From nobody Wed May 3 12:07:03 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4FBFB129B9A for ; Wed, 3 May 2017 12:07:01 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -4.3 X-Spam-Level: X-Spam-Status: No, score=-4.3 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=okta.com header.b=oLm+K9zP; dkim=fail (1024-bit key) reason="fail (body has been altered)" header.d=oktainc.onmicrosoft.com header.b=H47oO4+s Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cVT3J-XbK07R for ; Wed, 3 May 2017 12:06:57 -0700 (PDT) Received: from us-smtp-delivery-163.mimecast.com (us-smtp-delivery-163.mimecast.com [216.205.24.163]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id BD722127B5A for ; Wed, 3 May 2017 12:04:56 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=okta.com; s=mimecast20140813; t=1493838295; bh=3jKSm4+Si7BMHFv/NNGxebXcu0bMlYcQ1T2SzN8Cm84=; h=From:To:Subject:Date:Message-ID:References:In-Reply-To:MIME-Version:Content-Type; b=oLm+K9zPpHEMWoDdB4NFFNO/UkDR1a0kq6XlHWpuDSS0r8tujLtKTEd/B0iIY6tuZsNTimzwy1qyt+QQ7Xg2YB9jo42ZUuYP5ZVzlLDS+hQHKlrd4X0KdJz1J7n/17zS0XROM6blx+W+aC5tgATAzgrgVO0V3E641a074IjYsg8= DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oktainc.onmicrosoft.com; s=selector1-okta-com; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=OG6pnNNgyl1FNymJxckrPRlLf+X2q5N8s4MHn72Farc=; b=H47oO4+s7lrhxRXJsMquEeARAQVqTm5sdNtlAaNU+rhenOWOWPdIyeaa6/NIPTxnOPlGicp0Mchl3gTRHJ/pgwnOF8MuHKeFVEOg7PpS3f7EFUb7XHUyA56GrOx5R215KC886Dyw4Zw554kUZs3cMT2gwX2VN0z6LLr6kMcRWXs= Received: from NAM01-BN3-obe.outbound.protection.outlook.com (mail-bn3nam01lp0176.outbound.protection.outlook.com [216.32.180.176]) (Using TLS) by us-smtp-1.mimecast.com with ESMTP id us-mta-177-gWcFgb6rOFmGGegsgHjG2Q-1; Wed, 03 May 2017 15:04:53 -0400 Received: from CY1PR0501MB1804.namprd05.prod.outlook.com (10.163.141.142) by CY1PR0501MB1801.namprd05.prod.outlook.com (10.163.141.14) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256) id 15.1.1084.7; Wed, 3 May 2017 19:04:52 +0000 Received: from CY1PR0501MB1804.namprd05.prod.outlook.com ([10.163.141.142]) by CY1PR0501MB1804.namprd05.prod.outlook.com ([10.163.141.142]) with mapi id 15.01.1075.010; Wed, 3 May 2017 19:04:52 +0000 From: Kevin Gough To: "scim@ietf.org" Thread-Topic: Latest Okta blog post: SCIM: Picking Up Tailwinds Thread-Index: AQHSv6A7siYn6hKjYEC8weaQ/w+Ea6Hi/3wi Date: Wed, 3 May 2017 19:04:52 +0000 Message-ID: References: In-Reply-To: Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [12.97.85.90] x-ms-publictraffictype: Email x-microsoft-exchange-diagnostics: 1; CY1PR0501MB1801; 7:Q+zbbzO79qpJrllyk67SOZYu6KR6b8iuN+pIaaNCn8YFMpWayRO4IcwyAQfIgHG6Iu0fEXuu2e5yUJ2NXUHxSlXUlz9DYvzZPHzlAWJZNDumiHoMjQYSyh8KIPWKzQEc/Gcj6L04BlRLoM6XWRD+l91IYO9bHCaWBRaCoy0ZEVBBlb02qtbD5G/2ZYsZooECqM9+/SfvP1nQHh5L1uz/0E4OzNhP/Zl27nS0dxJ36ltS6tURn1yxsWNZB9khLFuaiwza3VGf5tZ5/i5sJaiBvH7xCT3fOdYFXll/Tt6ZtZUYNEiQYqPskrtrMoqdJOoLcy6sx8rVuTfFE+L3gs7DrQ==; 20:Qtzwhp8ach//ASeGXMnv9SJn/beHkhOGhrVwuAcr6OvVeaqTkykCnEEzA9Naw7rF9wXKINkhfPmgpcyErFRCMI+BV7Ja8IKgji3W0LQKr1KWWu5hU0+SsUJAvS+siimUBLg8JSaDRbkO164EyMm3UeYwodbb8skwMb7/v5l8n78= x-ms-office365-filtering-correlation-id: a114ba10-500b-4864-fea1-08d49257477c x-microsoft-antispam: UriScan:; BCL:0; PCL:0; RULEID:(22001)(2017030254075)(201703131423075)(201703031133081); SRVR:CY1PR0501MB1801; x-microsoft-antispam-prvs: x-exchange-antispam-report-test: UriScan:(100576887044181)(166708455590820)(179546880041079)(209352067349851)(208905430912673)(1608367306537)(60067363179207)(128460861657000)(211936372134217)(28103392795679); x-exchange-antispam-report-cfa-test: BCL:0; PCL:0; RULEID:(6040450)(601004)(2401047)(5005006)(8121501046)(93006095)(93001095)(3002001)(10201501046)(6041248)(201703131423075)(201702281528075)(201703061421075)(201703061406153)(20161123558100)(20161123562025)(20161123555025)(20161123560025)(20161123564025)(6072148); SRVR:CY1PR0501MB1801; BCL:0; PCL:0; RULEID:; SRVR:CY1PR0501MB1801; x-forefront-prvs: 029651C7A1 x-forefront-antispam-report: SFV:NSPM; SFS:(10019020)(39450400003)(39400400002)(39410400002)(39850400002)(39840400002)(377454003)(110136004)(2351001)(38730400002)(19627405001)(6506006)(3660700001)(74316002)(77096006)(86362001)(6306002)(54896002)(9686003)(53936002)(733005)(6436002)(606005)(55016002)(99286003)(5640700003)(236005)(7736002)(76176999)(7906003)(50986999)(54356999)(102836003)(6116002)(2906002)(3846002)(3280700002)(5660300001)(189998001)(122556002)(6606003)(478600001)(1730700003)(8936002)(2900100001)(33656002)(5002510100001)(8676002)(81166006)(7696004)(2950100002)(6916009)(25786009)(2501003)(7066003)(15940465004); DIR:OUT; SFP:1102; SCL:1; SRVR:CY1PR0501MB1801; H:CY1PR0501MB1804.namprd05.prod.outlook.com; FPR:; SPF:None; MLV:sfv; LANG:en; spamdiagnosticoutput: 