Consider "inactivity" in Identity Management requirements / levels #39

Open
ameyah opened this issue Jan 18, 2025 · 1 comment

ameyah commented Jan 18, 2025

"Staleness" of SaaS accounts (or entitlements / roles / privileges) may be helpful in lifecycle governance in an organization. Some apps offer this capability through custom APIs / native app portals, but this is not consistent.

Proposal - app communicates "last use" timestamp to IdP per account / entitlement pair.

Contributor

dhs-BI commented Jan 21, 2025

As we discussed on this morning's call, this is an interesting idea. The RP is the only system that would have a definitive "last used" date for a user.

Since IPSIE is trying to profile existing standards rather than create new standards, our charter says that we'll try to find a home for any non-standardized functionality before considering adding it to the IPSIE WG scope. Is there an existing standards WG where this kind of metadata and related APIs could be standardized?

This kind of signal might be appropriate for the SSF working group to consider. @openid/wg-sharedsignals-chairs can you please take a look at this issue and let us know if this fits in the SSF WG existing/future workstreams.
