SCIM Reignition - HR and SSI
SCIM Working Group Re-ignition
Tuesday 9D
Convener: Darran Rolls
Notes-taker(s): Matt Domsch
Tags for the session - technology discussed/ideas considered:
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Attendees: Darran Rolls, Matt Domsch, Pamela Dingle, Jonathan Wright, Tushar Phondge, Satish Joshi, Inderjeet Kaur Khanuja, Tim Cappalli, Jacob Siebach, Jan Taylor, Jason Downs, Josh Verbarg (State Farm), Dmitri Zagidulin, Joseba Lekube, Rainer Hörbe, Maryam Shahid, Neil Thompson, Erich Fortuni, Juan Caballero, Phil Archer, Lawrence Liu
What is SCIM?
http://tools.ietf.org/html/rfc7642
Tim: Glad to see so many implementations
Josh: pushing SCIM with all of their application vendors
Neil: To State Farm: data access, or data transfer?
Josh: simple store of users, separate stores of attributes and policies.
Darran: provenance of attributes? We’re making late-bound use of these attributes without recording from whence they came.
Dmitri: use Verifiable Credentials for attributes
Neil: groups, and groups of groups, were necessary for the BI industry to qualify for authentication and authorization
Satish: RBAC isn’t sufficient. You get group explosion. Need fine-grained attributes, but even ABAC doesn’t satisfy all the large enterprise needs.
Dmitri: Secure Data Storage Group (W3C and DIF) is a good place for conversation re SCIM + SSI. Focus on encrypted data storage, focusing on user profiles and user accounts. Needs profile export and transfer between applications. Session 13 today. The same tech allows both pseudonymous and public/corporate identities. Regulated, trusted authorities and registries is suited to adding a trusted stamp of approval. Internal HR can also provide trusted stamps of approval.
KYC runs across enterprises. SSI separates verification of identity from identity, and re-couples them only when needed.
Neil: What/who is the root of trust? Like a non-governmental but trusted org that may be rooted in government.
BC - tackled the easier problem (which is a great starting point!). Obstacles to SSI:
Technical: Key management & Wallets. Interesting tech here, but still raw.
Social: who will the certification authorities be? This is solved in enterprises by HR, but not across enterprises.
FastFed is using the SCIM schema as the lingua franca of establishing federations.
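To make the "What is SCIM?" question and the joiner/mover/leaver discussion concrete, here is an added example (not part of the session notes or of any FastFed/SailPoint code) that builds a SCIM 2.0 User resource with the enterprise extension, checks it against a few structural rules, and expresses a mover and a leaver change as SCIM PatchOp messages. The schema and message URNs are the ones defined in RFC 7643 and RFC 7644; the user names, employee numbers and department values are constructed sample data, and `apply_patch` is a deliberately small local helper that only understands `replace` operations, not a full SCIM server.

```python
"""SCIM 2.0 helpers: build a User (core + enterprise extension), validate it,
and apply joiner/mover/leaver changes as RFC 7644 PatchOp messages.
Added example; schema/message URNs come from RFC 7643 / RFC 7644,
all sample values are constructed."""
import copy
import json

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
ENTERPRISE_USER = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
PATCH_OP = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def build_user(user_name, given, family, emp_number, department, manager_id, active=True):
    """Joiner: return a SCIM User representation with HR attributes under the
    enterprise extension URN, where RFC 7643 places them."""
    return {
        "schemas": [CORE_USER, ENTERPRISE_USER],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "active": active,
        ENTERPRISE_USER: {
            "employeeNumber": emp_number,
            "department": department,
            "manager": {"value": manager_id},
        },
    }


def validate_user(resource):
    """Minimal structural checks a provisioning endpoint would make before
    accepting a resource; returns a list of problems (empty when valid)."""
    errors = []
    schemas = resource.get("schemas", [])
    if CORE_USER not in schemas:
        errors.append("missing core User schema URN in 'schemas'")
    if not resource.get("userName"):
        errors.append("userName is required")
    # Extension attributes must sit under their URN, never at top level.
    for ext_attr in ("employeeNumber", "department", "manager"):
        if ext_attr in resource:
            errors.append(f"{ext_attr} belongs under {ENTERPRISE_USER}, not top level")
    if ENTERPRISE_USER in resource and ENTERPRISE_USER not in schemas:
        errors.append("enterprise extension present but not declared in 'schemas'")
    return errors


def mover_patch(new_department, new_manager_id):
    """Mover: department and manager change; account and identity are kept.
    Extension attributes are addressed as '<URN>:<attribute>' per RFC 7644."""
    return {
        "schemas": [PATCH_OP],
        "Operations": [
            {"op": "replace", "path": f"{ENTERPRISE_USER}:department", "value": new_department},
            {"op": "replace", "path": f"{ENTERPRISE_USER}:manager.value", "value": new_manager_id},
        ],
    }


def leaver_patch():
    """Leaver: deactivate rather than delete, so the record stays auditable."""
    return {"schemas": [PATCH_OP],
            "Operations": [{"op": "replace", "path": "active", "value": False}]}


def apply_patch(resource, patch):
    """Toy PatchOp processor: handles 'replace' on simple and complex attributes,
    with or without a schema-URN prefix. Returns a new resource; input untouched."""
    if PATCH_OP not in patch.get("schemas", []):
        raise ValueError("not a PatchOp message")
    result = copy.deepcopy(resource)
    for op in patch["Operations"]:
        if op["op"] != "replace":
            raise ValueError("only 'replace' is handled in this example")
        path = op["path"]
        target = result
        if path.startswith("urn:"):
            # "urn:...:User:manager.value" -> container "urn:...:User", attr "manager.value"
            urn, attr = path.rsplit(":", 1)
            target = result.setdefault(urn, {})
        else:
            attr = path
        parts = attr.split(".")
        for part in parts[:-1]:
            target = target.setdefault(part, {})
        target[parts[-1]] = op["value"]
    return result


if __name__ == "__main__":
    user = build_user("alice@example.com", "Alice", "Ng", "E1001", "Engineering", "E0042")
    print(json.dumps(apply_patch(apply_patch(user, mover_patch("Sales", "E0099")),
                                 leaver_patch()), indent=2))
```

The point of keeping HR attributes under the extension URN and of deactivating instead of deleting is the one raised in the chat below about transfers: the authoritative source may issue a new record, but the SCIM account and its entitlements survive the patch, and the trail of what changed is the sequence of PatchOp messages rather than a replaced object.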
Group Chat:
From Jacob Siebach to Everyone: 10:48 AM Please explain what "SCIM" is.
From Me to Everyone: 10:49 AM http://www.simplecloud.info/
From Juan Caballero to Everyone: 10:50 AM @Jacob: http://tools.ietf.org/html/rfc7642
From Jacob Siebach to Everyone: 10:50 AM Thank you both. :)
From Neil Thomson to Everyone: 10:53 AM link to presentation?
From Juan Caballero to Everyone: 11:00 AM full disclosure, i'm a tourist, no need to tailor the presentation to me :D
From Rainer Hörbe to Everyone: 11:01 AM re the HR extension: it would be nice to consider not only the joiner/mover/leaver processes, but the transfer as well (new record in authoritative source, but account + entitlements are kept) - I found this quite frequently in workforce IAM
From Juan Caballero to Everyone: 11:09 AM ^ sounds pretty SSI? +1 thanks all! I learned a lot and am going to go "butterfly" around other sessions. Keep up the good work!
From timcappalli to Everyone: 11:17 AM Can I grab 2 minutes at the end? (Not SSI related)
From Dmitri Zagidulin to Everyone: 11:24 AM sure thing!
From Satish Joshi to Everyone: 11:24 AM Dmitri, can I get details of the organizational identity POC work you mentioned?
From Dmitri Zagidulin to Everyone: 11:28 AM I’m having trouble locating an actual website for the POC, but here’s some press releases mentioning it: http://www.prnewswire.com/news-releases/digital-bazaar-and-gs1-us-collaborate-on-a-new-proof-of-concept-exploring-the-intersection-of-organizational-identity-and-blockchain-technology-300923178.html
From Satish Joshi to Everyone: 11:28 AM Thanks
From Dmitri Zagidulin to Everyone: 11:29 AM and http://www.ledgerinsights.com/digital-bazaar-gs1-digital-identities-for-supply-chain/
From Lawrence Liu to Everyone: 11:34 AM @dimitri there is a 3rd part of the obstacle: the legacy processes of the enterprise need to be changed. Like my bank (HSBC): they have a photocopy of my ID on file. But each time I apply for a new service, even though I can prove myself by login credentials, they still want me to upload another photocopy of my ID. I believe it is the same with insurance companies
From Dmitri Zagidulin to Everyone: 11:41 AM @Lawrence ohhh excellent point http://identity.foundation/working-groups/securedatastorage.html ^ this is the Secure Data Storage Working Group I mentioned earlier
From Jan Taylor to Everyone: 11:42 AM @Lawrence my state’s drivers license bureau takes a photo every visit to update your photo even when renewing, updating address, endorsements, etc. Can’t remember where I was going with that though.
From Josh Verbarg (State Farm) to Everyone: 11:45 AM Michael Jones mentioned it in the OpenID Connect session... I started taking a closer look to understand it. and keep it going when the certs expire...
From Lawrence Liu to Everyone: 11:45 AM @jan I'm in HK; our driver license has no photo or address, unlike North America. ID has photo but no address. It is renewed maybe every 10 years when there is a country-wide call for renewal. Typically you will have your 1st ID before 12 yrs old, then changed at 18 yrs old, and after that it depends on when you lose your ID or the country calls for a revision
From Me to Everyone: 11:45 AM http://openid.net/wg/fastfed/
From Lawrence Liu to Everyone: 11:46 AM So why does my same bank and branch still need the photo ID when it is already on file
From Me to Everyone: 11:46 AM http://www.sailpoint.com/blog/fast-federation-onboarding-applications-to-your-identity-provider/?elqct=website&elqchannel=organicdirect
From Jan Taylor to Everyone: 11:46 AM @Lawrence wow, now that makes sense. It’s the same ID every policy.
From Me to Everyone: 11:46 AM http://www.sailpoint.com/blog/sailpoints-fast-federation-fastfed-sdk-released/?elqct=website&elqchannel=organicdirect
From Lawrence Liu to Everyone: 11:46 AM If they do not change legacy processes, DID and SSI will not take off
From Jan Taylor to Everyone: 11:47 AM Right Thanks Everyone!