1:99 spamdiagnosticmetadata: NSPM MIME-Version: 1.0 X-OriginatorOrg: okta.com X-MS-Exchange-CrossTenant-originalarrivaltime: 03 May 2017 19:04:52.3547 (UTC) X-MS-Exchange-CrossTenant-fromentityheader: Hosted X-MS-Exchange-CrossTenant-id: f1f9fcc4-c616-4261-8a82-855dc9cb8486 X-MS-Exchange-Transport-CrossTenantHeadersStamped: CY1PR0501MB1801 X-MC-Unique: gWcFgb6rOFmGGegsgHjG2Q-1 Content-Type: multipart/alternative; boundary="_000_CY1PR0501MB18044A1BDFF6A2B7485E4F5187160CY1PR0501MB1804_" Archived-At: Subject: [scim] Latest Okta blog post: SCIM: Picking Up Tailwinds X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 03 May 2017 19:07:01 -0000 --_000_CY1PR0501MB18044A1BDFF6A2B7485E4F5187160CY1PR0501MB1804_ Content-Type: text/plain; charset=WINDOWS-1252 Content-Transfer-Encoding: quoted-printable We recently published a blog post highlighting ISV progress with SCIM. We're also running a free online SCIM training for ISV developers on May 30= , 10 - 4 PM PT. Sign up - Kevin Gough, Director of Product= Marketing @ Okta (Full post: https://www.okta.com/blog/2017/04/scim-picking-up-tailwinds/) SCIM: Picking Up Tailwinds We=92re a year into our SCIM provisioning developer program, and we=92re ha= ppy to report that many top SaaS vendors are starting to adopt the SCIM sta= ndard. As an Okta customer, that means you can automate user onboarding and= offboarding across more apps than ever, saving IT time and increasing secu= rity. We=92ve also added support for better group management of SCIM-enable= d apps, including group push and mastering via Okta, that can make these in= tegrations even more useful. Leading apps support SCIM Some of the fastest-growing apps in our latest Businesses at Work report, like = Lucidchart and Envoy, were the first to adopt SCIM as they needed a way to = quickly onboard all their new customers. Now, we=92re seeing adoption from = SaaS veterans and newcomers alike: * Asana is the easiest way for teams to track their= work=97and get results. (Configuration guide) * Workiva is a collaborative work management = platform for enterprise finance, accounting, compliance, and operations tea= ms. (Configuration guide) * SpaceIQ helps fast-growing companies manage = their workplace with fewer resources and less time. (Configuration guide) * Proxyclick helps create positive connect= ions with office visitors and contractors that last long after their sign i= n. (Configuration guide) * Github.com is a development platform where you c= an host and review code, manage projects, and build software alongside mill= ions of other developers. (Configuration guide) You can add and configure these apps from the Okta Application Network (OAN) catalog in your Okta admi= n interface. Early access to more SCIM apps Moving forward, we=92re changing the software vendor-built SCIM integration= approval process with the goal of giving Okta customers access to SCIM int= egrations sooner. Here=92s the updated process: 1. The software vendor and Okta complete initial QA of the app 2. The vendor identifies an initial beta customer they=92ll work with to= address any outstanding issues 3. We make the app available in a Community Verified, Beta state to all = customers 4. Once the initial beta customer has validated the integration, we grad= uate the app to Okta Verified You can keep tabs on which apps are available in Beta by reading Okta=92s p= roduct release notes. Our latest SCIM update: Group management [Group Mastering v2.jpg] With this update, we=92ve added the #1 most-requested feature: group push a= nd group mastering. Now, you can automatically manage groups in your SCIM-e= nabled app directly from existing groups in Okta, AD, G Suite, and other sy= stems of record. With group push, you can provision groups from Okta into a= n application and master their memberships going forward. With group master= ing, you can also link to and assume management of an existing group within= an application. We=92ve launched Early Access support for group mastering = for Box and G Suite. Review developer docs. Join us for a free training session on the SCIM protocol and how to build a SCIM-based pr= ovisioning integration for your apps. SCIM training session details: Date: May 30, 2017 Time: 10:00 AM - 4:00 PM Pacific Time Location: WebEx Virtual Classroom Instructor: Chris Barry, Principal Technical Instructor Cost: Free Sign up --_000_CY1PR0501MB18044A1BDFF6A2B7485E4F5187160CY1PR0501MB1804_ Content-Type: text/html; charset=WINDOWS-1252 Content-Transfer-Encoding: quoted-printable

