Good question. Since SCIM does not really provide an authorization model and 
OAuth does not do provisioning, this is sort of caught in the middle, so if I 
had to pick I would pick OAuth, as this is a generic server-to-server issue.

From: Hardt, Dick [mailto:[email protected]]
Sent: Wednesday, April 6, 2016 5:52 AM
To: Anthony Nadalin <[email protected]>
Cc: Gil Kirkpatrick <[email protected]>; Nat Sakimura 
<[email protected]>; Phil Hunt (IDM) <[email protected]>; [email protected]; 
[email protected]
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment

Sounds like there is interest.

SCIM or OAUTH?

-- Dick

On Apr 6, 2016, at 8:57 AM, Anthony Nadalin <[email protected]> wrote:

I would be interested also

Sent from my Windows 10 phone

From: Gil Kirkpatrick <[email protected]>
Sent: Wednesday, April 6, 2016 4:16 AM
To: 'Nat Sakimura' <[email protected]>; 'Hardt, Dick' <[email protected]>; 
'Phil Hunt (IDM)' <[email protected]>
Cc: [email protected]; [email protected]
Subject: Re: [scim] [OAUTH-WG] Simple Federation Deployment

That's an issue we're facing as well. Definitely interested.

-gil

From: OAuth [mailto:[email protected]] On Behalf Of Nat Sakimura
Sent: Wednesday, April 6, 2016 4:57 PM
To: 'Hardt, Dick' <[email protected]>; 'Phil Hunt (IDM)' <[email protected]>
Cc: [email protected]; [email protected]
Subject: Re: [OAUTH-WG] [scim] Simple Federation Deployment

+1 for removing the manual cut-n-pastes!

Nat


From: scim [mailto:[email protected]] On Behalf Of Hardt, Dick
Sent: Wednesday, April 6, 2016 7:26 AM
To: Phil Hunt (IDM) <[email protected]>
Cc: [email protected]; [email protected]
Subject: Re: [scim] Simple Federation Deployment

I'm talking about removing manual steps in what happens today where configuring 
a SaaS app at an IdP (such as Google, Azure, Ping, Okta) requires a bunch of 
cutting and pasting of access tokens / keys / certs and doing a bunch of 
config that is error prone and unique for each relationship.

Don't want to solve on the thread ... looking to see if there is interest!

On 4/5/16, 7:11 PM, someone claiming to be "scim on behalf of Phil Hunt (IDM)" 
<[email protected] on behalf of [email protected]> wrote:

Is the idp the center of all things for these users?

Usually you have a provisioning system that coordinates state and uses things 
like scim connectors to do this.

Another approach from today would be to pass a SCIM event to the remote 
provider, which then decides what needs to be done to facilitate the things you 
describe.

IOW, either the IdP (sender) or the SP (receiver) has a provisioning system to 
do this.

The solution and the simplicity depend on where the control needs to be.

Phil

On Apr 5, 2016, at 18:59, Hardt, Dick <[email protected]> wrote:

Use case: An admin for an organization would like to enable her users to access 
a SaaS application at her IdP.

User experience:

  1.  Admin authenticates to IdP in browser
  2.  Admin selects SaaS app to federate with from list at IdP
  3.  IdP optionally presents config options
  4.  IdP redirects Admin to SaaS app
  5.  Admin authenticates to SaaS app
  6.  SaaS app optionally gathers config options
  7.  SaaS app redirects admin to IdP
  8.  IdP confirms successful federation => OIDC / SAML and SCIM are now configured and working between IdP and SaaS App

Who else is interested in solving this?

Is there interest in working on this in either SCIM or OAUTH WGs?

Anyone in BA interested in meeting on this topic this week?

- Dick
_______________________________________________
scim mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/scim
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
