2025-09-09

Aaron Parecki edited this page Sep 17, 2025 · 2 revisions

IPSIE WG Meeting Minutes

Date: 2025-09-09

Attendees

  • Aaron Parecki (Okta)
  • Dean H. Saxe (self)
  • Buster Doney
  • Jon Bartlett (Zscaler)
  • Sean Miller (RSA)
  • Kenn Chong (RSA)
  • Dick Hardt
  • Shannon Roddy
  • George Fletcher
  • Sarah Cecchetti
  • Karl McGuinness
  • Travis Tripp
  • Bertrand Carlier
  • Qinglan Gao (RSA)

Agenda

Notetaker: Dean H. Saxe

Notes:

  • Note Well, antitrust
  • community events
  • SCIM IL1 - call for adoption in progress, please respond via the mailing list so we can move this forward
  • Interop planning
    • SL1 interop in January
    • How do we demonstrate IdPs/RPs working together?
      • finish SL1 requirements
      • define how we demonstrate interoperability
      • we do not have time to build conformance tools ahead of the interop, we hope to do that in 2026
      • We need to define processes to demo interop between arbitrary IdPs and RPs
      • Aaron started a doc on github for interop testing - https://github.com/openid/ipsie/pull/109
        • need a plan for what we'll demo and how
        • The IdP and RP need to score the partner system ability to meet the requirements
      • Dean - we need to show interop, but more importantly we need to show community support/alignment to IPSIE SL1
      • Kenn - do we need to bring a prod IdP/RP?
        • No. Dev is fine
      • Sarah - connecting services is not exciting, how can we make this more interesting than, "this works"? Have we considered demonstrating an IdP tenant switching to another IdP if all IdPs and RPs are at a given IPSIE level?
        • Aaron: show that we're meeting the security goals of IPSIE at SL1 and features (e.g. app-specific session lifetime set from the IdP's assertion)
        • Dean: Show community support
        • Sarah: How do we deliver a better north star? Discuss at IIW
      • Karl: IdPs participating?
        • Aaron: No signup yet
        • Karl: interop value is showing a typical enterprise app configured to meet the specific outcomes at SL1
        • Aaron: different IdPs will have diff. config options
        • Karl: Not sure this will motivate people. Problem is that things are too configurable.
        • Aaron: Many of the features are turning off specific behaviors, which is hard to see at an interop. We might need to spend more time to create a fake RP to test the negative cases of the IdP (e.g. IdP rejects response_type token/id_token/code id_token).
        • Karl: Is there enough value in SL1 to test at an interop? Do we need to add IL1? SL2?
        • Dean: good question, what does the community think?
        • Dick: Not interesting for me to go to the interop at this level. Compliance test is probably more useful at this time. Dick likes the goal to show momentum, but if we have a small interop, it could backfire. What useful things can we do if we're all together?
        • JonB: Need better use cases before I can get approval to attend, get dev resources.
        • Karl: convincing RPs to invest in IPSIE is key, how do we convince them? How do we get code into live apps? Karl isn't seeing that right now. How do we generate interest?
        • Buster: need to define a "why" for the IL1/SL1 for RPs to come to the table. Why would an RP want to meet SL1?
        • George: doesn't know if an RP cares about SL1 unless the enterprise customer of the RP demands compliance at SL1. We need to figure out how to get enterprises/CISO org to participate with us to discuss their pain points from an integ perspective.
        • Dean: I see a few enterprise deployers here, but how do we get more?
        • George: Talk about this at Oktane, ask deployers who are experiencing issues to come join the WG. Personal contacts, as well. If deployers only care about SL2+ that gives us direction
        • Kenn: SL1 speaks to me as an RP because I want to ensure that sessions don't remain open longer than desired, this is a security win.
        • Karl: Chicken and egg problem. Is there a way to map to existing SaaS threat models/known attacks? Can we show how IPSIE reduces known real world threats? We haven't spent much time on this yet. Lacking a clear message on our roadmap and how that can be consumed by CISOs. Figure out how IPSIE maps into how CISOs map out risks. See https://github.com/pushsecurity/saas-attacks
        • Sarah: NIST FALs.
        • Travis: How do you discover gaps between your implementation and the forthcoming standards? Decisions are driven in his business by customer demand. Can we get customer endorsements from enterprises?
        • Side note: we have very few enterprise reps at the table in IPSIE
        • Kenn: In the levels, we need to define the value of the requirements at each level. e.g. SL1 minimizes the risk of session hijacking.
        • Sean: Likes the value column idea. How do we drive adoption? RSA has to support all potential apps out there, so IdPs work in some ways as a compliance checking tool. What's missing in the RP to achieve SL* based on the current config? Can we use this to identify misconfigs?
        • Jon: Interoperability is challenging from an RP standpoint. Jon's focus is really on SL2 compliance.
        • Bertrand: As a consultant deploying in enterprises, IPSIE will reduce the time required to securely configure IdP/RP. Tie the levels to value for the IdP/RP to communicate with CISOs with clarity.
        • Shannon: Potential blindspot: how do we communicate from RP to IdP that the IdP is IPSIE compliant? An IdP needs to work with IPSIE compliant and non-compliant RPs?
        • Aaron: Pairwise config meets or does not meet IPSIE compliance. But this is not dynamic today. Can you file an issue on this, Shannon?
        • Shannon: Yes
        • Karl: A different approach is to start from the hardest use case (SL3) to show what's different from today, then show them SL1/2 as the path to get there.
        • Jon: Good idea, being able to see the end state is important.
        • Karl: Show the full set of security controls, build demand for it, then create adoptable profiles.
        • Bertrand: likes this approach, but we need to define the steps to get there. Value oriented from each step (SL*, IL*)