Subject: Re: [id-cloud] ID-Cloud - Meeting Minutes 26 July 2010


  On 07/26/2010 04:05 PM, Thomas Hardjono wrote:
> Oasis ID-Cloud TC Meeting Minutes (26 July 2010)
> ------------------------------------------------
>
> (1) Roll Call: quorum achieved.
Roll Call is in the Chat Room Transcript at the bottom of this email.

Membership Status Changes:
Brian Marshall (Vanguard), Daniel Perry (Skyworth), Jerry Smith (US DOD), James Ducharme (Aveksa) gain voting rights
Tony Nadalin (Microsoft), Darren Platt (Symplified) regain voting rights
Heather Hinton (CA), Jeff Broberg (CA) lose voting rights

> (2) Minute taker: Thomas Hardjono.
>
> (3) Approval of last meeting minutes (July 12, 2010):
> http://www.oasis-open.org/apps/org/workgroup/id-cloud/email/archives/201007/msg00020.html
>
>     Motion: Gershon Janssen.
>     Second: Jerry Smith
>     No objections. Motion passes. Minutes approved.
>
>
> (4) Use Cases: Patrick Harding (Ping Identity)
> http://www.oasis-open.org/apps/org/workgroup/id-cloud/email/archives/201007/msg00007.html
>
> Presentation by Pat
> -------------------
>    - Identity needs to work consistently regardless of the platform.
>    - Must work across SaaS, PaaS, IaaS, etc.
>    - Some of the use-cases will be presented at conference (?)
>    - How do we handle identity across hundreds of apps and clouds.
>    - There are a set of common scenarios across groups/types of
>      use cases.
>    - Use-cases, Scenarios and Goals.
>
> (A) Use-cases:
>
>   [1] Use-Case #1: Workforce use-case
>       - Workforce/employees accessing productivity apps out there
>         in the cloud (eg. email, word-processing, etc).
>
>       - The Enterprise is the authoritative source of identity.
>         + May even have an internal directory of
>           identities (eg. Active Directory).
>
>       - Alternatively authoritative source of identity may be in
>         the cloud itself
>         + this approach not common today, but in a few years
>           may be predominant.
>
>   [2] Use-Case #2: Business Partners use-case
>       - Enterprise giving access to apps to their partners.
>         + eg. supply-chain partners.
>         + Usually this means Enterprise also has to manage
>           identity of their partners.
>
>       - Apps may be maintained on-premise or be running in the cloud.
>       - Enterprise wants to push management of identities of
>         partners back to these partners themselves.
>         + ie. partners should manage/control their own users.
>
>   [3] Use-Case #3: Customer/Consumer View
>       - Enterprise has customers to whom they wish to give
>         access to (internal) apps.
>         + Here Enterprise is like a SP and may in fact be an SaaS.
>
>       - Enterprise/organization wants to allow direct-to-consumer
>         access to apps:
>         + Seamless access, but
>         + customer may be using consumer-identity
>           provider (eg. Google, OpenID, etc).
>         + The apps may be on-premise or in the cloud.
>
>
> (B) Scenarios:
> - These are scenarios that are common to the use-cases and
>    need to be (must be) addressed by the ID-Cloud TC.
>
>   [a] Authentication & SSO:
>       - Goal of SSO is still to reduce the number of passwords used.
>       - Need to work for browser Apps and API Accesses (for
>         installed apps on PCs/desktops, mobiles, and APIs in portals).
>
>   [b] Account Update/Deletion (aka "Provisioning")
>       - Consistent maintenance of user accounts in cloud applications.
>
>   [c] Audit:
>       - Ability of Enterprise/org to seamlessly view/access
>         all logs after the fact:
>         + for all (across all) apps in the cloud.
>         + Feed this data into a central point.
>
>   [d] Authorization and Delegation.
>
>
> (C) Goals:
>   - Drive out (eliminate) directory synchronization that use
>     back-channels to synchronize identities across directories.
>   - Use claims-based architecture/approach.
>   - Just-in-time (JIT) dynamic model to do SSO and account management.
>
>
>
> Questions and discussions
> -------------------------
>
> John Dilley - Q: Any more background on this?
>     Pat - A: We're not yet at that point. These are only high level
>              use-cases.
>
>     Anil: We need common definition /glossary. Abbie Barbir plans
>          to provide some ITU definition, but he is not on the call.
>
>     JohnD: Recommend we not reinvent/recreate, but make use of
>            existing work from other standards/groups.
>            Collect pointers to and improve existing standards.
>
>
> Anil - Q: API aspects, we need to expand on the API aspect of use-cases.
>
>     Pat - A: yes will do. Some data from SalesForce.com:
>              + 50% of calls/connections from browser based apps.
>              + other 50% of calls/connections from APIs.
>
>     Pat:  we can do better than point-to-point VPNs.
>     Anil: We need champions of use-cases to write/expand on them.
>
>
> Anil - Q: Auditing standards
>
>     Anil: We need common auditing formats
>           There is the CloudAudit group, and Liaison with
>           them might be useful.
>
