2025‐09‐02

Aaron Parecki edited this page Sep 2, 2025 · 1 revision

IPSIE WG Meeting Minutes

Date: 2025-09-02

Attendees

  • Aaron Parecki (Okta)
  • Dick Hardt (Hellō)
  • Karl McGuinness
  • Shannon Roddy
  • Bjorn Hjelm
  • Mike Kiser (SailPoint)
  • Jen Schreiber
  • Buster Doney
  • Kenn Chong (RSA)
  • Jeff Bounds (SailPoint)
  • Bjorn Hjelm (Yubico)
  • George Fletcher (Practical Identity LLC)

Agenda

Notetaker: Jen Schreiber, George Fletcher

Notes:

  • Ask WG to review Interop Testing Checklist this week
    • https://github.com/openid/ipsie/blob/e71ca02d306590f6a3ba817515c6289a7d87378d/2026-01-interop-testing.md
    • Goal is concrete and testable statements from the OIDC Profile
    • Separated IdP vs RP requirement checklist
    • Dick suggested adding clarification for what pass vs fail is (and including pos and neg tests)
    • George: For the event, is there an expectation that an RP/IdP is written that can do all the pos/neg test cases?
      • Aaron: that is the ideal scenario but might not be realistic by Jan.
    • split the checklist into IDP positive, RP positive, IDP negative, RP negative
    • need to test that the insecure mechanisms are not working
    • generally IDPs and RPs showing up to the interop event will be focused on the happy paths
    • shared signals interops focused on the happy paths and then, when things failed, identified the issues
    • current checklist is very useful for conformance testing; may need to be filtered for the interop
    • Recommendation to focus on the protocol and describe what the expected behavior is
    • WG live edit of the checklist doc to remove the negative tests
    • conformance to TLS 1.2
      • really an IDP requirement - the IDP should not allow TLS connections that are not TLS 1.2 or above
      • if the RP attempts to connect to an IDP using TLS 1.2 and the IDP doesn't support TLS 1.2 or later, the RP should fail the connection
    • focus on the profiled parts of the specs/protocols as that is what is different from today
    • look at messages on the wire to confirm whether the IDP/RP are meeting the profile
    • feedback from shared signals interops
      • Just as an example - linking back to the spec was helpful for all of us - also note that there was a lot less for the receiver than the transmitter
    • Aaron updated the checklist to focus on the positive behaviors and spec profiling
    • Recommendation to request conformance tests from the OpenID Foundation
    • an RP running at the IPSIE SL1 profile must fail a response that does not conform to the IPSIE SL1 profile
    • validation of IPSIE profiles in the first interop can be done through debug logs/wire captures