'<mailto:n-***@nri.co.jp>; 'Hardt, Dick'<mailto:***@amazon.com>; 'Phil Hunt (IDM)'<mailto:***@oracle.com>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment

That's an issue we're facing as well. Definitely interested.

-gil

From: OAuth [mailto:oauth-***@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <***@amazon.com>; 'Phil Hunt (IDM)' <***@oracle.com>
Cc: ***@ietf.org; ***@ietf.org
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment

+1 for removing the manual cut-n-pastes!

Nat

--
PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender and delete this e-mail.

From: scim [mailto:scim-***@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <***@oracle.com<mailto:***@oracle.com>>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [scim] Simple Federation Deployment

I'm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.

Don't want to solve on the thread ... looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org<mailto:scim-***@ietf.org> on behalf of ***@oracle.com<mailto:***@oracle.com>> wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.

Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.

Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com<mailto:***@amazon.com>> wrote:
Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.

User experience:

1. Admin authenticates to IdP in browser
2. Admin selects SaaS app to federate with from list at IdP
3. IdP optionally presents config options
4. IdP redirects Admin to SaaS app
5. Admin authenticates to SaaS app
6. SaaS app optionally gathers config options
7. SaaS app redirects admin to IdP
8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAUTH Wgs?

Any one in BA interested in meeting on this topic this week?

- Dick

Hardt, Dick

2016-04-06 12:52:15 UTC

Permalink

Sounds like there is interest.

SCIM or OAUTH?

-- Dick

On Apr 6, 2016, at 8:57 AM, Anthony Nadalin <***@microsoft.com<mailto:***@microsoft.com>> wrote:

I would be interested also

Sent from my Windows 10 phone

From: Gil Kirkpatrick<mailto:***@viewds.com>
Sent: Wednesday, April 6, 2016 4:16 AM
To: 'Nat Sakimura'<mailto:n-***@nri.co.jp>; 'Hardt, Dick'<mailto:***@amazon.com>; 'Phil Hunt (IDM)'<mailto:***@oracle.com>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment

That's an issue we're facing as well. Definitely interested.

-gil

From: OAuth [mailto:oauth-***@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <***@amazon.com<mailto:***@amazon.com>>; 'Phil Hunt (IDM)' <***@oracle.com<mailto:***@oracle.com>>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment

+1 for removing the manual cut-n-pastes!

Nat

--
PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender and delete this e-mail.

From: scim [mailto:scim-***@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <***@oracle.com<mailto:***@oracle.com>>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [scim] Simple Federation Deployment

I'm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.

Don't want to solve on the thread ... looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org<mailto:scim-***@ietf.org> on behalf of ***@oracle.com<mailto:***@oracle.com>> wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.

Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.

Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com<mailto:***@amazon.com>> wrote:
Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.

User experience:

1. Admin authenticates to IdP in browser
2. Admin selects SaaS app to federate with from list at IdP
3. IdP optionally presents config options
4. IdP redirects Admin to SaaS app
5. Admin authenticates to SaaS app
6. SaaS app optionally gathers config options
7. SaaS app redirects admin to IdP
8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAUTH Wgs?

Any one in BA interested in meeting on this topic this week?

- Dick

Phil Hunt

2016-04-06 13:01:48 UTC

Permalink

I think it is worth discussing in oauth wg.

While SCIM has issues, I think it represents a broader use case that other applications have that are deployed widely.

Phil

@independentid
www.independentid.com <http://www.independentid.com/>***@oracle.com <mailto:***@oracle.com>

