Episode 026: 27‐06‐2024 Shared Signals CAEP - GluuFederation/identerati-office-hours GitHub Wiki
Title: Shared Signals / CAEP
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Shayne Miel, Principal Engineer, Cisco
- Co-Host: Mike Kiser, Director of Strategy and Standards, Sailpoint
Description
Shared Signals aims to limit the damage when an account compromised on one website is used to gain access to accounts on another website. CAEP uses the Shared Signals event framework to define a set of typical events: Session Revoked, Credential Change, Assurance Level Change, Device Compliance Change, Session Established. What is the current state of Shared Signals and CAEP? What are the enterprise use cases? What are the lessons learned from the "big IDP" space implementing this standard?
Homework
- OIDF Shared Signals WG Home Page
- CAEP 1.0 - Implementer's Draft
- OpenID RISC Profile Specification 1.0 - draft 02
- SCIM Profile for Security Event Tokens
Takeaways
- No question: improved communication about security events, whether inter-domain or within the enterprise, can only help improve security. Profiling events using the Shared Signals Framework (SSF) can quick-start a solution.
- The Continuous Access Evaluation Profile (CAEP) is an SSF profile specific to user authentication and session state. It defines events including Session Revoked, Token Claims Change, Credential Change, Assurance Level Change, and Device Compliance Change.
- CAEP is not a panacea. Even once domains start transmitting events and other domains start receiving them, challenges remain. How will enterprises make sense of this data? How will systems act on information derived from CAEP events? How will enterprises govern policies based on new SSF event information?
- Standardization at the OIDF lowers the bar for application developers to build SSF/CAEP/RISC features into their software. Sending and receiving events, and agreeing on the schema of those events, can perhaps catalyze a new set of tools. But are SSF and CAEP a "build it and they will come" standard? Only time will tell.