Episode 094: 03‐11‐2025 The IPSIE Standard: A New Era of Policy Interoperability - GluuFederation/identerati-office-hours GitHub Wiki
Title: The IPSIE Standard: A New Era of Policy Interoperability
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Dean Saxe, Principal Engineer, Office of the CTO, Beyond Identity
- Guest: Mark Maguire, Associate Director - IAM, Aujas Cybersecurity
- Guest: Travis Tripp, HPE Senior Distinguished Technologist | Senior Platform Architect, HPE Office of the CTO
Description
IPSIE (pronounced "ip-see") stands for Interoperability Profiling for Secure Identity in the Enterprise. Its mission is to develop interoperability and security profiles of existing specifications. The current situation is that enterprise deployments of OpenID, OAuth, passkeys and other identity technologies are so varied that two implementations are NOT guaranteed to work together. For example, is it `acr` or `amr` that shows how the user was authenticated? Can reusable IPSIE profiles enable much-sought-after IT consolidation? In this episode with working group contributors... we'll see!
Homework
- Working Group Charter
- Current Draft of IPSIE Levels
- Securing the Future of Identity with IPSIE – A New Industry Standard, Webinar May 5 12pm EST with Jeff Reich, IDSA | Dean H. Saxe, Beyond Identity | Aaron Parecki, Okta | Gail Hodges, OpenID Foundation | George Fletcher
Takeaways
- ⚡ IPSIE seeks to profile a hierarchy of levels, like "SL1/SL2/SL3" or "IL1/IL2/IL3" (SL stands for Session Lifecycle, and IL for Identity Lifecycle). Other profiles are possible.
- ⚡ The idea is that IPSIE will make it easier for enterprises to convey the sufficiency of their identity controls. However, does the broadness of these categories also decrease their utility for risk management?
- ⚡ If an enterprise is "SL3", does it have to implement those controls for all resources, regardless of value? The logical goal is that SL3 policies are required only for transactions or resources that warrant that level of security.
- ⚡ Enterprises always have a ton of legacy. What percentage of RPs need to comply with an IPSIE policy for an enterprise to assert a certain level?
- ⚡ People and workloads both have identities. How will IPSIE evolve to address the non-human identity challenge?