Attending: 

Zacharias Törnblom, Judith Bush, Gary Windham, Gabor Eszes, Mary McKee, Chris Phillips, David Huebner

Agenda & Notes

Agenda bash and ask for scribes

Mary McKee

Follow up on a SAML Technical Committee (TC) to make a statement

https://lists.oasis-open.org/archives/security-services/202303/msg00000.html

Scott - next call is in May

Judith - Anything we can do to help? Scott - may ask for review of anything put together

Chris - the links in the REFEDS space might be a good resource to share since FedCM is a lot to get your head around

Scott - we need to push for a more prompt response that isn’t a deep dive technically.  This isn’t about the specifics, rather getting message across that you can’t shut off the spigot in the span of a year without a lot of impact and there needs to be a more phased approach that allows more time for transition.  Even if that is the goal, we need an off ramp - steer the message toward this.

Follow up on engaging with Sam Goto

Judith: Phil reached out to Sam, shared to expect to hear from Judith.  Engagement Sam wants would best be met at IIW.  Hopes Nicole and Chris can go.

Chris - needs to look at dates/budget for IIW. 

Mark will be there from Cirrus, ~5 people from I2

Judith - discussion of a standard IIW topic at (Monday?) meetings.  Maybe Microsoft or Google could host a location in proximity to IIW to facilitate meeting.  Not sure if she can attend remotely; there may be an opportunity to.  Unsure if this is under W3C terms, or if hackathon was.  Will try to follow up with Heather on that in advance so that Scott will know if he could attend or not.  It would be morning in California, afternoon for east coast.  Also reached out to Sam on this but has not yet heard back.

Purpose of 3 hour meeting is to go deeper than realistic in one hour meetings. 

Chris - it feels like we’re in training mode on awakening topics, unsure if 3 hour meeting will be similar in elaborating how big the problem is, would like Sam’s thoughts on desired outcomes.

Strategy for using the Proposal repository

Judith - now has vague access to proposal repo; made two branches (one for each proposal) with idea of advancing Chris’ suggestion to get proposals into markdown and ready for pull requests. 

Chris - we can keep it light, put in markdown and allow people to call out specific line numbers etc.  Are there other folks who would be interested in having Git access to the repos?  Will circulate Nicole’s and Chris’ Git IDs.  Maybe workshop in Git prior to IIW.  Zacharias - prefers more focused, iterative approach to this work.  Judith - maybe should talk with Heather re: strategy to make progress.

Gabor - do we have a space where we can track our work group’s approach?  One thing that’s happening is because of what’s coming out of W3C work group, we’re having to retread similar topics repeatedly.  Difficult to keep track of whether we’ve achieved the successful-enough common position of this group.  Do we have space to track that progress?

Judith - we have a couple options.  Nicole had a Git repo for this hackathon; could continue using that if Git is desired.  REFEDS also has a Git repo we could use.  We also have a wiki.  Gabor - that works too, can keep it simple, can we have a table of these objectives.  

Chris - I think the challenge is that it’s a lot of overhead, if we try to revolve around a few key concepts.  Recommends getting proposals into markdown within W3C space first - if there are a few concepts we’re in disagreement about, identify and work through those items internally.  The fewer places we can manage this, the better.

Gabor - you’re going to get comments from specific parts of proposal that we didn’t develop a unified position on in advance.  We’re inviting criticism that we’re not prepared to handle.

Chris - we need to accept that, that’s going to happen and that’s the community process.

Scott - this is the standards process and we can get a sense for what is good faith feedback and deal with that

Gabor - can we agree with Chris that our most critical next step is to get markdown versions of proposals into W3C space?

Broad agreement; Scott - that’s our best chance of getting meaningful forward movement.

Judith - in the FedID group’s repo, is that open to the web to put in to raise issues to submit proposals or does someone have to be added by the group first? Can Gabor and Scott participate?

We’ll assume it’s open

Gabor - my interpretation is that I can’t participate; difficult to form substantive comments as desired

Judith - past participation has been via the Google Docs; moving forward, it will be in markdown/Git

Can we continue this in Slack? <no objection>

TechEx Submission

Judith - requests feedback on proposed abstract

  • Title - too provocative?  Appropriate?  Clear?
  • Want to be provocative but could be more clear 
  • Character limit workshopping
  • Abstract contents

Judith - how to frame, our community view vs. browsers seeing SSO traffic as tracking

Chris - full disclosure, is on TechEx planning committee.  What is the dialogue here, are we taking questions?  If this is a panel, we should consider a brief intro and then move into discussion format.  Would put in a link to the REFEDS and we look forward to your questions to discuss.  What is the desired outcome?  Most yield of understanding/concerns/feedback/engagement.  Without those outcomes, it’s just catastrophizing.  Attendees should have a sense of what to do/how to engage moving forward.

