Skip to content

Update ipsie-levels.md #37

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

Update ipsie-levels.md #37

wants to merge 1 commit into from

Conversation

@2MarkMaguire
Copy link

@2MarkMaguire 2MarkMaguire commented Jan 15, 2025

Updated level definitions for lifecycle management.

@2MarkMaguire
Update ipsie-levels.md
6806431 
Updated level definitions for lifecycle management.
dhs-BI
dhs-BI reviewed Jan 17, 2025
View reviewed changes
ipsie-levels.md
| Provisioning | JIT provisioning from SSO | App MUST allow users to be provisioned by the IdP before they sign in | Same as P2 |
| Deprovisioning | None | App MUST allow users to be deprovisioned by the IdP | Same as P2 |
| Entitlements | None | None | Group provisioning and deprovisioning from IdP to app |
| Meta Data Updates | None | None | Account metadata can be updated from the IdP |
Copy link

@dhs-BI dhs-BI Jan 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'd like to discuss this further on the next call to understand the motivation behind changes from group provisioning to metadata provisioning. In my mind these are not equivalent concepts and may not capture the intent of provisioning users and groups at the RP.

Copy link
Author

@2MarkMaguire 2MarkMaguire Jan 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On last call there was a discussion about moving from 3 groups to 2. After rewriting the decision for group 2 I thought about omitting group 3, but then decided to include this to see the group's thoughts.

dhs-BI
dhs-BI reviewed Jan 17, 2025
View reviewed changes
ipsie-levels.md
### IPSIE Provisioning Level P1 - JIT Provisioning

IPSIE Provisioning Level P1 enables the IdP to provision users in the application when they log in via SSO. Users are not expected to exist in the application prior to the user logging in for the first time.
IPSIE Provisioning Level P1 enables the IdP to provision users in the application when they log in via SSO. Users are not expected to exist in the application prior to the user logging in for the first time. The application must also be configurable to allow an enterprise to restrict users from directly creating an account through an alternate sign-up method (such as "Create Account with Email"). When this restriction is applied, the only mechanism for account creation will be through the enterprise's IAM tools. Additionally, the account which is created through the JIT process must not be overpermissioned. If the IdP does not specify the level of access the user should have during account creation, the new account must be created with the minimum level of application access possible.
Copy link

@dhs-BI dhs-BI Jan 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You have a good point on restricting alternative signup methods that has not been adequately captured elsewhere. I'm not sure this belongs in the category of JIT provisioning, however, it should be considered for these levels.

The permissions are fundamentally business rules. IPSIE should avoid attempts to codify business rules. However, this may be a non-normative part of IPSIE best practices.

dhs-BI
dhs-BI reviewed Jan 17, 2025
View reviewed changes
ipsie-levels.md
### IPSIE Provisioning Level P2 - Pre-Provisioning and Deprovisioning through Groups

Level P2 adds the ability to provision and deprovision users in the application before they have logged in. Prior to level P2, users were only JIT-provisioned in the application as part of SSO.
Level P2 adds the ability to provision and deprovision accounts and an account's access in the application without the user needing to login. Prior to Level P2, users were only JIT-provisioned in the application as part of SSO. Also, the application must support a protocol or provide an interface that allows the IdP to read and edit the access levels of the application's accounts.
Copy link

@dhs-BI dhs-BI Jan 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wouldn't the last sentence be captured by the earlier language on group provisioning/deprovisioning? As written, at P2 IPSIE profiles could support non-standard provisioning interfaces which are contrary to the goals of the profile.

Copy link
Collaborator

@aaronpk aaronpk Jan 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, and just to clarify, these levels should be written without mentioning protocols, but the intent is very much that later we'll make an explicit choice of which protocols to use to accomplish the features at each level.

dhs-BI
dhs-BI reviewed Jan 17, 2025
View reviewed changes
ipsie-levels.md
Level P2 adds the ability to provision and deprovision users in the application before they have logged in. Prior to level P2, users were only JIT-provisioned in the application as part of SSO.
Level P2 adds the ability to provision and deprovision accounts and an account's access in the application without the user needing to login. Prior to Level P2, users were only JIT-provisioned in the application as part of SSO. Also, the application must support a protocol or provide an interface that allows the IdP to read and edit the access levels of the application's accounts.

Additionally, for Level P2, the application must support the ability for all access levels within the application to be "mapped" to access groups within the IdP. The application must also provide a configuration to allow an enterprise to prevent IdP-managed accounts from being given access directly within the application. This will provide the enterprise with an assurance that the identity's group membership within the IdP accurately reflects the level of access the identity's account has within the application.
Copy link

@dhs-BI dhs-BI Jan 17, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not clear how this requirement provides assurance that the IdP and RP are in sync on the group membership. This will most certainly be protocol specific, e.g. the ongoing discussions in SCIM WG on delta queries and cursor based pagination to address known gaps in the ability to implement anti entropy controls with SCIM. (I'm not suggesting SCIM must be used, this is an example only).

dhs-BI
dhs-BI reviewed Jan 17, 2025
View reviewed changes
Copy link

@dhs-BI dhs-BI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Let's discuss this on the next call. There are some interesting threads to pull on here .
I have concerns about moving P3 from group provisioning to metadata provisioning and wish to understand this better.

@dhs-BI
Copy link

dhs-BI commented Jan 29, 2025

With #41 being merged this morning, and the discussion on the call on January 28, how would we like to handle this PR? @2MarkMaguire is there something remaining in this PR that we should pull forward into the ipsie-levels?

@dhs-BI
Copy link

dhs-BI commented Feb 4, 2025

Given the recent updates, is there anything in this PR that needs to be pulled forward into the latest version? If not, I suggest we close the PR without merging. @aaronpk and @2MarkMaguire, what do you think?

@2MarkMaguire
Copy link
Author

2MarkMaguire commented Feb 4, 2025

Levels updated by Dean's PR, closing this one.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@aaronpk aaronpk aaronpk left review comments

+1 more reviewer

@dhs-BI dhs-BI dhs-BI left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@2MarkMaguire @dhs-BI @aaronpk