Subject: ID-Cloud - Meeting Minutes 26 July 2010



Oasis ID-Cloud TC Meeting Minutes (26 July 2010)
------------------------------------------------

(1) Roll Call: quorum achieved.

(2) Minute taker: Thomas Hardjono.

(3) Approval of last meeting minutes (July 12, 2010):
http://www.oasis-open.org/apps/org/workgroup/id-cloud/email/archives/201007/msg00020.html

   Motion: Gershon Janssen.
   Second: Jerry Smith
   No objections. Motion passes. Minutes approved.


(4) Use Cases: Patrick Harding (Ping Identity)
http://www.oasis-open.org/apps/org/workgroup/id-cloud/email/archives/201007/msg00007.html

Presentation by Pat
-------------------
  - Identity needs to work consistently regardless of the platform.
  - Must work across SaaS, PaaS, IaaS, etc.
  - Some of the use-cases will be presented at conference (?)
  - How do we handle identity across hundreds of apps and clouds.
  - There are a set of common scenarios across groups/types of 
    use cases.
  - Use-cases, Scenarios and Goals.

(A) Use-cases:

 [1] Use-Case #1: Workforce use-case
     - Workforce/employees accessing productivity apps out there 
       in the cloud (eg. email, word-processing, etc).

     - The Enterprise is the authoritative source of identity.
       + May even have an internal directory of 
         identities (eg. Active Directory).

     - Alternatively, the authoritative source of identity may be in 
       the cloud itself
       + this approach not common today, but in a few years 
         may be predominant.

 [2] Use-Case #2: Business Partners use-case
     - Enterprise giving access to apps to their partners.
       + eg. supply-chain partners.
       + Usually this means Enterprise also has to manage 
         identity of their partners.

     - Apps may be maintained on-premise or be running in the cloud.
     - Enterprise wants to push management of identities of 
       partners back to these partners themselves.
       + ie. partners should manage/control their own users.

 [3] Use-Case #3: Customer/Consumer View
     - Enterprise has customers to whom they wish to give 
       access to (internal) apps.
       + Here the Enterprise is like an SP and may in fact be a SaaS.

     - Enterprise/organization wants to allow direct-to-consumer
       access to apps:
       + Seamless access, but
       + customer may be using consumer-identity 
         provider (eg. Google, OpenID, etc).
       + The apps may be on-premise or in the cloud.


(B) Scenarios:
- These are scenarios that are common to the use-cases and 
  need to be (must be) addressed by the ID-Cloud TC.

 [a] Authentication & SSO:
     - Goal of SSO is still to reduce the number of passwords used.
     - Need to work for browser Apps and API Accesses (for 
       installed apps on PCs/desktops, mobiles, and APIs in portals).

 [b] Account Update/Deletion (aka "Provisioning")
     - Consistent maintenance of user accounts in cloud applications.

 [c] Audit:
     - Ability of Enterprise/org to seamlessly view/access 
       all logs after the fact:
       + for all (across all) apps in the cloud.
       + Feed this data into a central point.

 [d] Authorization and Delegation.


(C) Goals:
 - Drive out (eliminate) directory synchronization that uses 
   back-channels to synchronize identities across directories.
 - Use claims-based architecture/approach.
 - Just-in-time (JIT) dynamic model to do SSO and account management.
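The goals above (claims-based, JIT SSO and account management, no back-channel directory sync) are stated only at the level of intent. The following is an added illustrative example, not code from the ID-Cloud TC, Ping Identity or any vendor named in these minutes, of what a JIT provisioner at a cloud application looks like: the account is created or refreshed from the claims of each verified SSO assertion, group revocations take effect at the next login, and the returned audit event names the asserting issuer and subject rather than only an app-local id. The claim names (iss, sub, exp, email, name, groups), the in-memory account store, the deactivation window and the audit-event shape are assumptions chosen for the example.

```python
"""Just-in-time (JIT) account provisioning driven by SSO claims.

Added illustrative example, not code from the ID-Cloud TC, Ping Identity or
any vendor named in the minutes. The claim names (iss, sub, exp, email, name,
groups), the in-memory account store and the returned audit-event shape are
assumptions chosen for the example.
"""
from dataclasses import dataclass, field
import time


@dataclass
class Account:
    issuer: str          # IdP that asserted this identity
    subject: str         # IdP-local subject identifier
    email: str
    display_name: str
    groups: set = field(default_factory=set)
    active: bool = True
    last_sso: float = 0.0


class JitProvisioner:
    """Creates or refreshes a cloud-app account at SSO time from verified claims.

    No batch job copies the enterprise directory into the app: an account
    exists only after its user has actually signed on, and every later SSO
    re-applies the current claims, so attribute and group changes (including
    revocations) take effect at the next login instead of the next sync run.
    """

    REQUIRED = ("iss", "sub", "email", "name")

    def __init__(self, trusted_issuers, clock=time.time):
        self.trusted_issuers = set(trusted_issuers)
        self.accounts = {}      # (issuer, subject) -> Account
        self.clock = clock      # injectable so tests are deterministic

    def provision(self, claims):
        """Apply one verified assertion; return an audit event of what changed.

        `claims` is assumed to come from an assertion whose signature the SSO
        layer has already checked; this method still enforces required
        attributes, issuer trust and expiry before touching the account store.
        """
        missing = [k for k in self.REQUIRED if k not in claims]
        if missing:
            raise ValueError(f"assertion lacks required claims: {missing}")
        if claims["iss"] not in self.trusted_issuers:
            raise PermissionError(f"untrusted issuer {claims['iss']!r}")
        now = self.clock()
        if claims.get("exp", 0) <= now:
            raise PermissionError("assertion expired; refusing to provision")

        # Key on (issuer, subject): two IdPs asserting the same subject string
        # must not collapse into one account.
        key = (claims["iss"], claims["sub"])
        wanted_groups = set(claims.get("groups", []))
        acct = self.accounts.get(key)

        if acct is None:
            acct = Account(claims["iss"], claims["sub"], claims["email"],
                           claims["name"], wanted_groups, True, now)
            self.accounts[key] = acct
            added, removed = sorted(wanted_groups), []
            action = "created"
        else:
            added = sorted(wanted_groups - acct.groups)
            removed = sorted(acct.groups - wanted_groups)
            acct.email, acct.display_name = claims["email"], claims["name"]
            acct.groups = wanted_groups
            acct.active = True          # a fresh SSO reactivates an idle account
            acct.last_sso = now
            action = "updated"

        # The audit event names the actual user (issuer + subject) so the
        # record can be traced back to the person, not just an app-local id.
        return {"action": action, "issuer": acct.issuer, "subject": acct.subject,
                "groups_added": added, "groups_removed": removed, "at": now}

    def deactivate_idle(self, max_idle_seconds):
        """JIT counterpart to deprovisioning: accounts no SSO has refreshed
        within the window are deactivated. Returns the keys deactivated."""
        cutoff = self.clock() - max_idle_seconds
        idle = [k for k, a in self.accounts.items()
                if a.active and a.last_sso < cutoff]
        for k in idle:
            self.accounts[k].active = False
        return idle
```

The point of `deactivate_idle` is the failure mode JIT introduces: with no sync feed, the app never learns that an employee left, so it has to treat absence of SSO as the deprovisioning signal, with a window short enough to be acceptable to the enterprise's audit owners.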



Questions and discussions
-------------------------

John Dilley - Q: Any more background on this?
   Pat - A: We're not yet at that point. These are only high level
            use-cases.

   Anil: We need common definition /glossary. Abbie Barbir plans 
        to provide some ITU definition, but he is not on the call.

   JohnD: Recommend we not reinvent/recreate, but make use of
          existing work from other standards/groups. 
          Collect pointers to and improve existing standards.


Anil - Q: API aspects, we need to expand on the API aspect of use-cases.

   Pat - A: yes will do. Some data from SalesForce.com:
            + 50% of calls/connections from browser based apps.
            + other 50% of calls/connections from APIs.

   Pat:  we can do better than point-to-point VPNs.
   Anil: We need champions of use-cases to write/expand on them.


Anil - Q: Auditing standards

   Anil: We need common auditing formats
         There is the CloudAudit group, and Liaison with 
         them might be useful.

   Pat: Several groups/standards on Audit (Open System, CIM, etc),
        but there are also gaps.

   Matt R.: Roles delegations also needed.
            Roles and delegations must mean the same 
            thing across clouds.

   Kurt R.: Capabilities need to be tied to identity of the individual 
            and of the process/software (eg. apps running in the cloud).
            Need to keep track of these identities for legal 
            purposes (eg. in lawsuit, subpoenas, etc).

   Matt R.: Actions of users/identities must refer back to the 
            actual user for auditing needs.


Anil S.: Just-in-time provisioning is a good idea to be 
         addressed by the TC.

Matt R.: Need to repurpose many access control structures(?)

Pat: How to architect accounts so that users can use apps 
     seamlessly and avoid directory synchronization. 
     We need a more scalable/dynamic model (for acct management).


Anil S.: Will Just-in-time (JIT) model (for SSO and 
         provisioning) scale?

   Pat: Yes, JIT provisioning can scale.
        Identity verification occurs at run-time (eg. at SSO time),
        and not through overnight/batch synchronization.


Matt R.: There is convergence of SSO and AuthZ.

   Pat: Need to move user info (claims verification) into a 
        run-time model. (?)
        - JIT authorization where cloud apps can call-back 
          to IdPs to re-verify user's access rights.

    Matt R.: Some Service Providers in fact prefer IdPs to setup 
             and manage authorizations.

    Pat: Today when SP delegates AuthZ to IdPs, we are 
         restricted by the Cloud Provider and their choice of IdPs.
         - Delegation must be uniform across clouds.

Anil/Pat: to start thread on mail-list on these 3 items.

Anil will also send links to his slides from last week's Cloud Identity Summit.


(5) Webinar Ballot:
- Consensus: Yes go ahead with webinar plans.
- Oasis Program Manager (Dee Schur) is on holiday, thus webinar may 
  be in September.


(6) F2F meeting plans:
- Room has been booked.
- In Washington DC at Oasis Identity Management Conference.
- Our F2F meeting either on Sept 29th or 30th.


(7) Other:
Pat: Plans/deadlines for draft doc of use-cases? It'd be nice to 
     get draft done prior to F2F meeting.

Anil: Current plan is to publish in November. So having a draft 
      of the doc out for our internal review before Sept F2F 
      is a good idea.

Thomas: Process to edit use-cases doc?

Matt: What is the template (is there one)?

Tony: No Oasis template. We can use template from other 
      groups/organizations, subject to approval from Mary/Oasis.

Matt: Example is DMTF template.

Next steps/plans for doc:
- Anil: Action Item to find suitable template.
- Matt/Thomas to be editors of use-cases doc.
  (Tom Bishop indicated interest, but has not been at TC calls recently).
- Start mail thread regarding template.
- Matt: will try to massage all these use-case texts into a 
        better form for review.

(8) Adjourn:
  Motion to adjourn: Thomas Hardjono.
  Second: Gershon Janssen.
  No objections. Motion passes. Meeting adjourned.

_________________________________
chatroom dump:

anonymous morphed into Matt Rutkowski (IBM)
anonymous morphed into Michael Stiefel
anonymous morphed into Kurt Roemer
Kurt Roemer morphed into Kurt Roemer (Citrix)
anonymous morphed into Dan Perry (Skyworth TTG)
anonymous morphed into Ross J. Micheals (NIST)
anonymous morphed into DaleMoberg
Siddharth Bajaj: Siddharth Bajaj (VeriSign) is on the call...
anonymous morphed into John Dilley (Akamai)
anonymous1: Meeting Attendees
Name Company Status
John Dilley Akamai Technologies 
Mark Robinton HID Global 
Robert Cope Homeland Security Consultants 
Matthew Rutkowski IBM 
Gershon Janssen Individual 
Michael Stiefel* Individual 
Thomas Hardjono M.I.T. 
Anthony Nadalin Microsoft Corporation 
Patrick Harding Ping Identity Corporation* 
Anil Saldhana Red Hat 
Ricardo Ushizaki Serasa S.A. 
Daniel Perry Skyworth TTG Holdings Limited 
Tom Clifford Symantec Corp.* 
Darren Platt Symplified 
Travis Yoes Symplified 
Kyle Austin TriCipher, Inc. 
Jerry Smith US Department of Defense (DoD)* 
Brian Marshall Vanguard Integrity Professionals 
Siddharth Bajaj VeriSign 
Daniel Turissini WidePoint Corporation
anonymous1: Voting Members: 14 of 24 (58%) (used for quorum calculation)
anonymous2 morphed into AnilSaldhana(RedHat)
AnilSaldhana(RedHat): You can mute with *6
Matt Rutkowski (IBM): I heard the following explicit examples given during the use case description:
Workforce - Active Directory
Business - Sharepoint, push control back to partners (Access control)
Customer - SaaS vendor like "Workday", Windows Live mentioned as well
Wanted to make sure the meeting minutes reflected some of these examples as we further develop them.
anonymous morphed into Travis Yoes
