Chair: Gary Cole
Attendees:
Gary Cole (Oracle)
Marco Fanti (Oracle)
Karsten Huneycutt (UNC-Chapel Hill)
Phil Hunt (Oracle)
Kent Spaulding (Oracle)
Prateek Mishra (Oracle)
1) Call Roll:
- Gary took roll.
- Quorum *was* achieved (5 of 5 voting members attended)
- Voting status changes: Phil Hunt now has voting status.
2) Approve minutes from Mar 12 meeting.
- No one objected to approving the minutes as posted in the calendar event.
3) SCIM Strategy (Prateek Mishra / Phil Hunt)
- Report on events at IETF related to SCIM
- Outlook for convergence
- Implications for PSTC
SCIM Consortium currently has Ping Identity, Salesforce, UnboundID (and sometimes Google in the background):
- Use-cases say they're solving the broader problem, but currently somewhat LDAP-centric.
- Writing objects into the directory server is seen as the only type of provisioning that is necessary.
- SCIM is currently aimed mainly at the "service provider" (application vendor):
-- RESTful API to LDAP.
-- single endpoint.
- Managed objects tend to become complex--e.g., denormalized blend of user attributes, accounts and entitlements.
Identity Management (in the context of provisioning) can involve "hubs", "gateways" and "spokes" (in Phil's terms):
- SCIM is currently oriented to a single-spoke.
- Both hubs (e.g., IDM systems) and gateways (e.g., cloud-vendor or decentralized-IDM node) expose multiple targets.
Phil made a "Targeting Proposal" to allow a SCIM server to expose multiple targets:
- The Targeting Proposal adds a layer to the URL path (i.e., "Targets/<TargetName>" before "/Users" and before "/Groups").
- The Targeting Proposal also formalizes references from a User on one target to accounts on other targets.
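As an added illustration (this code is not from the minutes, from Phil's proposal text, or from any SCIM draft), the following Python models the path shape the minutes attribute to the Targeting Proposal: a "/Targets/<TargetName>" segment in front of "/Users" and "/Groups", handled side by side with the plain single-endpoint SCIM 1.0 paths, plus a hub/gateway that follows a User's references to accounts on other targets. Everything beyond those two path segments is an assumption made for the example: the implicit "default" target used for untargeted paths, the "accounts" attribute holding cross-target references, the Gateway class, and the constructed sample data.

```python
"""Toy model of a SCIM endpoint with and without a "/Targets/<name>" layer.

Added example only; the default target name, the "accounts" reference
attribute and the sample data below are assumptions, not SCIM or PSTC text.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Assumption: an untargeted SCIM 1.0 path is treated as one implicit target so
# that hub/gateway code can route both path shapes the same way.
DEFAULT_TARGET = "default"

_TARGETED = re.compile(r"^/Targets/(?P<target>[^/]+)/(?P<rtype>Users|Groups)(?:/(?P<rid>[^/]+))?$")
_PLAIN = re.compile(r"^/(?P<rtype>Users|Groups)(?:/(?P<rid>[^/]+))?$")


@dataclass(frozen=True)
class Ref:
    """A resolved SCIM resource address: target, resource type, optional id."""
    target: str
    rtype: str
    rid: Optional[str]


def parse_path(path: str) -> Ref:
    """Map a resource path to (target, resource type, id).

    Anything outside the two supported shapes raises, so a hub never silently
    routes an unrecognised path to the default target.
    """
    m = _TARGETED.match(path) or _PLAIN.match(path)
    if not m:
        raise ValueError(f"unsupported SCIM path: {path!r}")
    g = m.groupdict()
    return Ref(g.get("target") or DEFAULT_TARGET, g["rtype"], g.get("rid"))


def build_path(ref: Ref) -> str:
    """Inverse of parse_path: targeted form, or the plain SCIM 1.0 form for the default target."""
    tail = f"/{ref.rtype}" + (f"/{ref.rid}" if ref.rid else "")
    return tail if ref.target == DEFAULT_TARGET else f"/Targets/{ref.target}{tail}"


@dataclass
class Gateway:
    """A hub or gateway (the minutes' terms) exposing several targets at once."""
    # target name -> {"Users": {id: record}, "Groups": {id: record}}
    targets: dict

    def lookup(self, path: str) -> dict:
        ref = parse_path(path)
        store = self.targets.get(ref.target)
        if store is None:
            raise LookupError(f"unknown target {ref.target!r}")
        if ref.rid is None:
            raise ValueError(f"a resource id is required to look up {path!r}")
        try:
            return store[ref.rtype][ref.rid]
        except KeyError:
            raise LookupError(f"{ref.rtype}/{ref.rid} not found on target {ref.target!r}") from None

    def resolve_accounts(self, path: str) -> tuple[list[Ref], list[str]]:
        """Follow the assumed "accounts" attribute of a User to accounts on other targets.

        Only references that parse, point at a User, and resolve on a target this
        gateway actually serves are returned; the rest are reported, not dropped,
        so a dangling or foreign reference is visible to the caller.
        """
        user = self.lookup(path)
        resolved, errors = [], []
        for acct in user.get("accounts", []):
            try:
                ref = parse_path(acct)
                if ref.rtype != "Users":
                    raise ValueError(f"account reference must point at a User: {acct!r}")
                self.lookup(acct)
            except (ValueError, LookupError) as exc:
                errors.append(str(exc))
                continue
            resolved.append(ref)
        return resolved, errors


# Constructed sample data for the example (not from any real deployment):
# one HR "hub" user holding references into an LDAP target, a CRM target,
# and a payroll target this gateway does not serve.
SAMPLE = Gateway(targets={
    "hr": {"Users": {"u1": {"userName": "alice", "accounts": [
        "/Targets/ldap/Users/uid=alice",
        "/Targets/crm/Users/42",
        "/Targets/payroll/Users/7",
    ]}}, "Groups": {}},
    "ldap": {"Users": {"uid=alice": {"userName": "alice"}}, "Groups": {}},
    "crm": {"Users": {"42": {"userName": "alice.c"}}, "Groups": {}},
})

if __name__ == "__main__":
    ok, bad = SAMPLE.resolve_accounts("/Targets/hr/Users/u1")
    print("resolved:", [build_path(r) for r in ok])
    print("rejected:", bad)
```

The point of the two path shapes living in one parser is that a hub or gateway can front a single-endpoint SCIM 1.0 service-provider as just another target; the point of returning rejected references instead of ignoring them is that a provisioning hub should never quietly follow a reference to a target it does not manage.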
Outlook for convergence is currently unclear:
- Many members want only to approve SCIM 1.0 as-is.
- The charter draft now mentions "targeting", if somewhat vaguely (and optionally).
Gary says that these gaps are critical from a provisioning perspective.
Karsten says that identity-management is broader than a single-endpoint.
Possible Courses of Action:
#1. Influence SCIM at IETF. Try to build support for Targeting Proposal or equivalent.
#2. Define RESTPML to wrap SCIM. Follow its style and add a layer to represent "targets".
#3. Define RESTPML independent of SCIM. Consider SCIM merely an endpoint-protocol.
Phil suggests some combination of #1 and #2. Wait a little longer until we see what happens with SCIM.
Prateek agrees.
Karsten points out that REST won't do everything--unless you clearly define attributes:
- Without explicit operations, one must specify schema carefully (and each provider must honor the contract).
- Sometimes it's nicer if your provider stays "dumb"--implementation is simpler when operations are explicit.
4) AOB: None.