What is the prima facie definition of "enterprise" in the charter for IPSIE?

[sbroddy]

The name of the IPSIE working group is an acronym for "Interoperability Profiling for Secure Identity in the Enterprise".

What is the Prima Facie definition of "Enterprise" in the name of this working group? How does IPSIE define "Enterprise"?

Is a US federal agency such as NASA an "enterprise"? Is an institution of higher education an "enterprise"? Is a company like Boeing an "enterprise"?

We need clear definitions of exactly what an enterprise is defined as.

[dhs-BI]

As with most things in identity, if you ask three of us to define something, you'll likely receive 5+ different answers. ;-)

In a nutshell, I define enterprises as corporations - everything from small businesses (<50 people) to million+ person employers (e.g. Amazon). These are not generally government institutions or higher ed, though many of the concepts we discuss and document might apply to their organizations, as well. Further, the work in IPSIE is focused on the users within the enterprise, not the customers.

For the purposes of the WG, the consumer of our profiles will determine whether they are an enterprise and the profiles meet or exceed their needs. We cannot put every organization into a neat little bucket, nor should we try. As a WG, our goals should be aligned with providing the maximum benefit to a broad array of enterprises - however they are defined - without attempting to solve every problem for every organization.

This is my perspective and it may not align with others' definitions of an enterprise. I welcome others to weigh in with their own definitions.

[seanmillerrsa]

Agreed on the enterprise definition. For IPSIE, what is important is what these organizations need:

• process to onboard employees
• granting access to applications/resources
• process around forgotten/recovery/stolen authentication "devices" (including passwords here)
• process to terminate employees

Signals produced from various layers in the stack should help with these main needs. For example, a signal that a user has indicated a device has been forgotten/lost/stolen should lead to a signal that various layers may react to. Some layers may look for active sessions and end them while other layers might attempt to see if there is current activity for that user and raise a flag.

[aaronpk]

Thanks @seanmillerrsa I like the way you phrased that. This actually sounds like a good list of an initial set of use cases/outcomes to solve.

[sbroddy]

I'll be the contrarian to the definitions that have been offered so far and say that I personally would define it as the 1st definition of Merriam-Webster's take on the matter.

That said, a clear understanding of how this working group defines enterprise is important for scoping what is in or out of scope of this working group.

[topperge]

Is there a reason we wouldn't address B2B Federation use cases as part of the IPSIE charter? I'm seeing more and more Enterprises federate with their business and industry partners. That bridge with just-in-time or otherwise provisioned accounts is one of the most painful pieces.

[dhs-BI]

@topperge The charter outlines what we thought was in scope as a way to get the WG off the ground. B2B federation is not explicitly in the charter, nor is it explicitly out of scope. I suggest that we keep it in mind as a potential workstream.

[dhs-BI]

We've defined the term here. Do we need to do further edits to define "enterprise", or have we reached consensus on this definition?

[aaronpk]

It sounds like there is still some tweaking of the definition needed based on the discussion in the previous call https://github.com/openid/ipsie/wiki/2025%E2%80%9001%E2%80%9007

[dhs-BI]

Added some additional definition in #33. I won't be on tomorrow's call so I will check the notes for any further discussion.

[Russell-Allen]

The challenge with defining "Enterprise" is that its colloquial meaning is changing. The antiquated definition of a single corporate entity doesn't fit today's collaborative and integrated businesses.

I prefer to think of "the enterprise" as a role that, in the context of IPSIE, means the party (or parties) driving the security concerns; they are setting the minimum compliance levels across the ecosystem.

I purposefully avoid implying that the holder of this role owns one or more specific OIDC entities, such as the IdP, AP, RP, etc.

As a modern SaaS/PaaS vendor, we own the RP and AP and federate Identity management. Quite often, I find that customers either want us to provide account management for them or federate to a social IDP like Google. More to my point, these customers are more interested in completing the integration and rely on us to ensure it is secure, even though they ostensibly own the IDP. We are the party driving the security concern.

[aaronpk]

I like the idea of constraining the definition to the context of IPSIE. We don't need to boil the ocean here with the perfect definition of enterprise.