Archive for February, 2007

SAML parfait

There are lots of ways to convey the concepts and features of SAML. After writing about it and giving presentations on it for a long time, and having cogitated on JeffH’s very useful How to Study and Learn SAML, I thought I might try a new way of illustrating SAML’s features and modularity that can serve as a fairly complete quick reference. Everybody likes parfait, right? Let’s see how well it works as an educational tool.

This “default” diagram shows the SAML framework that you get out of the box and — I hope — the potential for profiles to use whatever lower-level bits make sense. (Click to enlarge the diagrams.)

[Image: SAML framework parfait]

You could annotate the default diagram for various purposes, such as discussing a proposed profile or extension. This “profiled” diagram shows how the web browser single sign-on profile points specifically to various protocols, assertion statements, and bindings to turn a particular set of use cases into something interoperable.

[Image: SAML framework parfait with web SSO highlighted]

(I want to add subject confirmation methods somewhere, but can’t figure out a good way to do it. Maybe they’re just too much detail for this.)
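To make the layering in the “profiled” diagram concrete, here is an added example (my own, not part of the post or its diagrams) that takes one constructed Web Browser SSO response, undoes the HTTP-POST binding, sorts its elements into the protocol and assertion layers by namespace, and then applies the profile-level rules a service provider must check on a bearer-confirmed assertion: status, subject confirmation method and recipient, validity window, audience restriction, and the presence of an authentication statement. The entity IDs, URLs and timestamps are placeholders, the message is unsigned, and signature verification is assumed to happen before these checks.

```python
"""Added example (not from the post or its diagrams): lay one Web Browser SSO
response out by SAML layer, then apply the profile's bearer-confirmation rules.
The sample message, entity IDs and URLs are constructed placeholders."""
import base64
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Constructed sample: the protocol message an IdP would hand back over the
# HTTP-POST binding. Unsigned here; a real SP verifies the signature first.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2007-02-20T12:00:00Z" Destination="https://sp.example.test/acs"
    InResponseTo="_req1">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2007-02-20T12:00:00Z">
    <saml:Issuer>https://idp.example.test</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_u1</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="https://sp.example.test/acs"
            NotOnOrAfter="2007-02-20T12:05:00Z" InResponseTo="_req1"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2007-02-20T11:59:00Z" NotOnOrAfter="2007-02-20T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>https://sp.example.test</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2007-02-20T12:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def decode_http_post(saml_response_field):
    """Binding layer: HTTP-POST carries the XML base64-encoded in a form field
    named SAMLResponse; undo that to recover the protocol message."""
    return base64.b64decode(saml_response_field).decode("utf-8")


def layers(xml_text):
    """Bucket every element by the layer its namespace belongs to."""
    found = {"protocol": set(), "assertion": set()}
    for el in ET.fromstring(xml_text).iter():
        ns, local = el.tag[1:].split("}")  # tags look like {namespace}Local
        if ns == NS["samlp"]:
            found["protocol"].add(local)
        elif ns == NS["saml"]:
            found["assertion"].add(local)
    return {k: sorted(v) for k, v in found.items()}


def _ts(value):
    """Parse the UTC xsd:dateTime form used in the sample (seconds precision)."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_web_sso(xml_text, acs_url, audience, now):
    """Profile layer: the checks Web Browser SSO requires of a bearer assertion.
    Returns a list of problems; an empty list means the assertion may be relied on."""
    root = ET.fromstring(xml_text)
    problems = []
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["no Assertion in the Response"]
    confirmed = False  # a bearer confirmation must name this ACS and be unexpired
    for sc in assertion.findall("saml:Subject/saml:SubjectConfirmation", NS):
        data = sc.find("saml:SubjectConfirmationData", NS)
        if sc.get("Method") != BEARER or data is None:
            continue
        expiry = data.get("NotOnOrAfter")
        if data.get("Recipient") == acs_url and expiry and now < _ts(expiry):
            confirmed = True
    if not confirmed:
        problems.append("no usable bearer SubjectConfirmation for this ACS URL")
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        problems.append("Conditions missing")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
        audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if audience not in audiences:
            problems.append("AudienceRestriction does not name this SP")
    if assertion.find("saml:AuthnStatement", NS) is None:
        problems.append("no AuthnStatement")
    return problems


if __name__ == "__main__":
    posted = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()  # what the form carries
    msg = decode_http_post(posted)
    print(layers(msg))
    print(check_web_sso(msg, "https://sp.example.test/acs", "https://sp.example.test",
                        _ts("2007-02-20T12:01:00Z")))
```

Run it and the first line printed is the parfait in miniature: `Response`, `Status` and `StatusCode` come from the protocol layer, everything else from the assertion layer, while the binding is visible only as the base64 wrapper and the profile only as the set of checks. Subject confirmation sits squarely inside the assertion layer but is given its meaning by the profile (Web Browser SSO mandates bearer), which is why it is awkward to place on a single-layer diagram.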

I’d love to get feedback from the newbie, in-the-know, teacher, and comparative perspectives. So, any comments? Suggestions? Anecdotes?

Northern mooses

I only felt the tiniest bit like an interloper at the Northern Voice/Moose Camp event in Vancouver last week, being based a whole 200km to the south. I always wonder what the customs agents at the border think of my little jaunts up there for interesting technical events. I explained that I was going to a bloggers’ conference, which I thought for sure would provoke a lot of questioning, but nothing. (I’ve had to explain XML in “agentese” at least a dozen times in recent years.) Maybe the agent had actually heard of blogs before. The times, they are a-changing.

Lauren and Tim, once again, were kind enough to let me stay with them. I was unable to stay for the more “citizen-oriented” Northern Voice day as originally planned, but had a blast at the more-technical Moose Camp day, as well as the previous evening’s dinner, at which Boris Mann and the other organizers knocked themselves out putting together and cooking a spectacular menu.

The dinner speaker was Lee LeFever of The World Is Not Flat. He and his wife Sachi blogged a travel diary of their year-long trek around the world, and he shared some of his favorite photos and stories (while Sachi video’d his whole presentation!). It was an utterly charming and inspiring talk. I loved his story about trying to ship a heavy marble cheese slicer while in Italy, as well as the story about his Mongolian friend with the Bluetooth-enabled phone who wanted to see photos of verdant places.

[Image: Lee LeFever silhouetted against the Nababarm! guy]

I had run into Michael Stewart at last year’s Open Source CMS Summit and started having flashbacks – he’s an old SoftQuad guy! He and I were in the SGML crowd in the ’90s (along with Lauren and Tim, of course…). He’s very smart and very funny, and to hang out with him in modern times is just a delight.

[Image: Lauren and Michael]

Michael, Boris, Johnny Bufu and Wes Triemstra of SXIP, and I bandied about some ideas ahead of time for a Moose Camp Identity and Privacy session, and so ultimately we put together a panel-like thingie. Lauren tells me I should have pitched my discussion at a higher level, since “IdP” and “RP” and “authentication” and “authorization” can cause a MEGO problem; I added some notes to the session page, which I hope will be helpful after the fact.

I got to spend some quality time chatting with Johnny and Michael about a “signed assertion” spec proposal [UPDATED to fix link] from SXIP that leverages SAML assertions pretty deeply, and I think I’m starting to understand it.

All in all, a very enjoyable and productive 24-hour period!

Mon service public

I couldn’t resist adding another flag to the lineup discussed below, particularly after Paul found a video with cute French Muppets in it (along with that damn song):

[Images: flags of Denmark, Finland, France, the United Kingdom, and the United States]

Mon Service Public is an initiative of the Direction Générale pour la Modernisation de l’Etat, or DGME [UPDATED: its old name was Agence pour le Développement de l'Administration Electronique, or ADAE], in France. (They’re basically the e-gov folks there — oops, make that e-gouv…) They have a great document (in English) that explains their goals, and Liberty has also published case study slides. ADAE dictates the national standards for electronic administration, for which they’ve selected SAML2 and ID-WSF. By now a familiar refrain!

It’s a saml world, after all

Nope, that’s not a typo. I kept thinking about that silly tune when I saw the panel assembled for an RSA conference session called “SAML 2.0 — Standard-of-Choice in the Public Sector”, hosted by Brett McDowell. The speakers represented identity management initiatives in the US, Denmark, Finland, and the UK. The slides were simply covered with little flags. [UPDATE: The slides have now been posted, proving my point. :-) ]

I’d already been thinking about something Andre Durand remarked on recently:

When a critical mass of companies mandate standards for cross-domain SSO, we will have hit the tipping point for federated SSO. Having seen a few companies already cross that line, there is a formula. What we need to do now is hone it down and then hit the repeat button.

I had meant to comment at the time, since I know of a number of such mandates myself, but conference preparations (and getting sick) swamped me. Now I’m glad I waited, because the people on this panel had some of their own to share, and made a lot of excellent points that, I think, support Andre’s contention. And what they’re mandating is SAML2.

I thought it would be interesting to share what I heard. I’ve got ridiculously complete notes from the session in the extended entry (and don’t forget to check out the Liberty Alliance site’s adoption section, particularly the e-government page if you’re particularly interested in public-sector deployments), but here’s a taste of what the panelists were saying:

Søren Peter Nielsen, representing the Denmark National IT and Telecom Agency [UPDATED to fix name of agency] (info on their selection of SAML is here and I blogged on it here and here):

Based on these requirements, picking SAML 2.0 really was a slam-dunk decision.

Tero Pernu, representing the Finnish Board of Taxes (case study here):

The Finnish case study is a bit more broader than the Danish one. This one includes also the [Liberty Identity] Web Service Framework.

Conn Crawford, Strategic Projects Officer of the Sunderland (UK) City Council:

We need some sort of stability around our open standards.

Georgia Marsh, Deputy Program Executive of the US General Services Administration E-Authentication Initiative:

We don’t just go and adopt anything that’s cool…. Many of our customers have told us, in many ways, that they’re ready for SAML 2.0.

[...]

Viewing identity in landscape mode

I must be used to Seattle weather by now; my visit to San Francisco last week for the RSA Conference provoked a bit of annoyance at the pelting “hard rain” we saw all week, vs. the (wafting?) “soft rain” I’m now used to. Goodness knows how I’d get through a Boston winter at this point. But once I was safely indoors, rain dripping from my conference-giveaway hooded windbreaker, the conference provided a great experience.

I spoke with Brett McDowell in the Industry Experts track on the last day, on the subject of Federated Identity: Evolving Past Industry Strife. (I’m trying to keep my publications page updated; you should always be able to find links to my talks there.) In this talk we introduced the Liberty Alliance, reviewed its major technical spec deliverables and deployment patterns to date, and discussed some of the complementary, overlapping, and distinguishing features and “convergence touchpoints” of many of the technologies in the landscape — SAML, Liberty Web Services, CardSpace, and OpenID, and even WS-*.

We also described a new program called Concordia (after the Roman goddess of agreement, understanding, and marital harmony!), in which Liberty is offering to serve as a collection point for real-world use cases around heterogeneous deployments of identity technologies and do interoperability testing around them, in the manner that it already does testing certification for SAML2 and ID-WSF. It’s quite likely that this exercise will uncover even more convergence touchpoints and, I hope, multi-party commitments to better protocol alignment and unification into the works. Stay tuned for more info about the program as a whole.

Relatedly, Liberty’s new openLiberty.org site has some broad surveys of the space in wiki form, to which anyone can contribute: the Related Projects page and the Identity Landscape page. I plan to keep an eye on these.

I may have caught up on email, and recovered from the cold I had last week, but I’ve still got a bunch of thoughts saved up and I’ll try to share them here in the next few days. Will that qualify as a steady drip, drip, drip? (Five points for identifying the original reference for that…)