Security/identity · 2006-04-28

More about the Danish government SAML situation

Dr. John Gøtze, a Danish e-government consultant and OASIS IT contractor, provides more background on the Danish government’s decision around requiring SAML V2.0 support. His colleague in the Danish Ministry of Technology, Science and Innovation sent an open letter to Microsoft a couple of months ago. A snippet:

  • You are cited saying: SAML 2.0 protocols are fine for strictly Web single sign-on. In your view, is exchange of attributes and assertions about access rights a part of Web single sign-on? Or do you assert that SAML 2.0 isn’t well suited for these tasks?
  • You are cited saying: SAML 2.0 does not have reliable messaging or transaction support. As far as we can tell, neither has WS-Federation, and obviously such functionality should be covered in standards that focus on reliable messaging and transaction, so is your position that SAML 2.0 will not work well with the standards for reliable messaging and transactions that OASIS is working to finalize?
  • What other motivations does Microsoft have for not supporting SAML 2.0 in the currently released product?

Pretty direct questions… Dr. Gøtze plans to follow up to find out if there was a response that can be shared. The letter was directed to Don Schmidt, a Microsoft guy I like and respect (and blogged a picture of…). It will be interesting to find out more about how this played out.