We recently published a blog post highlighting ISV progress wi= th SCIM. 

We're also running a free online SCIM training for ISV develop= ers on May 30, 10 - 4 PM PT. Sig= n up 


Kev= in GoughDirector of Product Marketing @ Okta


(Full post: https://www.okta.com/blog/201= 7/04/scim-picking-up-tailwinds/)



SCIM: Picking Up Tailwinds

We=92re a year into our SCIM provisioning developer program, and we=92re ha= ppy to report that many top SaaS vendors are starting to adopt the SCIM sta= ndard. As an Okta customer, that means you can automate user onboarding and= offboarding across more apps than ever, saving IT time and increasing security. We=92ve also added support for bet= ter group management of SCIM-enabled apps, including group push and masteri= ng via Okta, that can make these integrations even more useful.

Leading apps support SCIM

Some of the fastest-growing apps in our latest Businesses at Work report, like Luc= idchart and Envoy, were the first to adopt SCIM as they needed a way to quickly onboard all their new customers. Now,= we=92re seeing adoption from SaaS veterans and newcomers alike:

  • Asana is the easiest way for teams to track their work=97a= nd get results. (Configuration guide)

  • Workiva is a collaborative work management platform = for enterprise finance, accounting, compliance, and operations teams. (Configuration guide)

  • SpaceIQ helps fast-growing companies manage = their workplace with fewer resources and less time. (Configura= tion guide)
  • Proxyclick helps create positive connect= ions with office visitors and contractors that last long after their sign i= n. (Configuration guide)
  • Github.com is a development platform where you c= an host and review code, manage projects, and build software alongside mill= ions of other developers. (Configuration guide)

You can add and configure these apps from the Okta Application Network (OAN) catalog in your Okta ad= min interface.