> On Apr 6, 2016, at 9:52 AM, Hardt, Dick <***@amazon.com> wrote:
>
> Sounds like there is interest.
>
> SCIM or OAUTH?
>
> -- Dick
>
> On Apr 6, 2016, at 8:57 AM, Anthony Nadalin <***@microsoft.com <mailto:***@microsoft.com>> wrote:
>
>> I would be interested also
>>
>> Sent from my Windows 10 phone
>>
>> From: Gil Kirkpatrick <mailto:***@viewds.com>
>> Sent: Wednesday, April 6, 2016 4:16 AM
>> To: 'Nat Sakimura' <mailto:n-***@nri.co.jp>; 'Hardt, Dick' <mailto:***@amazon.com>; 'Phil Hunt (IDM)' <mailto:***@oracle.com>
>> Cc: ***@ietf.org <mailto:***@ietf.org>; ***@ietf.org <mailto:***@ietf.org>
>> Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment
>>
>> Thatâs an issue weâre facing as well. Definitely interested.
>>
>> -gil
>>
>> From: OAuth [mailto:oauth-***@ietf.org <mailto:oauth-***@ietf.org>] On Behalf Of Nat Sakimura
>> Sent: Wednesday, April 6, 2016 4:57 PM
>> To: 'Hardt, Dick' <***@amazon.com <mailto:***@amazon.com>>; 'Phil Hunt (IDM)' <***@oracle.com <mailto:***@oracle.com>>
>> Cc: ***@ietf.org <mailto:***@ietf.org>; ***@ietf.org <mailto:***@ietf.org>
>> Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment
>>
>> +1 for removing the manual cut-n-pastes! <>
>>
>> Nat
>>
>> --
>> PLEASE READ :This e-mail is confidential and intended for the
>> named recipient only. If you are not an intended recipient,
>> please notify the sender and delete this e-mail.
>>
>> From: scim [mailto:scim-***@ietf.org <mailto:scim-***@ietf.org>] On Behalf Of Hardt, Dick
>> Sent: Wednesday, April 6, 2016 7:26 AM
>> To: Phil Hunt (IDM) <***@oracle.com <mailto:***@oracle.com>>
>> Cc: ***@ietf.org <mailto:***@ietf.org>; ***@ietf.org <mailto:***@ietf.org>
>> Subject: Re: [scim] Simple Federation Deployment
>>
>> Iâm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.
>>
>> Donât want to solve on the thread âŠ looking to see if there is interest!
>>
>> On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org <mailto:scim-***@ietf.org> on behalf of ***@oracle.com <mailto:***@oracle.com>> wrote:
>>
>> Is the idp the center of all things for these users?
>>
>> Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.
>>
>> Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.
>>
>> Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.
>>
>> The solution and the simplicity depends on where the control needs to be.
>>
>> Phil
>>
>> On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com <mailto:***@amazon.com>> wrote:
>>
>> Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.
>>
>> User experience:
>> Admin authenticates to IdP in browser
>> Admin selects SaaS app to federate with from list at IdP
>> IdP optionally presents config options
>> IdP redirects Admin to SaaS app
>> Admin authenticates to SaaS app
>> SaaS app optionally gathers config options
>> SaaS app redirects admin to IdP
>> IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
>> Who else is interested in solving this?
>>
>> Is there interest in working on this in either SCIM or OAUTH Wgs?
>>
>> Any one in BA interested in meeting on this topic this week?
>>
>> â Dick
>> _______________________________________________
>> scim mailing list
>> ***@ietf.org <mailto:***@ietf.org>
>> https://www.ietf.org/mailman/listinfo/scim <https://na01.safelinks.protection.outlook.com/?url=https%3a%2f%2fwww.ietf.org%2fmailman%2flistinfo%2fscim&data=01%7c01%7ctonynad%40microsoft.com%7c871da74138de485b0bb008d35deb6643%7c72f988bf86f141af91ab2d7cd011db47%7c1&sdata=%2fILmgXPgRyLfCIn%2b2EbpBbIcHqKJbKZVYKJBpUL%2fKnY%3d>

Mike Jones

2016-04-06 22:14:09 UTC

Permalink

For the record, Iâm interested.

From: scim [mailto:scim-***@ietf.org] On Behalf Of Hardt, Dick
Sent: Tuesday, April 5, 2016 7:26 PM
To: Phil Hunt (IDM) <***@oracle.com>
Cc: ***@ietf.org; ***@ietf.org
Subject: Re: [scim] Simple Federation Deployment

Iâm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.

Donât want to solve on the thread âŠ looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org<mailto:scim-***@ietf.org> on behalf of ***@oracle.com<mailto:***@oracle.com>> wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.

Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.

Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com<mailto:***@amazon.com>> wrote:
Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.

User experience:

1. Admin authenticates to IdP in browser
2. Admin selects SaaS app to federate with from list at IdP
3. IdP optionally presents config options
4. IdP redirects Admin to SaaS app
5. Admin authenticates to SaaS app
6. SaaS app optionally gathers config options
7. SaaS app redirects admin to IdP
8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAUTH Wgs?

Any one in BA interested in meeting on this topic this week?

