saml-dev message



Subject: Re: [saml-dev] Any common identity creation profile?


On 3/29/12 6:36 PM, "Will Hartung" <willh@mirthcorp.com> wrote:
>
>The issue we have is that there's no way for an administrator of the
>local application to do any provisioning of users before they log in
>because the application has never seen the user before.

>So, we want to create a process to push identities out to the compatible
>applications, so that will be possible.

How would an administrator of a local application have any access to the
IdP to do this, and how would he/she signal which user(s) were meant?

And is it really efficient to do this one at a time?

I think SPML was meant to be the way to wrap SAML-based representations of
users for more efficient push operations like that. Using assertions just
doesn't map well to any notion of provisioning in bulk.

>My question is simply if there's an existing profile in common use I
>could leverage already, and/or any pointers on how to leverage a SAML
>assertion in my own payload. Can I simply make my own RequestType that
>extends RequestAbstractType, and add an Assertion element to the request?
>Is that the best way to do this?

There was a ChangeNotify protocol proposal that probably has some overlap
with something you're thinking of. It essentially signals that some
protocol flow is available, push or pull, to move user data around.

I suppose industry-wise, there's SCIM, which doesn't seem much more than a
reinvention of batch feeds to me, but I'm sure others will advocate for
that.

-- Scott
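An added illustration of the design question in this message (it is not code from the thread, from any OASIS specification, or from Mirth): a hypothetical ProvisionRequest in an assumed namespace `urn:example:provisioning:1.0` that carries the attributes of samlp:RequestAbstractType (ID, Version, IssueInstant) and a saml:Issuer, with a saml:Assertion as its payload. The receiving application unwraps the assertion and turns it into a provisioning record, but only after checking the assertion's Conditions (validity window and AudienceRestriction). The sample assertion is constructed for the example. XML Signature verification is deliberately left out because it needs an XMLDSig library; in a push channel the request or the assertion must be signed by the IdP and verified before anything below is trusted, otherwise anyone who can reach the endpoint can create accounts.

```python
"""Wrap a SAML assertion in a custom request type and extract a provisioning
record from it. Hypothetical illustration; the prov: namespace is invented."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    # Assumed namespace for the custom request type; not defined by any SAML spec.
    "prov": "urn:example:provisioning:1.0",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)


def q(prefix, local):
    """Clark-notation tag for a prefixed name."""
    return "{%s}%s" % (NS[prefix], local)


# Constructed sample: what an IdP might push for one user (no Signature here).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2012-03-30T10:00:00Z">
  <saml:Issuer>https://idp.example.org/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">u-42</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2012-03-30T09:55:00Z" NotOnOrAfter="2012-03-30T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://app.example.com/sp</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>admin</saml:AttributeValue><saml:AttributeValue>user</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def build_provision_request(assertion_xml, request_id, issuer, issue_instant):
    """Wrap an assertion in a prov:ProvisionRequest that carries the
    RequestAbstractType attributes (ID, Version, IssueInstant) and an Issuer."""
    req = ET.Element(q("prov", "ProvisionRequest"),
                     {"ID": request_id, "Version": "2.0", "IssueInstant": issue_instant})
    ET.SubElement(req, q("saml", "Issuer")).text = issuer
    req.append(ET.fromstring(assertion_xml))
    return ET.tostring(req, encoding="unicode")


def parse_instant(s):
    """SAML dateTime in UTC ('...Z') to an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def extract_provisioning_record(request_xml, expected_audience, now):
    """Return {"name_id", "format", "attributes"} from the embedded assertion,
    or raise ValueError when the request or its Conditions do not check out.
    NOTE: signature verification must happen before this is called."""
    req = ET.fromstring(request_xml)
    if req.tag != q("prov", "ProvisionRequest") or req.get("Version") != "2.0":
        raise ValueError("not a ProvisionRequest")
    assertion = req.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in request")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        raise ValueError("assertion has no Conditions")
    # Both bounds are optional in SAML; enforce whichever is present.
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if (not_before and now < parse_instant(not_before)) or \
       (not_on_or_after and now >= parse_instant(not_on_or_after)):
        raise ValueError("assertion outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        raise ValueError("assertion not addressed to this application")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None:
        raise ValueError("no NameID to provision")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text, "format": name_id.get("Format"), "attributes": attrs}


if __name__ == "__main__":
    request = build_provision_request(SAMPLE_ASSERTION, "_r1",
                                      "https://idp.example.org/idp", "2012-03-30T10:00:00Z")
    print(extract_provisioning_record(request, "https://app.example.com/sp",
                                      parse_instant("2012-03-30T10:00:00Z")))
```

Keying the local account on the persistent NameID (not on a mail attribute) is what lets the later SSO login match the pre-provisioned record. The short validity window and the audience check also show why one assertion per user is a poor fit for bulk feeds, which is the point made above about SPML and SCIM.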