Early access to more SCIM apps

Moving forward, we=92re changing the software vendor-built SCIM integration= approval process with the goal of giving Okta customers access to SCIM int= egrations sooner. Here=92s the updated process:
 

  1. The software vendor and Okta complete initial QA of the app

  2. The vendor identifies an initial beta customer they=92ll work with to addre= ss any outstanding issues

  3. We make the app available in a Community Verified, Beta state to all custom= ers

  4. Once the initial beta customer has validated the integration, we graduate t= he app to Okta Verified
     

You can keep tabs on which apps are available in Beta by reading Okta=92s produ= ct release notes.

Our latest SCIM update: Group management

3D"Group

With this update, we=92ve added the #1 most-requested feature: group push a= nd group mastering. Now, you can automatically manage groups in your SCIM-e= nabled app directly from existing groups in Okta, AD, G Suite, and other sy= stems of record. With group push, you can provision groups from Okta into an application and master their me= mberships going forward. With group mastering, you can also link to and ass= ume management of an existing group within an application. We=92ve launched= Early Access support for group mastering for Box and G Suite. Review developer docs.

Join us for a free tr= aining session on the SCIM protocol and how to build a SCIM-based = provisioning integration for your apps.

SCIM training session details:
Date: May 30, 2017
Time: 10:00 AM - 4:00 PM Pacific Time
Location: WebEx Virtual Classroom
Instructor: Chris Barry, Principal Technical Instructor
Cost: Free
Sign up



--_000_CY1PR0501MB18044A1BDFF6A2B7485E4F5187160CY1PR0501MB1804_-- From nobody Sun May 7 14:50:02 2017 Return-Path: X-Original-To: scim@ietfa.amsl.com Delivered-To: scim@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8DDE212773A; Sun, 7 May 2017 14:49:53 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -1.021 X-Spam-Level: X-Spam-Status: No, score=-1.021 tagged_above=-999 required=5 tests=[BAYES_50=0.8, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_MED=-2.3, RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, RCVD_IN_SORBS_SPAM=0.5, RP_MATCHES_RCVD=-0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QiKm96_fAqNJ; Sun, 7 May 2017 14:49:52 -0700 (PDT) Received: from aserp1040.oracle.com (aserp1040.oracle.com [141.146.126.69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CFB5126B7F; Sun, 7 May 2017 14:49:50 -0700 (PDT) Received: from userv0022.oracle.com (userv0022.oracle.com [156.151.31.74]) by aserp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id v47Lnlbu014621 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 7 May 2017 21:49:48 GMT Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0022.oracle.com (8.14.4/8.14.4) with ESMTP id v47Lnk0h001186 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Sun, 7 May 2017 21:49:47 GMT Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id v47LnknK022473; Sun, 7 May 2017 21:49:46 GMT Received: from [10.0.1.7] (/24.86.190.97) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Sun, 07 May 2017 14:49:46 -0700 From: Phil Hunt Content-Type: multipart/alternative; boundary="Apple-Mail=_76C4B00E-8E65-49CE-B103-85C8304D3B12" Mime-Version: 1.0 (Mac OS X Mail 10.3 \(3273\)) Message-Id: Date: Sun, 7 May 2017 14:49:44 -0700 Cc: Kathleen Moriarty , "scim@ietf.org WG" To: ID Events Mailing List X-Mailer: Apple Mail (2.3273) X-Source-IP: userv0022.oracle.com [156.151.31.74] Archived-At: Subject: [scim] Plan for distribution draft for IETF99 Prague X-BeenThere: scim@ietf.org X-Mailman-Version: 2.1.22 Precedence: list List-Id: Simple Cloud Identity Management BOF List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 07 May 2017 21:49:53 -0000 --Apple-Mail=_76C4B00E-8E65-49CE-B103-85C8304D3B12 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 Hi all, Marius and I have been doing a lot of discussion since the last IETF = meeting and with various folks. Going forwards, Marius and I plan to do the following: 1. Data Plane - The distribution draft will be cut down to cover the = data plane - delivery of events (ietf-hunt-secevents-delivery). It will = be expanded to include polling of one or more events via HTTP GET to = address firewall use cases. Marius and I believe there is reasonably consensus on this (though some = are confused). The distribution draft will cover all cases from SCIM, = RISC, and Backchannel Logout.=20 The Data plane will define and describe the Verification event, how it = is used and validated for both push and poll. The spec will not cover = how or when a transmitter decides to initiate verification as this is = assumed to be part of the control plane. Important: The data plane is not and will not be based on SCIM. The objective of this draft is to allow near term implementation and = piloting to move forward.=20 Monitoring and automated provisioning will be part of a new draft=E2=80=A6= . 2. Control Plane - new alternate proposal Marius has offered to produce a new draft (e.g. = ietf-scurtescu-secevent-stream-mgmt) as a brand new Control Plane = proposal. Since part of the problem with the original proposal was a lack of = consensus on the requirements for the control plane, I would encourage = discussion on the features of the control plane now. For example: * How a stream is registered/defined (CREATE) * How a stream is validated (verification) * How a stream is monitored including indication of transmission = problems (READ) * How a stream configuration can be updated (e.g. credential rotation = or endpoint change) (UPDATE) * How a stream can be paused or stopped (UPDATE) * How to delete a stream- (DELETE) * Meta data including issuer and receiver public key sets (e.g. = jwks_Uri) * Some generic discussion of credentials for HTTP authentication * =46rom a data perspective: - what event types are in a stream? - what subjects are part of a stream and how are they managed (see = use cases) - how is this modelled and managed? - can a receiver inquire if a subject is enrolled? - what are the different identifiers that can be used: subject, = email, telephone, etc? * How is the control api extensible to support the various profiling = specs that will use the SEC EVENTS control plane draft? ps. I am stepping down from participating as an author or editor in the = control plane draft going forwards. Regards, Phil Oracle Corporation, Identity Cloud Services Architect & Standards @independentid www.independentid.com = phil.hunt@oracle.com = --Apple-Mail=_76C4B00E-8E65-49CE-B103-85C8304D3B12 Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=utf-8
Hi all,

