Security/identity · 2006-11-28

Let’s all mash up at Eeugh

Eeugh-Buh, that is: the second 2006 Internet Identity Workshop, more commonly known as IIWb. It’s being held next week in the Bay area. If you’re attending but haven’t added your name to the list, better do it soon! I’m arriving in town on Sunday night and am really looking forward to this one.

Johannes mentioned that there are a bunch of ideas swirling around on mashing up OpenID and SAML. Some of my recent posts have been poking at perceived impedance mismatches between the two technologies, in order to learn where they’re usefully complementary. I’m really excited about the possibilities here, and like Johannes, I’ve been pleased at people’s willingness to work together, whatever their mental starting points. So let me respond to the challenge he posed (“If you have an opinion on this, why don’t you blog about it?”), taking the positive side.

If we (somehow) mashed up SAML and OpenID: Who would care, other than technologists? Why would they care? Actually, technologists who are in business to compete with each other would typically be just as happy to have competing protocols, though I think this stance is very short-sighted. My customers tend to resist deploying multiple technology stacks that do the same thing; mashing them (uh, the technologies, not the customers) up to unify common functions can potentially simplify deployment and give the benefits of the union of the use cases served by the technologies in question.

What problem does this solve that cannot be solved any other way? It’s always possible for a technology provider to offer coverage of multiple technologies, which can give interop in the context of their product (or open-source library or whatever). But that’s less universally interoperable than actual protocol-level bridges that everyone can implement equally. Also, the very notion of mashups involves play and experimentation, and we should be pushing this opportunity out to the individual level wherever possible. Providing a framework for doing this can be very “generative” (that is, we’ll learn more interesting use cases as we go, from every quarter). Plus, it’s just more fun this way. :-)

How valuable is a solution to that problem, compared to the cost of delivering the solution? I guess we won’t really know until we try. But every time I’ve been involved in what could be called “convergence” activities in the context of open standards development (and I’ve been doing it since 1991), it’s been gratifying and worth the effort — and it resulted in increased adoption. Hey, OpenID has already undergone a rapid mashup cycle with LID and Yadis, and SAML did the same (though admittedly not quite that rapid) with the Liberty Alliance federation framework and Internet2’s Shibboleth. If we discover that OpenID and SAML have any use cases, requirements, and solutions in common at all, isn’t it worth exploring them?