@aaronpk aaronpk commented Dec 17, 2024

I tried to create levels where each incremental level adds new capabilities that benefit the customer. I intentionally focus on capabilities without mentioning specifications yet.

I am much less confident about the particulars of how the higher levels are defined compared to the earlier levels, but this is hopefully a place to start the discussions.

aaronpk commented Dec 17, 2024

ipsie-levels.md Outdated
| Single Sign-On | Required (FAL2) | Required (FAL3) | Same as 2 | Same as 3 | Same as 4 |
| MFA | IdP-enforced (app doesn't need to do anything) | IdP communicates MFA level to app. App can request MFA level from IdP | Same as 2 | Same as 3 | Same as 4 |
| Revocation | RP matches session lifetime to assertion lifetime | IdP can terminate sessions for individual users in the app | Same as 2 | Same as 3 | Same as 4 |
| Provisioning | JIT provisioning from SSO | Same as 1 | Users can be provisioned before they sign in | Same as 3 | Same as 4 |
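
Review bot: The Single Sign-On row cites FAL2 and FAL3 without defining them or pointing to their source, so the table cannot be read on its own; add a footnote or link next to the table (FAL is the Federation Assurance Level defined in NIST SP 800-63C). Separately, the "Same as 2 | Same as 3 | Same as 4" cells in every row form a chain the reader has to walk back through to find the requirement that actually applies at the higher levels; consider pointing each cell directly at the level that defines the requirement, or restating it.
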
Contributor


JIT Provisioning for SSO has both 1) User and 2) User / Group provisioning / Syncing. 1 is typically done. 2 is often another level of maturity and perhaps should be a step up. It starts getting into the questions of source of truth for user group membership when used with SCIM.

Contributor


The "group" question is independent as well.

deansaxe and others added 2 commits December 17, 2024 10:26
Clarification on what defines an enterprise.
based on the discussion in the Dec 17 WG meeting
aaronpk commented Dec 17, 2024

@aaronpk aaronpk requested a review from dhs-BI December 17, 2024 18:28

@dhs-BI dhs-BI left a comment


LGTM

@dhs-BI dhs-BI merged commit 9ded241 into openid:main Dec 17, 2024