# WG Meeting: 2025-01-28
## Agenda
- Gartner IAM interoperability test announcement
- SSF Conformance testing workshop
## Attendees
- Thomas Darimont (presenter, OIDF)
- Atul Tulshibagwale (SGNL)
- Mike Kiser (SailPoint)
- Chiranjeewee Koirala (SGNL)
- Yair Sarig (Omnissa)
- James Slocum (Beyond Identity)
- Steven Myers (Cisco)
- Mark Haine (OIDF)
- Eva Kuchrykova (Jamf)
- Swathi Kollavajjala (Cisco)
- Stanley Ye (Omnissa)
- Mike Leszcz (OIDF)
- Sam Weiss (Jamf)
- Alexey Emelyanov (?)
- Eva Kuchrykova (?)
- Gail Hodges (OIDF)
- Jordan Goodyear (?)
- Mahanth Hiremath (Omnissa)
- McCrackenG (?)
- Rahul (Omnissa)
- Saurav Kumar (Omnissa)
- Vijeth R (Omnissa)
- Vladimir Slesarev (?)
- Victor Soon (IBM)
## Notes
### Gartner IAM call for participation in the interop
- Send email to atul@sgnl.ai if you are interested in participating.
- SSF Gartner Interop Event blog post: https://openid.net/shared-signal-wg-returns-to-gartner-iam-for-interoperability/
### SSF Conformance testing workshop
- A Google or GitLab account is needed to log in to the conformance testing website.
- Preview Environment: https://review-app-dev-branch-3.certification.openid.net/login.html
- You can set up the conformance tests yourself or run them in the OpenID cloud environment.
- (Gail) Where will you be asking for implementers to direct questions as they start to test and hit issues and questions along the way? Slack for the March Gartner event? The SS WG Slack? Or one specific to tests?
And when can people start running their implementations through? After migration to the main hosting site in a couple days?
- (Thomas) I will be getting to that in a few minutes
- (Steven) I might have jumped ahead but I ran through the conformance tests to follow along :)
I’m just stuck because I provided this discovery URI https://test.sharedsignals.duosecurity.com/.well-known/ssf-configuration/sharedsignals but the metadata test rewrites the discovery URI as https://test.sharedsignals.duosecurity.com/sharedsignals/.well-known/ssf-configuration and gets a 404
- (James) did you set the server metadata location to "static" instead of "discovery"?
- (Steven) Ah thanks, it was set to dynamic
- (Yair) Does the audience need to be specified beforehand?
- (Mike Kiser) Spec claims the audience is transmitter supplied
- (Yair) Is the push endpoint supposed to be provided by the Transmitter?
- (Thomas) My understanding is that the Receiver provides the push endpoint
- (Yair) But if I'm testing the transmitter, then shouldn't I be able to specify what the push endpoint should be in the Transmitter response?
- (Thomas) For push, the test suite has a functionality where it dynamically exposes the push endpoint from the alias that you have configured.
- (Atul) Why does the transmitter need to specify the push endpoint?
- (Thomas) The conformance test specifies the push endpoint, because it is acting as a Receiver
- (Yair) How did you create the audience value? Was it added after the stream was created?
- (Thomas) The transmitter metadata suffix is just the subscriber identifier independent of the stream that I create.
- (Thomas) Setup Instructions for Running the conformance suite locally
https://docs.google.com/document/d/1pvtWWJ2RD_l9an_3-g-Kaa2K9zu6H9XDXq7kGIdyla4/edit?tab=t.0
- (Brian) Do we need Java and Maven locally or inside the docker container?
- (Thomas) It is most convenient inside the docker container. You could do it by installing it on the host, but it is more complicated (MongoDB, etc. will be required)
- (Brian) Specifying the audience in advance is an issue for us adopting
- (Chiranjeewee) Is there a way to authenticate the metadata endpoint as well?
- (Thomas) Metadata endpoint is not authenticated at all.
- (Chiranjeewee) Is there a way to do that though?
- (Thomas) No, but what is the use case?
- (Chiranjeewee) SGNL currently has the metadata endpoint behind the access token
- (Thomas) Currently we don't support it, but we could allow you to specify a custom header with every request. You could always place a reverse proxy in between and insert the authentication header there without us having to change the conformance tests
- (James) I'm able to do the testing on my end, thank you very much
- (Yair) How can we send feedback?
- (Thomas) Email, or OIDF Slack or IDPro Slack
- (Thomas) Once it is up in the GitLab repo, you can raise issues
- (Thomas) See feedback section
- (Thomas) We also are looking for vendor environments which we can hit for our CI environments. Currently using caep.dev, but it needs to solve some issues we identified earlier. We need to get more stable environments to test against.
- (Thomas) Since you are more familiar with the spec than I am, please provide feedback if the tests are doing something wrong
- (Brian) I've provided access to one of our demo instances so that you can see the audience issue
- (Chiranjeewee) I'm getting a DNS lookup failure for the server
- (Thomas) Perhaps you can reach out later. You need to provide the hostname alias locally
- (Chiranjeewee) I've done that
- (Steven) We at Cisco have been able to run the tests.
- (Brian) We only support explicitly added subjects, we have a lot of users, so we need to be able to only send events for subjects of interest
- (Yair) We don't do that because we don't want to manage a large number of subject values
- (Steven) So how are you doing it right now?
- (Yair) Everything is tenant specific, and each stream gets to specify which types of events.
- (Steven) So you are tying the tenants to the receivers
- (Yair) We have hard separation between tenants, so it's as good as if other tenants don't exist
- (Thomas) The tests can be run in a headless mode for running in your CI environment. The configuration can be fed as a JSON file, and then you can run it within your CI environment. I will provide an example setup for this.
## Action Items
## Feedback
If you have any feedback, feel free to reach out via thomas.darimont@oidf.org or DM me on the OpenID Slack.
If you want to file issues for the conformance suite, please go to https://gitlab.com/openid/conformance-suite/-/issues