Meeting Notes - 7 April 2021

Recording: https://www.youtube.com/watch?v=GyI8gl4MeHM&feature=youtu.be

Attendees:

  • Pamela Dingle (Microsoft Identity)
  • Tim Cappalli (Microsoft Identity)
  • Kevin Kampman (Gartner)
  • Leanne Chen (IBM)
  • Audrei (Slack)
  • Matt Domsch (SailPoint)
  • Wes Dunnington (Ping)
  • Erik Gustavson (Google Cloud)
  • Darin McAdams (AWS)
  • Phil Hunt (IndependentId)
  • Ryan Bradley (Okta)
  • Matt Peterson (OneIdentity)
  • Paul Lanzi (Remediant)

Agenda

  • Paul/Matt P go through SCIM-PAM draft
  • Matt D to go through the actions from previous group surveys (a spreadsheet we are calling the SCIM IG Interest List)

SCIM PAM IETF Draft Summary

  • Paul/Matt note that they are not original authors and hope they do justice to the original draft spec, with apologies and thanks to Kelly Grizzle, et al

  • Usage: SCIM PAM is in active use in the SCIM PAM SailPoint connector

    • Lots of SailPoint customers are using it already
  • Purpose: The draft helps IGA+PAM solutions to do two things together:

    • Use SCIM to read Privileged Data
    • Use SCIM to read and modify the access rights to Privileged Data (ACLs)
  • Paper Cuts

    • The draft needs a statement of purpose. The draft does 2 things but nobody ever summarizes those things
    • Reading/writing ACLs is done in a very specific way; the opportunity for us as a group is to make this a more generalized, SCIM-esque standard
      • Because there is no authorization in SCIM the draft had to build that functionality
        • We have the opportunity to build that into SCIM core which would make this draft much more concise
    • There is no SCIM concept of linking objects.
      • We have the opportunity to make that pattern more standardized
      • Linked objects is a generically useful concept that we could make easy
      • A way to canonically address the authority
        • Need some kind of way to designate who the canonical authority is for an attribute
    • Difficult to determine when something has changed in SCIM
      • Notifications are a problem
        • Matt D would love to see a webhook-style change mechanism

SCIM 2021 Interest List

  • Matt overviewed the items in the list - a combination of existing drafts (including the SCIM-PAM draft we just reviewed today) and also additional ideas
    • The tentative plan is
      • Matt to get the list into a format that we can collectively iterate on
      • We will make topics out of all the items in this meeting

Persistent Questions for Future Meetings (or to go to the group)

  • Is multi-value pagination a special case for groups only or a more generic concern?
  • Do we need to address only object pagination or is cursor pagination as important?

Next Meeting:

  • April 21, 3pm PT
    • Pam to ask Mark Wahl if he will summarize his draft
    • More work on the Interest List
    • Pam to get the plan for sorting videos figured out