Chris - let’s not bury the lede, things are uncertain and we need this engagement

Scott - the takeaway for most in session is not to design a solution (we don’t even have that freedom) but to socialize that we seem to be the only ones fighting this fight and it’s time to start asking vendors and suppliers what they are going to do about this.  Should demand that suppliers share their plans for how to deal with things breaking.

Chris - <summarizes> Come to the conversation to know what to ask your vendors.  What is going on/what do I ask for/what happens if I don’t get it/what are my alternatives if I don’t get it.

REFEDS blog post as working group

Judith - a first way to raise awareness about what’s going on, has drafted post linked above for discussion.  

Chris - the place and time we’re at today vs TechEx - huge time elapse there.  Expects we’ll have very different ideas/thoughts by then, the blog post could be our current thinking on the same questions we want to address at TechEx; won’t be repetitive with TechEx because of how fast this is moving.  So many open questions; will we have permit domains (as MSFT with B2C)?  Can raise concerns (not accusations) to start raising awareness - you should be concerned, major foundational assumptions are changing.

Zacharias - is this a call to action to stay engaged or take action?  <both>  Are we asking people to test (as Google has requested)?

Judith - it’s a totally different protocol, so a question of does it work with SAML?  Well it doesn’t interfere with SAML because SAML doesn’t use 3rd party cookies.  It doesn’t have the request model between the RP and IdP that SAML has.

Gary - even in the FedCM developer docs, it says, if you aren’t using 3rd party cookies, there’s nothing to do.  So asking IdP operators to make changes today is premature.  If you start down that road, you run into the wall of this not working at all with SAML or OIDC.

Chris - there’s a rally to get people interested/engaged, and once you make it to this level of conversation, you can start unpacking the challenges and opacity.  Artifacts on how to actually test this are currently poor, and that’s one callout.  Without packet captures, it’s very hard to test currently.  Again, it’s April, and TechEx is in September, so the needle will move in that time.  If we ask people to test and they have no idea what to do, this exemplifies the problem we are currently dealing with.

Scott - I keep forgetting that so many people are waiting on the 3rd party cookie thing, thinking that it won’t go further than that and so there’s nothing to worry about.

Gabor - that’s all we have right now.  They haven’t come out and said that, and it’s an issue in our communications because we don’t want to spread FUD, but we don’t have many alternatives because there’s no hard proposal to respond to.  It’s hard for us to focus on this in a responsible and actionable way because the breakage currently is limited, and we can’t see how the proposal is envisioned to interact with existing identity protocols.  Is struggling with how to be useful to this effort.

Judith - https://privacycg.github.io/nav-tracking-mitigations/ this is the seed of the discussion about tracking mitigations.  Problem for us is that FedID CG is a spinoff of the privacy CG, which has gone after cookies and is now going after tracking.  Has seen in mailing list concerns about bounce tracking and using AI to identify tracking.

Gabor - ideally, our WG should have an engagement that tries to find out these areas of assault that are being promulgated on today’s web and then develop specific mitigations to them.  FedCM is just one part; there are other parts.  So far mitigation conversation has been focused on FedCM but can’t stay focused on only FedCM.  

Chris - building on that thinking, trying to tether these ideas in a context that is more familiar to the community.  When we think about this, instead of just a SAML thing or a browser thing or a standards thing, frame as a supply chain item.  Replace FedCM with a thought exercise about Docker containers and reliance on that technology.  Managing dependencies in perpetuity is hard.  Browsers have been, to date, great vehicles for seeing things on the internet - now this model is under challenge.  Characterize these concerns as software supply chain/how pedagogy is delivered.  It’s difficult and exhausting to track every single item within this theme.  FedCM, as big as it is, is a tree in the forest of privacy concerns that are admirable, enviable, and aspirational - also problematic in many ways.  Need to frame this so people controlling budgets see themselves as part of the collateral damage. 

Judith - maybe the blog post could be a narrative of that conversation.  How do we get involved?  I’m out for several weeks, the draft content I created may not be the right content.  Would you two (Gabor and Chris) be willing to rework as a threat landscape?

Gabor and Chris - yes

Judith - Gary, is your demo code available?

Gary - yes, we can include that: https://github.com/cirrusidentity/simplesamlphp-module-fedcm

Scott - it’s understandable that we can’t get people to react to speculation, may need to wait for a statement to react to 

Chris - yes, maybe push for people to own what they are proposing

Gary - doing that also has the benefit of not creating a Chicken Little situation if these things don’t happen

Chris - even if it’s the product of our effort that it doesn’t happen

Gabor - play up our involvement out of concern, play down doom-n-gloom

Scott - message to business leaders should be different than the message to IT people

Judith - we’re not affected by cookies; other changes on horizon - community should be educated about issues on horizon, not current (cookie) issue

Gabor - our use cases are not under imminent threat - help people make sense of current state of play; some parts are underway, others are now. For blog post, describe work group’s current engagement rather than risk of breakage
