Security/identity · 27 Mar 2008

SAML brings world peace?

I tried to comment this morning on Dave Kearns’s post on my “identity bus” musings, but it hasn’t shown up for some reason, so I’ll say a few words here. (Later: Damn, how come I can never manage to say just a few words? Must…channel…Paul…)

I appreciate Dave’s confirmation of the overall goal; good to know I’m not crazy. But “going all Microsoft”?? :-) If I were advocating a particular protocol, I don’t even think that would be a bad thing, but advocacy of that sort wasn’t actually my intent.

I did observe that SAML tokens have had success at meeting one big criterion for an identity-bus-qua-message-bus. SAML tokens are used in lots of places, often with protocols other than SAML’s own. And when it came to another criterion, I “indicted” the SAML assertion query protocol pretty even-handedly with WS-Trust if they’re each considered all by their lonesome. While mentioning services of the sort that add helpful interop smarts (including ID-WSF ones), I even pointed out InfoCard as a great example.

If you choose a common data model for your identity layer, as many have done, there’s a whole bunch of “transform[ing of] protocols and data from one system and schema to another” you can avoid. In this sense, SAML’s “hub format” and a WS-Trust “hub service” are opposite approaches: the more you use an agreed-on format, the less you need transformations for the mere sake of syntactic conformance to another system’s needs. I will cop to advocating SAML2 tokens on this basis!

You might still need token exchanges for lots of other reasons, obviously. A quick test of whether you’ve got a nontrivial one: Would it still be useful for parties that use the same token format all around? In this case, I just observed that writing down those semantics will help get us to a successful identity bus. Imagine the chaos if you asked “RST?” and got any old “RSTR” back.
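To make the last two points concrete, here is a toy token exchange written for this post (it is not code from the post, from any SAML or WS-Trust implementation, or from the OASIS specs): the same "hub" token format sits on both ends of an RST/RSTR round trip, yet the STS still does useful work (rescoping the audience and releasing only the attributes each relying party may see), and the requester checks that the RSTR actually answers its RST. Tokens are JSON dicts with an HMAC standing in for signed SAML2 assertions; the STS and relying-party URLs, the key and the attribute policy are all constructed.

```python
import hashlib, hmac, json, time

ISSUE = "http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue"   # WS-Trust 1.3 Issue request type
SAML2 = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"  # WSS token type
STS = "https://sts.example"                 # hypothetical STS identity
KEY = b"constructed-demo-hmac-key"          # constructed; a real STS would use XML-DSig
RELEASE = {"https://wiki.example": ["name"],    # per-audience attribute release policy (hypothetical RPs)
           "https://payroll.example": ["name", "employee_id", "salary_band"]}

def issue_token(subject, audience, attrs, ttl=300):
    """Mint a 'hub format' token: the same shape on every hop, signed with the HMAC stand-in."""
    body = json.dumps({"subject": subject, "audience": audience, "attrs": attrs,
                       "exp": int(time.time()) + ttl}, sort_keys=True)
    return {"body": body, "mac": hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()}

def validate_token(token, expected_audience):
    """Signature, expiry and audience must all hold; returns the claims or None."""
    good = hmac.new(KEY, token["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(good, token["mac"]):
        return None
    claims = json.loads(token["body"])
    if claims["audience"] != expected_audience or claims["exp"] < time.time():
        return None
    return claims

def sts_issue(rst):
    """STS side: same format in and out, but the exchange rescopes the audience and trims attributes."""
    if rst["RequestType"] != ISSUE or rst["TokenType"] != SAML2:
        raise ValueError("unsupported request")
    claims = validate_token(rst["OnBehalfOf"], STS)   # incoming token must be scoped to the STS
    if claims is None or rst["AppliesTo"] not in RELEASE:
        raise ValueError("refused")
    attrs = {k: v for k, v in claims["attrs"].items() if k in RELEASE[rst["AppliesTo"]]}
    token = issue_token(claims["subject"], rst["AppliesTo"], attrs)
    return {"TokenType": SAML2, "AppliesTo": rst["AppliesTo"], "RequestedSecurityToken": token}

def accept_rstr(rst, rstr):
    """Requester side: an RSTR only counts if it answers *this* RST and its token is bound to that scope."""
    if rstr["TokenType"] != rst["TokenType"] or rstr["AppliesTo"] != rst["AppliesTo"]:
        raise ValueError("RSTR does not answer this RST")
    claims = validate_token(rstr["RequestedSecurityToken"], rst["AppliesTo"])
    if claims is None:
        raise ValueError("token not bound to the requested scope")
    return claims

def demo(audience="https://wiki.example"):
    # Constructed sample: an IdP token for Alice, scoped to the STS, carrying more than the wiki needs.
    idp_token = issue_token("alice", STS, {"name": "Alice", "employee_id": "e42", "salary_band": "B3"})
    rst = {"RequestType": ISSUE, "TokenType": SAML2, "AppliesTo": audience, "OnBehalfOf": idp_token}
    return accept_rstr(rst, sts_issue(rst))
```

Run `demo()` to see the wiki get a token carrying only `name`, while `demo("https://payroll.example")` returns all three attributes; handing the payroll RSTR to a requester that asked for the wiki scope is rejected.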

So, back to music and world peace! Yes, I admit it, I would like to teach the world to sing. But I must also admit that my accompaniment of choice would be (acceptable) piano or (really bad) ukulele, since guitar-playing is not among my skills…