â Dick
_______________________________________________
scim mailing list
***@ietf.org<mailto:***@ietf.org>
https://www.ietf.org/mailman/listinfo/scim

Nov Matake

2016-04-06 23:17:58 UTC

Permalink

I'm interested in too.

nov

> On Apr 7, 2016, at 07:14, Mike Jones <***@microsoft.com> wrote:
>
> For the record, Ifm interested.
>
> From: scim [mailto:scim-***@ietf.org] On Behalf Of Hardt, Dick
> Sent: Tuesday, April 5, 2016 7:26 PM
> To: Phil Hunt (IDM) <***@oracle.com>
> Cc: ***@ietf.org; ***@ietf.org
> Subject: Re: [scim] Simple Federation Deployment
>
> Ifm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.
>
> Donft want to solve on the thread c looking to see if there is interest!
>
> On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org on behalf of ***@oracle.com> wrote:
>
> Is the idp the center of all things for these users?
>
> Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.
>
> Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.
>
> Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.
>
> The solution and the simplicity depends on where the control needs to be.
>
> Phil
>
> On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com> wrote:
>
> Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.
>
> User experience:
> Admin authenticates to IdP in browser
> Admin selects SaaS app to federate with from list at IdP
> IdP optionally presents config options
> IdP redirects Admin to SaaS app
> Admin authenticates to SaaS app
> SaaS app optionally gathers config options
> SaaS app redirects admin to IdP
> IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
> Who else is interested in solving this?
>
> Is there interest in working on this in either SCIM or OAUTH Wgs?
>
> Any one in BA interested in meeting on this topic this week?
>
> \ Dick
> _______________________________________________
> scim mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
> _______________________________________________
> OAuth mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

Roland Hedberg

2016-04-07 07:59:28 UTC

Permalink

Count me in !

> 7 apr. 2016 kl. 01:17 skrev Nov Matake <***@gmail.com>:
>
> I'm interested in too.
>
> nov
>
> On Apr 7, 2016, at 07:14, Mike Jones <***@microsoft.com> wrote:
>
>> For the record, I’m interested.
>>
>> From: scim [mailto:scim-***@ietf.org] On Behalf Of Hardt, Dick
>> Sent: Tuesday, April 5, 2016 7:26 PM
>> To: Phil Hunt (IDM) <***@oracle.com>
>> Cc: ***@ietf.org; ***@ietf.org
>> Subject: Re: [scim] Simple Federation Deployment
>>
>> I’m talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.
>>
>> Don’t want to solve on the thread … looking to see if there is interest!
>>
>> On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org on behalf ***@oracle.com> wrote:
>>
>> Is the idp the center of all things for these users?
>>
>> Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.
>>
>> Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.
>>
>> Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.
>>
>> The solution and the simplicity depends on where the control needs to be.
>>
>> Phil
>>
>> On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com> wrote:
>>
>> Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.
>>
>> User experience:
>> • Admin authenticates to IdP in browser
>> • Admin selects SaaS app to federate with from list at IdP
>> • IdP optionally presents config options
>> • IdP redirects Admin to SaaS app
>> • Admin authenticates to SaaS app
>> • SaaS app optionally gathers config options
>> • SaaS app redirects admin to IdP
>> • IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
>> Who else is interested in solving this?
>>
>> Is there interest in working on this in either SCIM or OAUTH Wgs?
>>
>> Any one in BA interested in meeting on this topic this week?
>>
>> — Dick
>> _______________________________________________
>> scim mailing list
>> ***@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>> _______________________________________________
>> OAuth mailing list
>> ***@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

-- Roland
"Education is the path from cocky ignorance to miserable uncertainty.” - Mark Twain

Ian Glazer

2016-04-06 21:20:22 UTC

Permalink

I'd be interested too

On Tue, Apr 5, 2016 at 5:59 PM, Hardt, Dick <***@amazon.com> wrote:

> Use case: An admin for an organization would like to enable her users to
> access a SaaS application at her IdP.
>
> User experience:
>
> 1. Admin authenticates to IdP in browser
> 2. Admin selects SaaS app to federate with from list at IdP
> 3. IdP optionally presents config options
> 4. IdP redirects Admin to SaaS app
> 5. Admin authenticates to SaaS app
> 6. SaaS app optionally gathers config options
> 7. SaaS app redirects admin to IdP
> 8. IdP confirms successful federation => OIDC / SAML and SCIM are now
> configured and working between IdP and SaaS App
>
> Who else is interested in solving this?
>
> Is there interest in working on this in either SCIM or OAUTH Wgs?
>
> Any one in BA interested in meeting on this topic this week?
>
> â Dick
>
> _______________________________________________
> scim mailing list
> ***@ietf.org
> https://www.ietf.org/mailman/listinfo/scim
>
>

--
Ian Glazer
Senior Director, Identity
+1 202 255 3166
@iglazer <https://twitter.com/iglazer>