David Walker, dwalker@internet2.edu, flywheel/scribe
Albert Wu, albertwu@ucla.edu, chair
Yavor Yanakiev, yy27@nyu.edu
Tom Zeller, tzeller@sphericalcowgroup.com
Meeting Summary

Highlights

Communities we should survey:
  - IAM
  - LTI
  - Health care
  - Kuali
  - Other developer communities?
Questions for the survey:
  - Is the ability to revoke permissions important?
  - Is user consent important?
  - Is the RP run by the same organization as the OP?
  - Is there a business process for registering RPs?
  - What information is needed by the RP (e.g., location)?
  - Is the RP developed locally?
    - If so, what programming language? What IDE?
Interesting observation: It may be that developer acceptance is a key success factor. For many developers, this means:
  - Everything they need is available in their favorite IDE.
  - NodeJS and other runtime environments, not Apache or other web servers.
  - JSON, not XML.
Raw Notes

- Russ: Hasn't seen vendors asking for this.
- Albert: UCLA is seeing this for APIs, not so much for user sign-on.
- Ken: Better support for consent (described in the Consent session tomorrow).
- Ken: Should ask what parts of OIDC we do not care about.
  - E.g., dynamic client registration
  - User experiences like revocation of permissions
- Gary: How do we structure the survey so that people can understand this?
  - More esoteric issues may not come up.
- Albert: Who do we target? Developers? The IAM community?
  - NYU has an OIDC gateway, so developers could use OIDC.
- Ken: Need to distinguish between OAuth and OIDC. He expects much more OAuth.
  - Duke has a shim to produce OAuth from the (SAML) IdP.
  - UCLA has a need for OAuth to support LTI.
- What communities should we survey?
  - IAM community
  - LTI?
  - Glen: I want whatever is in my IDE.
  - Developer communities
  - Health care
  - LTI
  - Kuali
- Do developers want to run an OP, as well as an RP?
  - Probably not, but sometimes they're packaged together to provide everything needed.
- Things for the survey
  - Revocation of permissions
  - Consent
  - How important is it to put OIDC/OAuth into Shib?
  - Is the RP run by the same organization as the OP?
  - Is there a business process around registering RPs?
  - What information is needed (e.g., location)?
- Should OIDC be part of Shib?
  - It increases cost/effort for the Shibboleth project, but could increase cost to campuses for infrastructure, attribute release rules, interfaces with backend IAM systems, etc.
  - Perhaps separate the common parts of Shib from the protocol-specific parts.