Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-07 Thread Roland Hedberg
Count me in !

> 7 apr. 2016 kl. 01:17 skrev Nov Matake :
> 
> I'm interested too.
> 
> nov
> 
> On Apr 7, 2016, at 07:14, Mike Jones  wrote:
> 
>> For the record, I’m interested.
>>  
>> From: scim [mailto:scim-boun...@ietf.org] On Behalf Of Hardt, Dick
>> Sent: Tuesday, April 5, 2016 7:26 PM
>> To: Phil Hunt (IDM) 
>> Cc: s...@ietf.org; oauth@ietf.org
>> Subject: Re: [scim] Simple Federation Deployment
>>  
>> I’m talking about removing manual steps in what happens today, where 
>> configuring a SaaS app at an IdP (such as Google, Azure, Ping, Okta) 
>> requires a bunch of cutting and pasting of access tokens / keys / certs 
>> and doing a bunch of config that is error prone and unique for each 
>> relationship.
>>  
>> Don’t want to solve on the thread … looking to see if there is interest!
>>  
>> On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt 
>> (IDM)"  wrote:
>>  
>> Is the idp the center of all things for these users?
>>  
>> Usually you have a provisioning system that coordinates state and uses 
>> things like scim connectors to do this. 
>>  
>> Another approach from today would be to pass a SCIM event to the remote 
>> provider, which then decides what needs to be done to facilitate the things 
>> you describe. 
>>  
>> IOW, either the IdP (sender) or the SP (receiver) has a provisioning system 
>> to do this. 
>>  
>> The solution and the simplicity depends on where the control needs to be. 
>> 
>> Phil
>> 
>> On Apr 5, 2016, at 18:59, Hardt, Dick  wrote:
>> 
>> Use case: An admin for an organization would like to enable her users to 
>> access a SaaS application at her IdP. 
>>  
>> User experience: 
>>  • Admin authenticates to IdP in browser
>>  • Admin selects SaaS app to federate with from list at IdP
>>  • IdP optionally presents config options
>>  • IdP redirects Admin to SaaS app
>>  • Admin authenticates to SaaS app
>>  • SaaS app optionally gathers config options
>>  • SaaS app redirects admin to IdP
>>  • IdP confirms successful federation => OIDC / SAML and SCIM are now 
>> configured and working between IdP and SaaS App
>> Who else is interested in solving this?
>>  
>> Is there interest in working on this in either the SCIM or OAUTH WGs?
>>  
>> Anyone in BA interested in meeting on this topic this week?
>>  
>> — Dick
>> ___
>> scim mailing list
>> s...@ietf.org
>> https://www.ietf.org/mailman/listinfo/scim
>> ___
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth

-- Roland
"Education is the path from cocky ignorance to miserable uncertainty.” - Mark 
Twain



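The redirect round-trip in Dick Hardt's eight-step use case (IdP sends the admin to the SaaS app, the SaaS app sends her back, and afterwards OIDC/SAML and SCIM are configured) is modelled below as an added example; it is not code from this thread, from any participant, or from any IETF draft. Everything in it is an assumption made for illustration: the host names, the query parameters `issuer`, `state`, `return_to` and `handle`, the one-time "setup handle", and the in-memory `trusted_issuers` table that stands in for fetching the IdP's metadata over HTTPS. What it is meant to show is the checks that make such a flow safe to automate: the IdP binds the `state` to the authenticated admin session, accepts it once, rejects it after a TTL, and refuses a callback that arrives in another browser session or from a different app; the SaaS app only redirects back to the callback registered for that issuer; and the client secret and SCIM bearer token never pass through the browser, only a handle that the IdP redeems on the back channel.

```python
# Assumed design for illustration; see the lead-in for what this models.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

class FederationError(Exception):
    """Raised when a round-trip cannot be bound to the session that started it."""

def parse_query(url):
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

class SaaSApp:
    """SaaS side: a one-time handle goes back via the browser; secrets only via the back channel."""

    def __init__(self, app_id, setup_url, scim_base):
        self.app_id, self.setup_url, self.scim_base = app_id, setup_url, scim_base
        self.handles = {}  # one-time handle -> registration record

    def handle_setup(self, admin_session, redirect_url, trusted_issuers):
        if not admin_session.get("authenticated"):  # step 5
            raise FederationError("admin not authenticated at SaaS app")
        q = parse_query(redirect_url)
        issuer = trusted_issuers.get(q.get("issuer"))  # stands in for HTTPS discovery
        if issuer is None or q.get("return_to") != issuer["callback"]:
            raise FederationError("unknown issuer, or return_to is not its registered callback")
        handle = secrets.token_urlsafe(16)  # steps 6-7: mint credentials server-side
        self.handles[handle] = {
            "issuer": q["issuer"],
            "client_id": f"{self.app_id}-{secrets.token_hex(4)}",
            "client_secret": secrets.token_urlsafe(24),
            "scim_endpoint": f"{self.scim_base}/v2",
            "scim_token": secrets.token_urlsafe(24),
        }
        return q["return_to"] + "?" + urlencode({"state": q.get("state", ""), "handle": handle})

    def redeem(self, handle):
        reg = self.handles.pop(handle, None)  # back channel; a handle works exactly once
        if reg is None:
            raise FederationError("unknown or already-used handle")
        return reg

class IdP:
    """IdP side: finishes a flow only for the session that started it, with a single-use state."""

    def __init__(self, issuer, callback_url, state_key, ttl=300):
        self.issuer, self.callback_url, self.state_key, self.ttl = issuer, callback_url, state_key, ttl
        self.pending = {}  # state -> (admin session id, app_id, expiry)

    def _mac(self, nonce):
        return hmac.new(self.state_key, nonce.encode(), hashlib.sha256).hexdigest()

    def start(self, admin_session, app):
        if not admin_session.get("authenticated"):  # steps 1-3
            raise FederationError("admin not authenticated at IdP")
        nonce = secrets.token_urlsafe(16)
        state = f"{nonce}.{self._mac(nonce)}"
        self.pending[state] = (admin_session["sid"], app.app_id, time.time() + self.ttl)
        return app.setup_url + "?" + urlencode(  # step 4
            {"issuer": self.issuer, "state": state, "return_to": self.callback_url})

    def finish(self, admin_session, callback_url, app):
        q = parse_query(callback_url)  # step 8: verify the round-trip before storing anything
        state = q.get("state", "")
        nonce, _, mac = state.partition(".")
        if not hmac.compare_digest(mac.encode(), self._mac(nonce).encode()):
            raise FederationError("state was not issued by this IdP")
        entry = self.pending.pop(state, None)  # single use
        if entry is None:
            raise FederationError("state unknown or already used")
        sid, app_id, expiry = entry
        if time.time() > expiry:
            raise FederationError("state expired")
        if sid != admin_session.get("sid") or app_id != app.app_id:
            raise FederationError("callback is from a different session or app than this flow")
        return app.redeem(q.get("handle", ""))  # credentials never transit the browser

def fails(action):
    try:
        action()
    except FederationError:
        return True
    return False

def run_flow():
    """One successful setup, then the two failure modes the checks exist for."""
    idp = IdP("https://idp.example", "https://idp.example/fed/callback", b"constructed-key")
    app = SaaSApp("crm", "https://crm.example/fed/setup", "https://crm.example/scim")
    trusted = {"https://idp.example": {"callback": idp.callback_url}}  # constructed table
    alice = {"sid": "sess-alice", "authenticated": True}
    callback = app.handle_setup(alice, idp.start(alice, app), trusted)
    reg = idp.finish(alice, callback, app)
    replay_blocked = fails(lambda: idp.finish(alice, callback, app))
    mallory = {"sid": "sess-mallory", "authenticated": True}
    callback2 = app.handle_setup(alice, idp.start(alice, app), trusted)
    cross_session_blocked = fails(lambda: idp.finish(mallory, callback2, app))
    return reg, replay_blocked, cross_session_blocked
```

`run_flow()` returns the registration record the IdP stored plus two booleans showing that replaying the callback and completing it from another session are both refused. In a real deployment the `redeem` call would be an authenticated server-to-server HTTPS request and the `trusted` table would be replaced by discovery of the issuer's metadata; both substitutions are assumptions of this example, not something the thread specifies.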


Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Nov Matake
I'm interested too.

nov

> On Apr 7, 2016, at 07:14, Mike Jones  wrote:
> 
> For the record, I’m interested.
>  
> From: scim [mailto:scim-boun...@ietf.org] On Behalf Of Hardt, Dick
> Sent: Tuesday, April 5, 2016 7:26 PM
> To: Phil Hunt (IDM) 
> Cc: s...@ietf.org; oauth@ietf.org
> Subject: Re: [scim] Simple Federation Deployment
>  
> I’m talking about removing manual steps in what happens today, where 
> configuring a SaaS app at an IdP (such as Google, Azure, Ping, Okta) requires 
> a bunch of cutting and pasting of access tokens / keys / certs and doing a 
> bunch of config that is error prone and unique for each relationship.
>  
> Don’t want to solve on the thread … looking to see if there is interest!
>  
> On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt 
> (IDM)"  wrote:
>  
> Is the idp the center of all things for these users?
>  
> Usually you have a provisioning system that coordinates state and uses things 
> like scim connectors to do this. 
>  
> Another approach from today would be to pass a SCIM event to the remote 
> provider, which then decides what needs to be done to facilitate the things 
> you describe. 
>  
> IOW, either the IdP (sender) or the SP (receiver) has a provisioning system 
> to do this. 
>  
> The solution and the simplicity depends on where the control needs to be. 
> 
> Phil
> 
> On Apr 5, 2016, at 18:59, Hardt, Dick  wrote:
> 
> Use case: An admin for an organization would like to enable her users to 
> access a SaaS application at her IdP. 
>  
> User experience: 
> Admin authenticates to IdP in browser
> Admin selects SaaS app to federate with from list at IdP
> IdP optionally presents config options
> IdP redirects Admin to SaaS app
> Admin authenticates to SaaS app
> SaaS app optionally gathers config options
> SaaS app redirects admin to IdP
> IdP confirms successful federation => OIDC / SAML and SCIM are now configured 
> and working between IdP and SaaS App
> Who else is interested in solving this?
>  
> Is there interest in working on this in either the SCIM or OAUTH WGs?
>  
> Anyone in BA interested in meeting on this topic this week?
>  
> ― Dick


Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Mike Jones
For the record, I’m interested.

From: scim [mailto:scim-boun...@ietf.org] On Behalf Of Hardt, Dick
Sent: Tuesday, April 5, 2016 7:26 PM
To: Phil Hunt (IDM) 
Cc: s...@ietf.org; oauth@ietf.org
Subject: Re: [scim] Simple Federation Deployment

I’m talking about removing manual steps in what happens today, where configuring 
a SaaS app at an IdP (such as Google, Azure, Ping, Okta) requires a bunch of 
cutting and pasting of access tokens / keys / certs and doing a bunch of 
config that is error prone and unique for each relationship.

Don’t want to solve on the thread … looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-boun...@ietf.org on behalf of phil.h...@oracle.com> wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things 
like scim connectors to do this.

Another approach from today would be to pass a SCIM event to the remote 
provider, which then decides what needs to be done to facilitate the things you 
describe.

IOW, either the IdP (sender) or the SP (receiver) has a provisioning system to 
do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <d...@amazon.com> wrote:
Use case: An admin for an organization would like to enable her users to access 
a SaaS application at her IdP.

User experience:

  1.  Admin authenticates to IdP in browser
  2.  Admin selects SaaS app to federate with from list at IdP
  3.  IdP optionally presents config options
  4.  IdP redirects Admin to SaaS app
  5.  Admin authenticates to SaaS app
  6.  SaaS app optionally gathers config options
  7.  SaaS app redirects admin to IdP
  8.  IdP confirms successful federation => OIDC / SAML and SCIM are now 
configured and working between IdP and SaaS App
Who else is interested in solving this?

Is there interest in working on this in either the SCIM or OAUTH WGs?

Anyone in BA interested in meeting on this topic this week?

— Dick


Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Ian Glazer
I'd be interested too

On Tue, Apr 5, 2016 at 5:59 PM, Hardt, Dick  wrote:

> Use case: An admin for an organization would like to enable her users to
> access a SaaS application at her IdP.
>
> User experience:
>
>1. Admin authenticates to IdP in browser
>2. Admin selects SaaS app to federate with from list at IdP
>3. IdP optionally presents config options
>4. IdP redirects Admin to SaaS app
>5. Admin authenticates to SaaS app
>6. SaaS app optionally gathers config options
>7. SaaS app redirects admin to IdP
>8. IdP confirms successful federation => OIDC / SAML and SCIM are now
>configured and working between IdP and SaaS App
>
> Who else is interested in solving this?
>
> Is there interest in working on this in either the SCIM or OAUTH WGs?
>
> Anyone in BA interested in meeting on this topic this week?
>
> — Dick
>
>
>


-- 
Ian Glazer
Senior Director, Identity
+1 202 255 3166
@iglazer 


Re: [OAUTH-WG] [scim] Simple Federation Deployment server to server

2016-04-06 Thread Brian Campbell
OpenID ... ?

On Wed, Apr 6, 2016 at 9:59 AM, Anthony Nadalin <tony...@microsoft.com>
wrote:

> Good question: since SCIM does not really provide an authorization model
> and OAuth does not do provisioning, this is sort of caught in the middle, so
> if I had to pick I would pick OAuth, as this is a generic server-to-server
> issue.
>
>
>
> *From:* Hardt, Dick [mailto:d...@amazon.com]
> *Sent:* Wednesday, April 6, 2016 5:52 AM
> *To:* Anthony Nadalin <tony...@microsoft.com>
> *Cc:* Gil Kirkpatrick <gil.kirkpatr...@viewds.com>; Nat Sakimura <
> n-sakim...@nri.co.jp>; Phil Hunt (IDM) <phil.h...@oracle.com>;
> s...@ietf.org; oauth@ietf.org
> *Subject:* Re: [scim] [OAUTH-WG] Simple Federation Deployment
>
>
>
> Sounds like there is interest.
>
>
>
> SCIM or OAUTH?
>
> -- Dick
>
>
> On Apr 6, 2016, at 8:57 AM, Anthony Nadalin <tony...@microsoft.com> wrote:
>
> I would be interested also
>
>
>
> Sent from my Windows 10 phone
>
>
>
> *From: *Gil Kirkpatrick <gil.kirkpatr...@viewds.com>
> *Sent: *Wednesday, April 6, 2016 4:16 AM
> *To: *'Nat Sakimura' <n-sakim...@nri.co.jp>; 'Hardt, Dick'
> <d...@amazon.com>; 'Phil Hunt (IDM)' <phil.h...@oracle.com>
> *Cc: *s...@ietf.org; oauth@ietf.org
> *Subject: *Re: [scim] [OAUTH-WG] Simple Federation Deployment
>
>
>
> That’s an issue we’re facing as well. Definitely interested.
>
>
>
> -gil
>
>
>
> *From:* OAuth [mailto:oauth-boun...@ietf.org <oauth-boun...@ietf.org>] *On
> Behalf Of *Nat Sakimura
> *Sent:* Wednesday, April 6, 2016 4:57 PM
> *To:* 'Hardt, Dick' <d...@amazon.com>; 'Phil Hunt (IDM)' <
> phil.h...@oracle.com>
> *Cc:* s...@ietf.org; oauth@ietf.org
> *Subject:* Re: [OAUTH-WG] [scim] Simple Federation Deployment
>
>
>
> +1 for removing the manual cut-n-pastes!
>
>
>
> Nat
>
>
>
> --
>
> PLEASE READ :This e-mail is confidential and intended for the
>
> named recipient only. If you are not an intended recipient,
>
> please notify the sender  and delete this e-mail.
>
>
>
> *From:* scim [mailto:scim-boun...@ietf.org <scim-boun...@ietf.org>] *On
> Behalf Of *Hardt, Dick
> *Sent:* Wednesday, April 6, 2016 7:26 AM
> *To:* Phil Hunt (IDM) <phil.h...@oracle.com>
> *Cc:* s...@ietf.org; oauth@ietf.org
> *Subject:* Re: [scim] Simple Federation Deployment
>
>
>
> I’m talking about removing manual steps in what happens today, where
> configuring a SaaS app at an IdP (such as Google, Azure, Ping, Okta)
> requires a bunch of cutting and pasting of access tokens / keys / certs
> and doing a bunch of config that is error prone and unique for each
> relationship.
>
>
>
> Don’t want to solve on the thread … looking to see if there is interest!
>
>
>
> On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt
> (IDM)" <scim-boun...@ietf.org on behalf of phil.h...@oracle.com> wrote:
>
>
>
> Is the idp the center of all things for these users?
>
>
>
> Usually you have a provisioning system that coordinates state and uses
> things like scim connectors to do this.
>
>
>
> Another approach from today would be to pass a SCIM event to the remote
> provider, which then decides what needs to be done to facilitate the things
> you describe.
>
> IOW, either the IdP (sender) or the SP (receiver) has a provisioning
> system to do this.
>
>
>
> The solution and the simplicity depends on where the control needs to be.
>
> Phil
>
>
> On Apr 5, 2016, at 18:59, Hardt, Dick <d...@amazon.com> wrote:
>
> Use case: An admin for an organization would like to enable her users to
> access a SaaS application at her IdP.
>
>
>
> User experience:
>
>1. Admin authenticates to IdP in browser
>2. Admin selects SaaS app to federate with from list at IdP
>3. IdP optionally presents config options
>4. IdP redirects Admin to SaaS app
>5. Admin authenticates to SaaS app
>6. SaaS app optionally gathers config options
>7. SaaS app redirects admin to IdP
>8. IdP confirms successful federation => OIDC / SAML and SCIM are now
>configured and working between IdP and SaaS App
>
> Who else is interested in solving this?
>
>
>
> Is there interest in working on this in either the SCIM or OAUTH WGs?
>
> Anyone in BA interested in meeting on this topic this week?
>
>
>
> — Dick
>
>
>


Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Phil Hunt
I think it is worth discussing in the OAuth WG.

While SCIM has issues, I think it represents a broader use case that other 
applications have that are deployed widely.

Phil

@independentid
www.independentid.com
phil.h...@oracle.com





> On Apr 6, 2016, at 9:52 AM, Hardt, Dick <d...@amazon.com> wrote:
> 
> Sounds like there is interest.
> 
> SCIM or OAUTH?
> 
> -- Dick
> 
> On Apr 6, 2016, at 8:57 AM, Anthony Nadalin <tony...@microsoft.com 
> <mailto:tony...@microsoft.com>> wrote:
> 
>> I would be interested also
>>  
>> Sent from my Windows 10 phone
>>  
>> From: Gil Kirkpatrick <mailto:gil.kirkpatr...@viewds.com>
>> Sent: Wednesday, April 6, 2016 4:16 AM
>> To: 'Nat Sakimura' <mailto:n-sakim...@nri.co.jp>; 'Hardt, Dick' 
>> <mailto:d...@amazon.com>; 'Phil Hunt (IDM)' <mailto:phil.h...@oracle.com>
>> Cc: s...@ietf.org <mailto:s...@ietf.org>; oauth@ietf.org 
>> <mailto:oauth@ietf.org>
>> Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment
>>  
>> That’s an issue we’re facing as well. Definitely interested.
>>  
>> -gil
>>  
>> From: OAuth [mailto:oauth-boun...@ietf.org <mailto:oauth-boun...@ietf.org>] 
>> On Behalf Of Nat Sakimura
>> Sent: Wednesday, April 6, 2016 4:57 PM
>> To: 'Hardt, Dick' <d...@amazon.com <mailto:d...@amazon.com>>; 'Phil Hunt 
>> (IDM)' <phil.h...@oracle.com <mailto:phil.h...@oracle.com>>
>> Cc: s...@ietf.org <mailto:s...@ietf.org>; oauth@ietf.org 
>> <mailto:oauth@ietf.org>
>> Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment
>>  
>> +1 for removing the manual cut-n-pastes!
>>  
>> Nat
>>  
>>  
>> From: scim [mailto:scim-boun...@ietf.org <mailto:scim-boun...@ietf.org>] On 
>> Behalf Of Hardt, Dick
>> Sent: Wednesday, April 6, 2016 7:26 AM
>> To: Phil Hunt (IDM) <phil.h...@oracle.com <mailto:phil.h...@oracle.com>>
>> Cc: s...@ietf.org <mailto:s...@ietf.org>; oauth@ietf.org 
>> <mailto:oauth@ietf.org>
>> Subject: Re: [scim] Simple Federation Deployment
>>  
>> I’m talking about removing manual steps in what happens today, where 
>> configuring a SaaS app at an IdP (such as Google, Azure, Ping, Okta) 
>> requires a bunch of cutting and pasting of access tokens / keys / certs 
>> and doing a bunch of config that is error prone and unique for each 
>> relationship.
>>  
>> Don’t want to solve on the thread … looking to see if there is interest!
>>  
>> On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt 
>> (IDM)" <scim-boun...@ietf.org <mailto:scim-boun...@ietf.org> on behalf of 
>> phil.h...@oracle.com <mailto:phil.h...@oracle.com>> wrote:
>>  
>> Is the idp the center of all things for these users?
>>  
>> Usually you have a provisioning system that coordinates state and uses 
>> things like scim connectors to do this. 
>>  
>> Another approach from today would be to pass a SCIM event to the remote 
>> provider, which then decides what needs to be done to facilitate the things 
>> you describe. 
>>  
>> IOW, either the IdP (sender) or the SP (receiver) has a provisioning system 
>> to do this. 
>>  
>> The solution and the simplicity depends on where the control needs to be. 
>> 
>> Phil
>> 
>> On Apr 5, 2016, at 18:59, Hardt, Dick <d...@amazon.com 
>> <mailto:d...@amazon.com>> wrote:
>> 
>> Use case: An admin for an organization would like to enable her users to 
>> access a SaaS application at her IdP. 
>>  
>> User experience: 
>> Admin authenticates to IdP in browser
>> Admin selects SaaS app to federate with from list at IdP
>> IdP optionally presents config options
>> IdP redirects Admin to SaaS app
>> Admin authenticates to SaaS app
>> SaaS app optionally gathers config options
>> SaaS app redirects admin to IdP
>> IdP confirms successful federation => OIDC / SAML and SCIM are now 
>> configured and working between IdP and SaaS App
>> Who else is interested in solving this?
>>  
>> Is there interest in working on this in either the SCIM or OAUTH WGs?
>>  
>> Anyone in BA interested in meeting on this topic this week?
>>  
>> — Dick


Re: [OAUTH-WG] [scim] Simple Federation Deployment server to server

2016-04-06 Thread Anthony Nadalin
Good question: since SCIM does not really provide an authorization model and 
OAuth does not do provisioning, this is sort of caught in the middle, so if I 
had to pick I would pick OAuth, as this is a generic server-to-server issue.

From: Hardt, Dick [mailto:d...@amazon.com]
Sent: Wednesday, April 6, 2016 5:52 AM
To: Anthony Nadalin <tony...@microsoft.com>
Cc: Gil Kirkpatrick <gil.kirkpatr...@viewds.com>; Nat Sakimura 
<n-sakim...@nri.co.jp>; Phil Hunt (IDM) <phil.h...@oracle.com>; s...@ietf.org; 
oauth@ietf.org
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment

Sounds like there is interest.

SCIM or OAUTH?

-- Dick

On Apr 6, 2016, at 8:57 AM, Anthony Nadalin 
<tony...@microsoft.com<mailto:tony...@microsoft.com>> wrote:
I would be interested also

Sent from my Windows 10 phone

From: Gil Kirkpatrick<mailto:gil.kirkpatr...@viewds.com>
Sent: Wednesday, April 6, 2016 4:16 AM
To: 'Nat Sakimura'<mailto:n-sakim...@nri.co.jp>; 'Hardt, 
Dick'<mailto:d...@amazon.com>; 'Phil Hunt (IDM)'<mailto:phil.h...@oracle.com>
Cc: s...@ietf.org<mailto:s...@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment

That's an issue we're facing as well. Definitely interested.

-gil

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <d...@amazon.com<mailto:d...@amazon.com>>; 'Phil Hunt (IDM)' 
<phil.h...@oracle.com<mailto:phil.h...@oracle.com>>
Cc: s...@ietf.org<mailto:s...@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment

+1 for removing the manual cut-n-pastes!

Nat


From: scim [mailto:scim-boun...@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <phil.h...@oracle.com<mailto:phil.h...@oracle.com>>
Cc: s...@ietf.org<mailto:s...@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [scim] Simple Federation Deployment

I'm talking about removing manual steps in what happens today, where configuring 
a SaaS app at an IdP (such as Google, Azure, Ping, Okta) requires a bunch of 
cutting and pasting of access tokens / keys / certs and doing a bunch of 
config that is error prone and unique for each relationship.

Don't want to solve on the thread ... looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" 
<scim-boun...@ietf.org<mailto:scim-boun...@ietf.org> on behalf of 
phil.h...@oracle.com<mailto:phil.h...@oracle.com>> wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things 
like scim connectors to do this.

Another approach from today would be to pass a SCIM event to the remote 
provider, which then decides what needs to be done to facilitate the things you 
describe.

IOW, either the IdP (sender) or the SP (receiver) has a provisioning system to 
do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <d...@amazon.com<mailto:d...@amazon.com>> 
wrote:
Use case: An admin for an organization would like to enable her users to access 
a SaaS application at her IdP.

User experience:

  1.  Admin authenticates to IdP in browser
  2.  Admin selects SaaS app to federate with from list at IdP
  3.  IdP optionally presents config options
  4.  IdP redirects Admin to SaaS app
  5.  Admin authenticates to SaaS app
  6.  SaaS app optionally gathers config options
  7.  SaaS app redirects admin to IdP
  8.  IdP confirms successful federation => OIDC / SAML and SCIM are now 
configured and working between IdP and SaaS App
Who else is interested in solving this?

Is there interest in working on this in either the SCIM or OAUTH WGs?

Anyone in BA interested in meeting on this topic this week?

- Dick


Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Anthony Nadalin
I would be interested also

Sent from my Windows 10 phone

From: Gil Kirkpatrick<mailto:gil.kirkpatr...@viewds.com>
Sent: Wednesday, April 6, 2016 4:16 AM
To: 'Nat Sakimura'<mailto:n-sakim...@nri.co.jp>; 'Hardt, 
Dick'<mailto:d...@amazon.com>; 'Phil Hunt (IDM)'<mailto:phil.h...@oracle.com>
Cc: s...@ietf.org<mailto:s...@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment

That's an issue we're facing as well. Definitely interested.

-gil

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <d...@amazon.com>; 'Phil Hunt (IDM)' <phil.h...@oracle.com>
Cc: s...@ietf.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment

+1 for removing the manual cut-n-pastes!

Nat


From: scim [mailto:scim-boun...@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <phil.h...@oracle.com<mailto:phil.h...@oracle.com>>
Cc: s...@ietf.org<mailto:s...@ietf.org>; oauth@ietf.org<mailto:oauth@ietf.org>
Subject: Re: [scim] Simple Federation Deployment

I'm talking about removing manual steps in what happens today, where configuring 
a SaaS app at an IdP (such as Google, Azure, Ping, Okta) requires a bunch of 
cutting and pasting of access tokens / keys / certs and doing a bunch of 
config that is error prone and unique for each relationship.

Don't want to solve on the thread ... looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" 
<scim-boun...@ietf.org<mailto:scim-boun...@ietf.org> on behalf of 
phil.h...@oracle.com<mailto:phil.h...@oracle.com>> wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things 
like scim connectors to do this.

Another approach from today would be to pass a SCIM event to the remote 
provider, which then decides what needs to be done to facilitate the things you 
describe.

IOW, either the IdP (sender) or the SP (receiver) has a provisioning system to 
do this.

The solution and the simplicity depends on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <d...@amazon.com<mailto:d...@amazon.com>> 
wrote:
Use case: An admin for an organization would like to enable her users to access 
a SaaS application at her IdP.

User experience:

  1.  Admin authenticates to IdP in browser
  2.  Admin selects SaaS app to federate with from list at IdP
  3.  IdP optionally presents config options
  4.  IdP redirects Admin to SaaS app
  5.  Admin authenticates to SaaS app
  6.  SaaS app optionally gathers config options
  7.  SaaS app redirects admin to IdP
  8.  IdP confirms successful federation => OIDC / SAML and SCIM are now 
configured and working between IdP and SaaS App
Who else is interested in solving this?

Is there interest in working on this in either the SCIM or OAUTH WGs?

Anyone in BA interested in meeting on this topic this week?

- Dick


Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Gil Kirkpatrick
That’s an issue we’re facing as well. Definitely interested.

 

-gil

 

From: OAuth [mailto:oauth-boun...@ietf.org] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <d...@amazon.com>; 'Phil Hunt (IDM)' <phil.h...@oracle.com>
Cc: s...@ietf.org; oauth@ietf.org
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment

 

+1 for removing the manual cut-n-pastes!

 

Nat

 


 

From: scim [mailto:scim-boun...@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <phil.h...@oracle.com>
Cc: s...@ietf.org; oauth@ietf.org
Subject: Re: [scim] Simple Federation Deployment

 

I’m talking about removing manual steps in what happens today, where configuring 
a SaaS app at an IdP (such as Google, Azure, Ping, Okta) requires a bunch of 
cutting and pasting of access tokens / keys / certs and doing a bunch of 
config that is error prone and unique for each relationship.

 

Don’t want to solve on the thread … looking to see if there is interest!

 

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-boun...@ietf.org on behalf of phil.h...@oracle.com> wrote:

 

Is the idp the center of all things for these users?

 

Usually you have a provisioning system that coordinates state and uses things 
like scim connectors to do this. 

 

Another approach from today would be to pass a SCIM event to the remote 
provider, which then decides what needs to be done to facilitate the things you 
describe. 

IOW, either the IdP (sender) or the SP (receiver) has a provisioning system to 
do this. 

 

The solution and the simplicity depends on where the control needs to be. 

Phil


On Apr 5, 2016, at 18:59, Hardt, Dick <d...@amazon.com> wrote:

Use case: An admin for an organization would like to enable her users to access 
a SaaS application at her IdP. 

 

User experience: 

1.  Admin authenticates to IdP in browser
2.  Admin selects SaaS app to federate with from list at IdP
3.  IdP optionally presents config options
4.  IdP redirects Admin to SaaS app
5.  Admin authenticates to SaaS app
6.  SaaS app optionally gathers config options
7.  SaaS app redirects admin to IdP
8.  IdP confirms successful federation => OIDC / SAML and SCIM are now 
configured and working between IdP and SaaS App

Who else is interested in solving this?

 

Is there interest in working on this in either the SCIM or OAUTH WGs?

Anyone in BA interested in meeting on this topic this week?

 

— Dick



Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-06 Thread Nat Sakimura
+1 for removing the manual cut-n-pastes!

 

Nat

 


 

From: scim [mailto:scim-boun...@ietf.org] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) 
Cc: s...@ietf.org; oauth@ietf.org
Subject: Re: [scim] Simple Federation Deployment

 

I’m talking about removing manual steps in what happens today, where configuring 
a SaaS app at an IdP (such as Google, Azure, Ping, Okta) requires a bunch of 
cutting and pasting of access tokens / keys / certs and doing a bunch of 
config that is error prone and unique for each relationship.

 

Don’t want to solve on the thread … looking to see if there is interest!

 

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" <scim-boun...@ietf.org on behalf of phil.h...@oracle.com> wrote:

 

Is the idp the center of all things for these users?

 

Usually you have a provisioning system that coordinates state and uses things 
like scim connectors to do this. 

 

Another approach from today would be to pass a SCIM event to the remote 
provider, which then decides what needs to be done to facilitate the things you 
describe. 

IOW, either the IdP (sender) or the SP (receiver) has a provisioning system to 
do this. 

 

The solution and the simplicity depends on where the control needs to be. 

Phil


On Apr 5, 2016, at 18:59, Hardt, Dick <d...@amazon.com> wrote:

Use case: An admin for an organization would like to enable her users to access 
a SaaS application at her IdP. 

 

User experience: 

1.  Admin authenticates to IdP in browser
2.  Admin selects SaaS app to federate with from list at IdP
3.  IdP optionally presents config options
4.  IdP redirects Admin to SaaS app
5.  Admin authenticates to SaaS app
6.  SaaS app optionally gathers config options
7.  SaaS app redirects admin to IdP
8.  IdP confirms successful federation => OIDC / SAML and SCIM are now 
configured and working between IdP and SaaS App

Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAuth WGs?

Anyone in BA interested in meeting on this topic this week?


— Dick

___
scim mailing list
s...@ietf.org  
https://www.ietf.org/mailman/listinfo/scim

___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
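The eight-step flow in Dick's message, modelled as an added example (my code, not a proposal from the thread or from any participant): an IdP and a SaaS app exchange OIDC discovery data and a SCIM endpoint plus bearer token over a state-bound redirect round trip, so no keys, tokens or certs are ever shown to the admin for copy and paste. The hostnames, field names and message shapes are all assumptions; the state is one-time use, and the SaaS side refuses the redirect unless its own admin has authenticated.

```python
import secrets

IDP_ISSUER = "https://idp.example"   # constructed sample values, not real hosts
SAAS_ID = "saas.example"

class IdP:
    """Steps 1-4 and 8: the organisation's identity provider."""
    def __init__(self):
        self.pending = {}        # state -> (admin, saas_id), one-time use
        self.federations = {}    # saas_id -> config received from the SaaS app

    def start(self, admin, saas_id):
        # Admin is authenticated (1) and picked an app (2); rather than showing
        # keys to copy, bind a one-time state to the session and redirect (4).
        state = secrets.token_urlsafe(32)
        self.pending[state] = (admin, saas_id)
        return {"state": state, "issuer": IDP_ISSUER, "jwks_uri": IDP_ISSUER + "/jwks"}

    def complete(self, callback):
        # Step 8: accept config only for a state we issued, and only once, so a
        # replayed or forged callback cannot create or overwrite a federation.
        entry = self.pending.pop(callback.get("state"), None)
        if entry is None or not callback["scim_endpoint"].startswith("https://"):
            return False
        admin, saas_id = entry
        self.federations[saas_id] = {"configured_by": admin, **{
            k: callback[k] for k in ("client_id", "scim_endpoint", "scim_token")}}
        return True

class SaaSApp:
    """Steps 5-7: the service provider being federated."""
    def __init__(self):
        self.idps = {}           # issuer -> OIDC client and SCIM bearer token

    def accept(self, redirect, admin_authenticated):
        # Step 5: require a logged-in SaaS admin, otherwise anyone who follows
        # the redirect could register an IdP for this tenant.
        if not admin_authenticated or not redirect["issuer"].startswith("https://"):
            return None
        cfg = {"client_id": secrets.token_hex(8), "jwks_uri": redirect["jwks_uri"],
               "scim_token": secrets.token_urlsafe(32)}   # generated, never pasted
        self.idps[redirect["issuer"]] = cfg
        # Step 7: redirect back carrying the IdP's state and our side of the config.
        return {"state": redirect["state"], "client_id": cfg["client_id"],
                "scim_endpoint": f"https://{SAAS_ID}/scim/v2",
                "scim_token": cfg["scim_token"]}

def federate(idp, saas, admin="alice", admin_authenticated=True):
    callback = saas.accept(idp.start(admin, SAAS_ID), admin_authenticated)
    return callback is not None and idp.complete(callback)
```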


Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-05 Thread Phil Hunt (IDM)
There may be some similar concerns on our side. Let's talk more this week. 

Phil

> On Apr 5, 2016, at 19:25, Hardt, Dick  wrote:
> 
> I’m talking about removing manual steps in what happens today where 
> configuring a SaaS app at an IdP (such as Google, Azure, Ping, Okta) requires 
> a bunch of cutting and pasting of access tokens / keys / certs and doing a 
> bunch of config that is error prone and unique for each relationship.
> 
> Don’t want to solve on the thread … looking to see if there is interest!
> 
> On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt 
> (IDM)"  wrote:
> 
> Is the idp the center of all things for these users?
> 
> Usually you have a provisioning system that coordinates state and uses things 
> like scim connectors to do this. 
> 
> Another approach from today would be to pass a scim event to the remote 
> provider which then decides what needs to be done to facilitate the things 
> you describe. 
> 
> IOW, either the idp (sender) or the sp (receiver) has a provisioning system 
> to do this. 
> 
> The solution and the simplicity depend on where the control needs to be. 
> 
> Phil
> 
> On Apr 5, 2016, at 18:59, Hardt, Dick  wrote:
> 
>> Use case: An admin for an organization would like to enable her users to 
>> access a SaaS application at her IdP. 
>> 
>> User experience: 
>> 1. Admin authenticates to IdP in browser
>> 2. Admin selects SaaS app to federate with from list at IdP
>> 3. IdP optionally presents config options
>> 4. IdP redirects Admin to SaaS app
>> 5. Admin authenticates to SaaS app
>> 6. SaaS app optionally gathers config options
>> 7. SaaS app redirects admin to IdP
>> 8. IdP confirms successful federation => OIDC / SAML and SCIM are now 
>> configured and working between IdP and SaaS App
>> 
>> Who else is interested in solving this?
>> 
>> Is there interest in working on this in either SCIM or OAuth WGs?
>> 
>> Anyone in BA interested in meeting on this topic this week?
>> 
>> — Dick


Re: [OAUTH-WG] [scim] Simple Federation Deployment

2016-04-05 Thread Phil Hunt (IDM)
Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things 
like scim connectors to do this. 

Another approach from today would be to pass a scim event to the remote 
provider which then decides what needs to be done to facilitate the things you 
describe. 

IOW, either the idp (sender) or the sp (receiver) has a provisioning system to 
do this. 

The solution and the simplicity depend on where the control needs to be. 

Phil

> On Apr 5, 2016, at 18:59, Hardt, Dick  wrote:
> 
> Use case: An admin for an organization would like to enable her users to 
> access a SaaS application at her IdP. 
> 
> User experience: 
> 1. Admin authenticates to IdP in browser
> 2. Admin selects SaaS app to federate with from list at IdP
> 3. IdP optionally presents config options
> 4. IdP redirects Admin to SaaS app
> 5. Admin authenticates to SaaS app
> 6. SaaS app optionally gathers config options
> 7. SaaS app redirects admin to IdP
> 8. IdP confirms successful federation => OIDC / SAML and SCIM are now configured 
> and working between IdP and SaaS App
> 
> Who else is interested in solving this?
> 
> Is there interest in working on this in either SCIM or OAuth WGs?
> 
> Anyone in BA interested in meeting on this topic this week?
> 
> — Dick