Attendees

  • David Bantz, db@alaska.edu
  • Russell Beall, beall@usc.edu
  • Dedra Chamberlin, dedra@cirrusidentity.com
  • Gary Chapman, gary.chapman@nyu.edu
  • Greg Haverkamp, gahaverkamp@lbl.gov
  • Roland Hedberg, roland@catalogix.se
  • Ken Klingenstein, kjk@internet2.edu
  • David Langenberg, DaveL@uchicago.edu
  • Laura Paglione, l.paglione@orcid.org
  • Glenn Ricart, glenn.ricart@us-ignite.org
  • Nick Roy, nroy@internet2.edu
  • Mark Scheible, mscheible@mailbox.mcnc.org
  • Mike Sullivan, msullivan@internet2.edu
  • David Walker, dwalker@internet2.edu, flywheel/scribe
  • Albert Wu, albertwu@ucla.edu, chair
  • Yavor Yanakiev, yy27@nyu.edu
  • Tom Zeller, tzeller@sphericalcowgroup.com

Meeting Summary

Highlights

  • Communities we should survey
    • IAM
    • LTI
    • Health care
    • Kuali
    • Other developer communities?
  • Questions for the survey
    • Is the ability to revoke permissions important?
    • Is user consent important?
    • Is the RP run by the same organization as the OP?
    • Is there a business process for registering RPs?
    • What information is needed by the RP (e.g., location)?
    • Is the RP developed locally?
      • If so, what programming language?  What IDE?
  • Interesting observation: It may be that developer acceptance is a key success factor.  For many developers, this means:
    • Everything they need is available in their favorite IDE.
    • NodeJS and other runtime environments, not Apache or other web servers.
    • JSON, not XML

Raw Notes

  • Russ: Hasn't seen vendors asking for this.
    • Albert: UCLA is seeing this for APIs, not so much for user sign-on.
  • Ken: Better support for consent (described in Consent session tomorrow)
  • Ken: Should ask what parts of OIDC do we not care about?
    • E.g., dynamic client registration
    • user experiences like revocation of permissions
  • Gary: How do we structure the survey so that people can understand this?
    • More esoteric issues may not come up.
    • Albert: who do we target?  developers?  IAM community?
  • NYU has OIDC gateway so developers could use OIDC
  • Ken: Need to distinguish between OAuth and OIDC.  He expects much more OAuth.
    • Duke has a shim to produce OAuth from the (SAML) IdP
  • UCLA has need for OAuth to support LTI.
  • What communities should we survey?
    • IAM community
    • LTI?
    • Glenn: I want whatever is in my IDE.
    • Developer communities
      • Health care
      • LTI
      • Kuali
    • Do developers want to run OP, as well as RP?
      • Probably not, but sometimes they're packaged together to provide everything needed.
  • Things for the survey
    • Revocation of permissions
    • Consent
    • How important to put OIDC/OAuth into Shib?
    • Is the RP run by the same organization as the OP?
    • Is there a business process around registering RPs?
    • What information is needed (e.g., location)?
  • Should OIDC be part of Shib?
    • It increases cost/effort for the Shibboleth project, but could increase cost to campuses for infrastructure, attribute release rules, interface with backend IAMS, etc.
    • Perhaps separate the common parts of Shib away from the protocol stuff.