IdP as a Service Working Group

[Dedra Chamberlin <>]

Hi all,

Thanks for that addition Pål. I mentioned on the call that Cirrus offers both an IdPaaS and an IdPoLR. Our suite also includes a "Proxy". 

With most of our customers who are using our IdPoLR service, they use it with a Proxy in the "upside down" configuration Pål mentioned, and largely to manage things like attribute enrichment, logic around MFA requirements, and inclusion of other identity providers as options in addition to the IdPoLR (social and federated credentials).

Look forward to further discussions.

- Dedra

Dedra Chamberlin   CEO  m: 510.710.1554  e:   w: cirrusidentity.com

On Mon, Sep 23, 2019 at 2:09 PM Nick Roy <> wrote:

Pål’s suggestion follows a pattern that a number of other fed ops are following. +1 to consideration of this, I think it might be the most sustainable approach.

Nick

On 23 Sep 2019, at 11:55, Keith Hazelton wrote:

I'd like to learn more about your trio of services and the upside down IdPaaS as IdPoLR +

Let's find a time for a Zoom session.

            --Keith

---

From: Pål Axelsson <>
Sent: Monday, September 23, 2019 12:35 PM
To: Keith Hazelton <>; <>; Mary McKee <>
Subject: Sv: IdPaaS call today

 

Hi Keith,

 

I’m sorry that I couldn’t attend this evening but there is an interesting possibility to turn your thought upside down. You can build a IdPaaS on top of the IdPoLR and use a proxy service to add attributes for IdPaaS enabled users from an attribute and authorization repository and block other users.

 

In Sweden we’re working on this with our three building components; eduID.se as the IdPoLR, coManage as the repository and Satosa as the proxy. Later this year we’ll put this into a production pilot.

 

From this angle you can see IdPaaS as a IdPoLR Plus offering.

 

Pål Axelsson

 

 

Från: <> För Keith Hazelton
Skickat: den 23 september 2019 18:55
Till: ; Mary McKee <>
Ämne: Re: IdPaaS call today

 

I'd like to discuss another possible recommendation:

 

The need for a reliable and sustainable IdP of Last Resort (IdPoLR, or unaffiliated IdP) is still out there. An IdPaas service already meets several of the requirements for such a thing.

 

The only new requirements would be to offer a personal, self-service registration process.

The new challenge would be finding a business model for this service. I can imagine federation operators might be willing to provide the operational budget, making the service free for individual subscribers.

 

What about recommending an "IdPaaS Plus" offering that included a 'home for the bomeless'.

 

           --Keith Hazelton

---

From: <> on behalf of Mary McKee <>
Sent: Monday, September 9, 2019 6:59 AM
To: <>
Subject: IdPaaS call today

 

Hi all,

 

Looking forward to our call later today.  Today we'll plan to:

• Wrap up the survey summary at https://spaces.at.internet2.edu/display/IDPAAS/Survey+Results 
• Review deliverables for recommendations: https://spaces.at.internet2.edu/pages/viewpage.action?pageId=158662936
• Develop a game plan for how to arrive at the recommendations above.

Prior to the call, please review the two links above and note any places where you feel there's room for improvement on the survey summary.  Last time, we discussed correlating answers with Carnegie classifications;  it would be helpful to point out specific areas where doing this  would directly help with one or more of the recommendations.

See you soon!
Mary