>     Pat: Several groups/standards on Audit (Open System, CIM, etc),
>          but there are also gaps.
>
>     Matt R.: Roles delegations also needed.
>              Roles and delegations must mean the same
>              thing across clouds.
>
>     Kurt R.: Capabilities need to be tied to identity of the individual
>              and of the process/software (eg. apps running in the cloud).
>              Need to keep track of these identities for legal
>              purposes (eg. in lawsuit, subpoenas, etc).
>
>     Matt R.: Actions of users/identities must refer back to the
>              actual user for auditing needs.
>
>
> Anil S.: Just-in-time provisioning is a good idea to be
>           addressed by the TC.
>
> Matt R.: Need to repurpose many access control structures(?)
>
> Pat: How to architect accounts so that users can use apps
>       seamlessly and avoid directory synchronization.
>       We need a more scalable/dynamic model (for acct management).
>
>
> Anil S.: Will Just-in-time (JIT) model (for SSO and
>           provisioning) scale?
>
>     Pat: Yes, JIT provisioning can scale.
>          Identity verification occurs at run-time (eg. at SSO time),
>          and not through overnight/batch synchronization.
>
>
> Matt R.: There is convergence of SSO and AuthZ.
>
>     Pat: Need to move user info (claims verification) into a
>          run-time model. (?)
>          - JIT authorization where cloud apps can call-back
>            to IdPs to re-verify user's access rights.
>
>      Matt R.: Some Service Providers in fact prefer IdPs to setup
>               and manage authorizations.
>
>      Pat: Today when SP delegates AuthZ to IdPs, we are
>           restricted by the Cloud Provider and their choice of IdPs.
>           - Delegation must be uniform across clouds.
>
> Anil/Pat: to start thread on mail-list on these 3 items.
>
> Anil will also send links to his slides from last week's Cloud Identity Summit.
>
>
> (5) Webinar Ballot:
> - Consensus: Yes go ahead with webinar plans.
> - Oasis Program Manager (Dee Schur) is on holiday, thus webinar may
>    be in September.
>
>
> (6) F2F meeting plans:
> - Room has been booked.
> - In Washington DC at Oasis Identity Management Conference.
> - Our F2F meeting either on Sept 29th or 30th.
>
>
> (7) Other:
> Pat: Plans/deadlines for draft doc of use-cases? It'd be nice to
>       get draft done prior to F2F meeting.
>
> Anil: Current plan is to publish in November. So having a draft
>        of the doc out for our internal review before Sept F2F
>        is a good idea.
>
> Thomas: Process to edit use-cases doc?
>
> Matt: What is the template (is there one)?
>
> Tony: No Oasis template. We can use template from other
>        groups/organizations, subject to approval from Mary/Oasis.
>
> Matt: Example is DMTF template.
>
> Next steps/plans for doc:
> - Anil: Action Item to find suitable template.
> - Matt/Thomas to be editors of use-cases doc.
>    (Tom Bishop indicated interest, but has not been at TC calls recently).
> - Start mail thread regarding template.
> - Matt: will try to massage all these use-case texts into a
>          better form for review.
>
> (8) Adjourn:
>    Motion to adjourn: Thomas Hardjono.
>    Second: Gershon Janssen.
>    No objections. Motion passes. Meeting adjourned.
>
> _________________________________
> chatroom dump:
>
> anonymous morphed into Matt Rutkowski (IBM)
> anonymous morphed into Michael Stiefel
> anonymous morphed into Kurt Roemer
> Kurt Roemer morphed into Kurt Roemer (Citrix)
> anonymous morphed into Dan Perry (Skyworth TTG)
> anonymous morphed into Ross J. Micheals (NIST)
> anonymous morphed into DaleMoberg
> Siddharth Bajaj: Siddharth Bajaj (VeriSign) is on the call...
> anonymous morphed into John Dilley (Akamai)
> anonymous1: Meeting Attendees
> Name Company Status
> John Dilley Akamai Technologies
> Mark Robinton HID Global
> Robert Cope Homeland Security Consultants
> Matthew Rutkowski IBM
> Gershon Janssen Individual
> Michael Stiefel* Individual
> Thomas Hardjono M.I.T.
> Anthony Nadalin Microsoft Corporation
> Patrick Harding Ping Identity Corporation*
> Anil Saldhana Red Hat
> Ricardo Ushizaki Serasa S.A.
> Daniel Perry Skyworth TTG Holdings Limited
> Tom Clifford Symantec Corp.*
> Darren Platt Symplified
> Travis Yoes Symplified
> Kyle Austin TriCipher, Inc.
> Jerry Smith US Department of Defense (DoD)*
> Brian Marshall Vanguard Integrity Professionals
> Siddharth Bajaj VeriSign
> Daniel Turissini WidePoint Corporation
> anonymous1: Voting Members: 14 of 24 (58%) (used for quorum calculation)
> anonymous2 morphed into AnilSaldhana(RedHat)
> AnilSaldhana(RedHat): You can mute with *6
> Matt Rutkowski (IBM): I heard the following explicit examples given during the use case description:
> Workforce - Active Directory
> Business - Sharepoint, push control back to partners (Access control)
> Customer - SaaS vendor like "Workday", Windows Live mentioned as well
> Wanted to make sure the meeting minute reflected some of these examples as we further develop the them.
> anonymous morphed into Travis Yoes
>
> ____________________________________________
>

