IPSIE WG Meeting Minutes

Date: 2025-06-10

Attendees

• Aaron Parecki (Okta)
• Mark Maguire (Aujas Cybersecurity)
• Shannon Roddy (self/LBL)
• Kenn Chong (RSA)
• Sean Miller (RSA)
• Jeff Bounds (SailPoint)
• Karl McGuinness (Self)
• Alex B Chalmers (Self)
• Dick Hardt (Hellō)
• Jon Bartlett (Zscaler)
• Dean H. Saxe (self)
• George Fletcher (Practical Identity LLC)
• Bjorn Hjelm (Yubico)
• Jen Schreiber (Workday)
• Ameya Hanamsagar (Meta)
• Travis Tripp (HPE)

Agenda

• Welcome and antitrust policy reminder https://openid.net/antitrust
• OpenID Contributor Agreement reminder https://openid.net/intellectual-property
• Reminder about OpenID Slack
  • invite link: https://join.slack.com/t/oidf/shared_invite/zt-30zg9louv-3HgJEwIL7vB3uWv2KEbLtw
• Community Events
  • Identiverse June 3-6
• Review profiles & issues
  • https://github.com/openid/ipsie/issues?q=state%3Aopen%20label%3A%22agenda%22
  • Check in with Dick about Connect WG status
    • https://github.com/dickhardt/enterprise-extensions
  • Refresh tokens vs full page redirects
    • https://github.com/openid/ipsie/issues/74

Notetaker:

Minutes

• Recap of community events (IPSIE Panel at Identiverse)

  • Very good attendance. More than 100 people. 1 Shoutout to IPSIE on Keynote stage by Matt Caulfield from Duo. No room for IPSIE interop at Gartner. Look to do remote interop

• Session Lifetime Claim Draft adopted by OpenID working group. (Dick Hardt and Karl McGuinness)

  • Next steps:
    • Update repo with new draft

• FAL2 (Dean)

  • Haven't made much progress
  • Expect to have time for it this week

• Submitted SCIM draft (Mark & Jen)

  • Have not done adoption call for this yet.
  • If it is not adopted, harder to justify spending working group time on it.
  • Think it's not in a good enough state to adopt now but will review in a couple of weeks.

• Issue Review

  • SL1
    • Haven't officially talked about whether we want to discuss tenancy claims
    • Question: Did we resolve the no ACR? Clarity is needed to close out SL1. Do we need a new value in IANA registry? For the MFA any use case (Must enforce MFA and communicate). Minimum is phr. Reuse redfed? Current IPSE states that claim must contain acr and amr claims. MFA any doesn't have a clear signal today. Shoud this reside in enterprise extensions?
    • Describe what we believe the desired security level is for AAL2. Maybe go through list of combinations and document. (George)
    • There is no context to the acr. Don't know if it is JIT stepup. No signaling with the IDP. Just sees it as signon request. Protocol gap with OIDC. Don't know when to lower the assurance requirement. (Karl)
    • Hard to understand the why. e.g. tamperproof, how does it shore up security profile (Sean)
    • Gap between two different trust domains. Bridging two security models and two domains. Can't do it with acr. (George)
    • Narrowed scope of SL1 to minting tokens (Karl)
    • Is this something we should be focusing on in IPSIE? Provide the ability for an RP to require MFA and IDP to enforce it. Can it delegate that to the IDP. There is no interoperability for how this is supposed to happen. If you specify a value in acr, there has to a mapping (Karl)
    • Potential way forward. Define new acr value and register with IANA: IPSIE-SL1. Then in text define what it means. Gets us past IPSE issues line item (George)
    • Action: George to create issue and put information. Can pick this up at another time.