Episode 139 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Do We Really Need an Identity "Event Hub"?

Channels

Description

In this episode of Identerati Office Hours, we’ll explore the role of an Event Hub in the modern IAM stack—an orchestration layer highlighted in Sean O’Dell and Andrew Cameron’s Identiverse keynote. More than just a SCIM or SSF receiver for provisioning, the Event Hub could unify asynchronous identity lifecycle events across people and software workloads. We’ll examine how Security Event Tokens (SETs) might flow through this hub, how to manage trust across multiple domains, and the authorization challenges raised by this new component.

Homework

Takeaways

  • ⚡ The "Event Hub" listens for "events" from trusted systems on an SSF "receiver endpoint". For example, let's say your ITDR system detects an anomalous account... who's it gonna call? The idea is that the ITDR would POST a JWT-encoded Security Event Token ("SET") to the Event Hub via the receiver endpoint.

  • ⚡ Do We Really Need an Identity "Event Hub"?... I don't know. But having an SSF event receiver sounds like a good idea, even if it doesn't need to be a new component in the IAM stack.

  • ⚡ What the receiver does with the event is out of scope of the SSF standard. Perhaps the event is published to a pub/sub topic, so all interested parties can pick it up, e.g. Kafka. Or perhaps the same effect can be achieved simply by revoking some tokens. Or both.

  • ⚡ Which SET tokens to trust is also out of scope. Maybe it's time for the OpenID Federation spec to emerge from its long gestation? Draft 43 looks promising...

  • ⚡ Sean says "Know your Data - Identity is a living, context aware stream of signals, before, during and after." This would be important to detect anomalies via your ITDR, and to make policies about what's abnormal.

  • ⚡ "Know your integration points or systems (Execution)"... This reminds me of requirement 3 in the TBAC Registry (a proposed design for a new project at Janssen Project): "As a System Architect, I want to track dependencies between capabilities and systems while assessing associated risks, so that I can understand the security and operational risks of system interactions and ensure proper risk-based governance."
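
To make the first and third takeaways concrete, here is an added example (not code from the episode, from Gluu or from the Janssen Project) of what the receiver side of that flow looks like: a transmitter such as an ITDR tool POSTs a SET (a JWT with `typ` "secevent+jwt", RFC 8417) to the hub's receiver endpoint using SSF push delivery (RFC 8935), and the hub validates it before fanning the events out to local handlers. The issuer URL, the shared HS256 secret, the hub audience value and the placement of the subject inside the event are all constructed for the demo; a real hub would verify an asymmetric signature against the transmitter's published JWKS and take its trust list from whatever federation mechanism it adopts. The error codes in the JSON responses are the ones RFC 8935 defines for the receiver endpoint.

```python
"""Minimal SSF/SET push receiver (added illustration, self-contained, offline)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed trust configuration: issuers the hub accepts (keyed by issuer URL)
# and the audience value this hub expects to find in every SET it receives.
TRUSTED_TRANSMITTERS = {
    "https://itdr.example.com": b"constructed-shared-secret-for-demo",
}
HUB_AUDIENCE = "https://eventhub.example.com/receiver"
SESSION_REVOKED = "https://schemas.openid.net/secevent/caep/event-type/session-revoked"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_set(issuer: str, secret: bytes, jti: str, events: dict) -> str:
    """Build an HS256-signed SET the way a transmitter (e.g. an ITDR tool) would."""
    header = {"alg": "HS256", "typ": "secevent+jwt"}
    payload = {"iss": issuer, "aud": HUB_AUDIENCE, "iat": int(time.time()),
               "jti": jti, "events": events}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(payload).encode())
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


class EventHub:
    """Receiver side: validates each SET, then fans its events out to local handlers."""

    def __init__(self):
        self.seen_jti = set()        # replay protection keyed on the SET's jti
        self.published = []          # stand-in for a pub/sub topic (e.g. Kafka)
        self.revoked_subjects = []   # stand-in for a token/session revocation call

    def receive(self, content_type: str, body: str):
        """Handle a POST to the receiver endpoint; returns (HTTP status, JSON body)."""
        if content_type != "application/secevent+jwt":
            return 400, {"err": "invalid_request", "description": "unexpected content type"}
        try:
            h64, p64, s64 = body.split(".")
            header = json.loads(_b64url_decode(h64))
            payload = json.loads(_b64url_decode(p64))
            sig = _b64url_decode(s64)
        except ValueError:  # covers bad base64, bad JSON and a wrong segment count
            return 400, {"err": "invalid_request", "description": "malformed JWT"}
        if header.get("typ") != "secevent+jwt" or header.get("alg") != "HS256":
            return 400, {"err": "invalid_request", "description": "not an HS256 SET"}
        # Trust decision: only issuers on the hub's list are accepted (out of scope for SSF).
        secret = TRUSTED_TRANSMITTERS.get(payload.get("iss"))
        if secret is None:
            return 400, {"err": "invalid_issuer", "description": "issuer not trusted"}
        expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return 400, {"err": "invalid_key", "description": "signature check failed"}
        aud = payload.get("aud")
        if HUB_AUDIENCE not in ([aud] if isinstance(aud, str) else aud or []):
            return 400, {"err": "invalid_audience", "description": "SET not meant for this hub"}
        jti = payload.get("jti")
        if not jti or not isinstance(payload.get("events"), dict):
            return 400, {"err": "invalid_request", "description": "missing jti or events"}
        if jti in self.seen_jti:
            return 202, {}  # duplicate delivery: already processed, nothing to redo
        self.seen_jti.add(jti)
        for event_type, event in payload["events"].items():
            self._dispatch(payload["iss"], event_type, event)
        return 202, {}

    def _dispatch(self, issuer: str, event_type: str, event: dict):
        # Every validated event goes to the topic; known types also trigger a direct action.
        self.published.append({"iss": issuer, "type": event_type, "event": event})
        if event_type == SESSION_REVOKED:
            # Demo convention: the subject is carried inside the event as {"format": "email", ...}.
            self.revoked_subjects.append(event.get("subject", {}).get("email"))
```

The order of checks matters: the issuer lookup comes before the signature check because the key to verify with depends on who claims to have sent the SET, and the `jti` replay check comes after all integrity checks so that an attacker cannot poison the replay set with unsigned tokens. Returning 202 for a duplicate mirrors the idempotent handling RFC 8935 describes, so a transmitter that retries after a timeout does not cause the revocation to run twice.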

Sean and Andrew's Closing Identiverse Keynote Slide on the Event Hub

Livestream Audio Archive

here