2025‐04‐15 - openid/ipsie GitHub Wiki

IPSIE WG Meeting Minutes

Date: 2025-04-15

Attendees

  • Aaron Parecki (Okta)
  • Kenn Chong (RSA)
  • Filip Skokan (Okta)
  • Shannon Roddy (Self/LBL)
  • David Lee (Saviynt)
  • George Fletcher (Practical Identity LLC)
  • Jon Bartlett (Zscaler)
  • Bjorn Hjelm (Yubico)
  • Robin Martherus (Cisco)
  • Alex B Chalmers (Self)
  • Qinglan Gao (RSA)
  • Karl McGuinness (Self)
  • Dick Hardt (Hellō)
  • Travis Tripp (HPE)

Agenda

Notetaker: David Lee

Minutes

OpenID SL1 Profile

  • Aaron contributed the draft 2 weeks ago, Dean started the call for adoption
  • Have seen support for it so far on the list
  • Call for adoption ends April 17
  • Aaron and other editors can attend the upcoming sessions on using the new OpenID automated publication tools
  • Aaron: Propose waiting until next week to discuss the open issues on the draft so we can discuss it as an adopted draft. General agreement.
  • Kenn: Clarification about the publication in 2 days, that it's not all settled about what is in the draft, just adoption?
  • Aaron: Yes, not final, but it means the draft is an adopted draft so we can discuss it as the working group going forward
  • Aaron: Working group goals are still to get to the interop event in December. Between Thursday and September we will hash out the details of the draft to get it to a place we're all happy with

Community Events

  • There were several related topics at Internet Identity Workshop last week, including a session on IPSIE led by Dean and Aaron
  • Dean, Aaron and others submitted a panel discussion on IPSIE at Identiverse in June.
  • George: Any topics at EIC?
  • Aaron: Haven't heard anything
  • Mike: will be there, not aware of IPSIE related sessions

SAML SL1 Profile

SAML and OpenID Connect for security and key rotation

  • Discussion of SAML and OpenID Connect security protocols

Key rotation and encryption for B2B SaaS use cases

  • Key rotation is better with IPSIE, but SAML is seen as the gold standard
  • Encryption is pulled in through FAL, adding overhead for B2B use cases

Modernizing SAML implementations for security in the modern workforce

  • SAML is an older deployment, and vendors need to modernize to meet security needs
  • Vendors are not investing in modernizing SAML, and it's in a stalemate state

SAML security and key rotation, with a focus on vendor support and metadata exchange

  • The group discusses the importance of defining security outcomes and mapping them to SAML profiles to achieve frequent key rotation

Creating a standard for secure single sign-on (SSO) with a focus on vendor adoption and incentives

  • Focus on creating a standard that's both secure and consistent, while also considering vendor adoption
  • Vendors may not adopt a standard if it's not in their commercial interest, so incentives are crucial for success

Balancing security and adoption in SAML standard development

  • The group aims to incentivize security improvements in SAML implementations through incremental adoption and modification

Cert rotation and security incidents in cloud applications

  • Identify achievable security goals for IPSIE, prioritizing value and scalability
  • Address breach scenarios with cert rotation, considering technical and industry motivation
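As an added illustration of the metadata-driven key rotation discussed in the items above (frequent rotation via metadata exchange, and cert rotation as a breach response), the Go program below models the overlap pattern: the IdP publishes both the outgoing and the incoming signing key in its metadata, a metadata-driven SP accepts a signature from either key during the window, and once the old key is removed from metadata its signatures are rejected. This is example code written for these notes, not code from the IPSIE working group or any vendor. The `Metadata` and `SigningKey` types, the key labels and the assertion text are constructed stand-ins for real SAML `KeyDescriptor` entries and signed XML; the point is the acceptance logic, not XML signature handling.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SigningKey stands in for one <md:KeyDescriptor use="signing"> entry in IdP
// metadata. Real metadata carries an X.509 certificate; this constructed model
// keeps only the RSA public key and a label so it runs on the standard library.
type SigningKey struct {
	Label  string
	Public *rsa.PublicKey
}

// Metadata models the signing-key list an SP fetches from the IdP metadata endpoint.
type Metadata struct {
	SigningKeys []SigningKey
}

// ErrNoMatchingKey is returned when no published signing key verifies the signature.
var ErrNoMatchingKey = errors.New("signature does not verify against any published signing key")

// Sign produces an RSA PKCS#1 v1.5 signature over the SHA-256 digest of message.
// It plays the role of the IdP signing an assertion with its current private key.
func Sign(priv *rsa.PrivateKey, message []byte) ([]byte, error) {
	digest := sha256.Sum256(message)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify tries every published signing key and reports which one matched.
// Accepting any listed key is what makes overlap-based rotation work: during the
// overlap window the IdP publishes both the outgoing and the incoming key.
func (m Metadata) Verify(message, sig []byte) (string, error) {
	digest := sha256.Sum256(message)
	for _, k := range m.SigningKeys {
		if err := rsa.VerifyPKCS1v15(k.Public, crypto.SHA256, digest[:], sig); err == nil {
			return k.Label, nil
		}
	}
	return "", ErrNoMatchingKey
}

// RolloverOutcome records what a metadata-driven SP accepted at each rotation stage.
type RolloverOutcome struct {
	OverlapAcceptsOld bool // old-key signature accepted while both keys are published
	OverlapAcceptsNew bool // new-key signature accepted while both keys are published
	RetiredRejectsOld bool // old-key signature rejected once the old key is removed
	RetiredAcceptsNew bool // new-key signature still accepted after retirement
}

// SimulateRollover walks an IdP signing-key rotation through the overlap pattern.
// Keys are generated fresh on every run; nothing here is a real IdP's key material.
func SimulateRollover() (RolloverOutcome, error) {
	oldKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return RolloverOutcome{}, err
	}
	newKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return RolloverOutcome{}, err
	}

	// Constructed stand-in for a signed SAML assertion; a real one is XML carrying
	// an enveloped XML-DSig, but the key-acceptance logic is the same.
	assertion := []byte(`<saml:Assertion ID="_constructed-example">...</saml:Assertion>`)
	sigOld, err := Sign(oldKey, assertion)
	if err != nil {
		return RolloverOutcome{}, err
	}
	sigNew, err := Sign(newKey, assertion)
	if err != nil {
		return RolloverOutcome{}, err
	}

	// Overlap stage: both keys published. Retired stage: old key removed.
	overlap := Metadata{SigningKeys: []SigningKey{
		{Label: "signing-old", Public: &oldKey.PublicKey},
		{Label: "signing-new", Public: &newKey.PublicKey},
	}}
	retired := Metadata{SigningKeys: []SigningKey{
		{Label: "signing-new", Public: &newKey.PublicKey},
	}}

	var out RolloverOutcome
	_, err = overlap.Verify(assertion, sigOld)
	out.OverlapAcceptsOld = err == nil
	_, err = overlap.Verify(assertion, sigNew)
	out.OverlapAcceptsNew = err == nil
	_, err = retired.Verify(assertion, sigOld)
	out.RetiredRejectsOld = errors.Is(err, ErrNoMatchingKey)
	_, err = retired.Verify(assertion, sigNew)
	out.RetiredAcceptsNew = err == nil
	return out, nil
}

func main() {
	out, err := SimulateRollover()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

Run with `go run`; the two RSA keys are generated on each run. Two practical consequences follow from the model: an SP must refresh IdP metadata often enough to learn the incoming key before the IdP cuts over to it, and it is the removal of the retired key from metadata (not the passage of time) that ends that key's ability to produce accepted assertions, which is why a breach response leans on republishing metadata without the compromised key.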

Implementing security standards for vendors

  • Vendors may need to update sample implementations for SL1
  • OIDC may be more tenable than SAML for SL1 compatibility

Interoperability between OIDC and SAML protocols for identity services

  • Discussion of interoperability challenges with OIDC and SAML protocols in identity services

IdP support for OpenID Connect and SAML in modernization efforts

  • IdPs should support both OIDC and SAML for greenfield apps
  • Supporting both protocols in the IdP would simplify modernization for new apps

OpenID Connect and SAML compatibility for identity services and applications

  • Existing SAML deployments should be upgraded to OpenID Connect SL1 for interoperability
  • New applications should use OpenID Connect for compliance, while existing applications with SAML can keep working

Implementing OpenID Connect in existing applications with varying levels of adoption and perceptions of security and equivalence to SAML

  • SAML is often preferred over OpenID Connect due to RFP requirements