Anthony Nadalin
2016-04-06 12:59:29 UTC
Good question, since SCIM does not really provide an authorization model and Oauth does not do provisioning this is sort of caught in the middle, so if I had to pick I would pick Oauth as this is a generic server to server issue
From: Hardt, Dick [mailto:***@amazon.com]
Sent: Wednesday, April 6, 2016 5:52 AM
To: Anthony Nadalin <***@microsoft.com>
Cc: Gil Kirkpatrick <***@viewds.com>; Nat Sakimura <n-***@nri.co.jp>; Phil Hunt (IDM) <***@oracle.com>; ***@ietf.org; ***@ietf.org
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment
Sounds like there is interest.
SCIM or OAUTH?
-- Dick
On Apr 6, 2016, at 8:57 AM, Anthony Nadalin <***@microsoft.com<mailto:***@microsoft.com>> wrote:
I would be interested also
Sent from my Windows 10 phone
From: Gil Kirkpatrick<mailto:***@viewds.com>
Sent: Wednesday, April 6, 2016 4:16 AM
To: 'Nat Sakimura'<mailto:n-***@nri.co.jp>; 'Hardt, Dick'<mailto:***@amazon.com>; 'Phil Hunt (IDM)'<mailto:***@oracle.com>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment
That's an issue we're facing as well. Definitely interested.
-gil
From: OAuth [mailto:oauth-***@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <***@amazon.com<mailto:***@amazon.com>>; 'Phil Hunt (IDM)' <***@oracle.com<mailto:***@oracle.com>>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment
+1 for removing the manual cut-n-pastes!
Nat
--
PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender and delete this e-mail.
From: scim [mailto:scim-***@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <***@oracle.com<mailto:***@oracle.com>>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [scim] Simple Federation Deployment
I'm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.
Don't want to solve on the thread ... looking to see if there is interest!
On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org<mailto:scim-***@ietf.org> on behalf of ***@oracle.com<mailto:***@oracle.com>> wrote:
Is the idp the center of all things for these users?
Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.
Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.
Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.
The solution and the simplicity depends on where the control needs to be.
Phil
On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com<mailto:***@amazon.com>> wrote:
Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.
User experience:
1. Admin authenticates to IdP in browser
2. Admin selects SaaS app to federate with from list at IdP
3. IdP optionally presents config options
4. IdP redirects Admin to SaaS app
5. Admin authenticates to SaaS app
6. SaaS app optionally gathers config options
7. SaaS app redirects admin to IdP
8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
Who else is interested in solving this?
Is there interest in working on this in either SCIM or OAUTH Wgs?
Any one in BA interested in meeting on this topic this week?
- Dick
From: Hardt, Dick [mailto:***@amazon.com]
Sent: Wednesday, April 6, 2016 5:52 AM
To: Anthony Nadalin <***@microsoft.com>
Cc: Gil Kirkpatrick <***@viewds.com>; Nat Sakimura <n-***@nri.co.jp>; Phil Hunt (IDM) <***@oracle.com>; ***@ietf.org; ***@ietf.org
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment
Sounds like there is interest.
SCIM or OAUTH?
-- Dick
On Apr 6, 2016, at 8:57 AM, Anthony Nadalin <***@microsoft.com<mailto:***@microsoft.com>> wrote:
I would be interested also
Sent from my Windows 10 phone
From: Gil Kirkpatrick<mailto:***@viewds.com>
Sent: Wednesday, April 6, 2016 4:16 AM
To: 'Nat Sakimura'<mailto:n-***@nri.co.jp>; 'Hardt, Dick'<mailto:***@amazon.com>; 'Phil Hunt (IDM)'<mailto:***@oracle.com>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment
That's an issue we're facing as well. Definitely interested.
-gil
From: OAuth [mailto:oauth-***@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <***@amazon.com<mailto:***@amazon.com>>; 'Phil Hunt (IDM)' <***@oracle.com<mailto:***@oracle.com>>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment
+1 for removing the manual cut-n-pastes!
Nat
--
PLEASE READ :This e-mail is confidential and intended for the
named recipient only. If you are not an intended recipient,
please notify the sender and delete this e-mail.
From: scim [mailto:scim-***@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <***@oracle.com<mailto:***@oracle.com>>
Cc: ***@ietf.org<mailto:***@ietf.org>; ***@ietf.org<mailto:***@ietf.org>
Subject: Re: [scim] Simple Federation Deployment
I'm talking about removing manual steps in what happens today where configuring a SaaS app at an IdP (such as Google, Azure, Ping, Octa) requires is a bunch of cutting and pasting of access tokens / keys / certs and doing a bunch of config that is error prone and unique for each relationship.
Don't want to solve on the thread ... looking to see if there is interest!
On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-***@ietf.org<mailto:scim-***@ietf.org> on behalf of ***@oracle.com<mailto:***@oracle.com>> wrote:
Is the idp the center of all things for these users?
Usually you have a provisioning system that coordinates state and uses things like scim connectors to do this.
Another approach from today would be to pass a scim event to the remote provider which then decides what needs to be done to facilitate the thingd you describe.
Iow. Either the idp (sender) or the sp (receiver) have a provisioning system to do this.
The solution and the simplicity depends on where the control needs to be.
Phil
On Apr 5, 2016, at 18:59, Hardt, Dick <***@amazon.com<mailto:***@amazon.com>> wrote:
Use case: An admin for an organization would like to enable her users to access a SaaS application at her IdP.
User experience:
1. Admin authenticates to IdP in browser
2. Admin selects SaaS app to federate with from list at IdP
3. IdP optionally presents config options
4. IdP redirects Admin to SaaS app
5. Admin authenticates to SaaS app
6. SaaS app optionally gathers config options
7. SaaS app redirects admin to IdP
8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App
Who else is interested in solving this?
Is there interest in working on this in either SCIM or OAUTH Wgs?
Any one in BA interested in meeting on this topic this week?
- Dick