Marius and I have been doing a lot of = discussion since the last IETF meeting and with various folks.

Going forwards, Marius = and I plan to do the following:

1.  Data Plane - The distribution = draft will be cut down to cover the data plane -  delivery of = events (ietf-hunt-secevents-delivery). It will be expanded to include = polling of one or more events via HTTP GET to address firewall use = cases.

Marius = and I believe there is reasonably consensus on this (though some are = confused). The distribution draft will cover all cases from SCIM, RISC, = and Backchannel Logout. 

The Data plane will define and describe = the Verification event, how it is used and validated for both push and = poll. The spec will not cover how or when a transmitter decides to = initiate verification as this is assumed to be part of the control = plane.

Important: The data plane is not and will not be based on = SCIM.

The = objective of this draft is to allow near term implementation and = piloting to move forward. 

Monitoring and automated provisioning = will be part of a new draft=E2=80=A6.

2.  Control Plane - new alternate = proposal
Marius has offered to produce a new draft = (e.g. ietf-scurtescu-secevent-stream-mgmt) as a brand new Control Plane = proposal.

Since = part of the problem with the original proposal was a lack of consensus = on the requirements for the control plane, I would encourage discussion = on the features of the control plane now.

For example:
* =  How a stream is registered/defined (CREATE)
*  How a stream is validated = (verification)
*  How a stream is monitored = including indication of transmission problems (READ)
*  How a stream configuration can be updated (e.g. = credential rotation or endpoint change) (UPDATE)
* =  How a stream can be paused or stopped (UPDATE)
*  How to delete a stream- (DELETE)
*  Meta data including issuer and = receiver public key sets (e.g. jwks_Uri)
* =  Some generic discussion of credentials for HTTP = authentication
*  =46rom a data = perspective:
   - what event types are in = a stream?
   - what subjects are part of = a stream and how are they managed (see use cases)
   - how is this modelled and managed?
   - can a receiver inquire if a subject is = enrolled?
   - what are the different = identifiers that can be used: subject, email, telephone, etc?
* How is the control api extensible to support the various = profiling specs that will use the SEC EVENTS control plane = draft?

ps.= I am stepping down from participating as an author or editor in the = control plane draft going forwards.

Regards,

Phil

Oracle = Corporation, Identity Cloud Services Architect & Standards
@independentid
www.independentid.com
phil.hunt@oracle.com

= --Apple-Mail=_76C4B00E-8E65-49CE-B103-85C8304D3B12--