Proposed WSFED Technical Committee: Divergence Point for Federation?
The March 20 announcement proposing a charter for a new OASIS Technical Committee for WS-Federation is rekindling a fire that has been smoldering for some time. Many a debate occurred at Catalyst and in other forums as to the merits of the WS-* long-term vision for web services security vs. SAML’s immediate focus on browser-based federation scenarios. A common theme to these debates was a call for convergence of SAML, Liberty Alliance, and WS-Federation efforts. Meanwhile, vendors staked out positions regarding SAML, WS-Federation, and Liberty Alliance. Microsoft has held its ground in withholding support for the SAML protocol. IBM straddled the fence after initial reluctance to support Liberty ID-FF, ultimately supporting standards and specifications as demanded by customers. Most other vendors in the federation space hedged their bets by grudgingly supporting multiple protocols and specifications.
As Yogi Berra would say, “It’s déjà vu all over again.”
Nearly two years ago, Burton Group published a report titled “SAML 2.0: Convergence Point for Browser-Based Federation.” It contained the following statements: “Security Assertion Markup Language (SAML) 2.0 represents a watershed moment for federation standards because it combines the efforts and features of SAML 1.x, Liberty Alliance Identity Federation Framework (IDFF), and Shibboleth” and “OASIS may also attempt to foster more convergence for browser-based federation by working with the supporters of WS-Federation passive profile (WF-PP).” Obviously, this is not the case. Several have commented on the TC proposal, including Nokia, France Telecom, NTT, Sun, Oracle, and Neustar. In addition, Tim Bray posted a rip on his blog.
The WSFED charter gives lip service to working on convergence with SAML 2.0. Like other commenters, we find this less than convincing; the WSFED charter's invitation to other standards committees looks like a passive-aggressive maneuver. It puts the onus on SAML 2.0, which has already been standardized, to come to WSFED on their terms and make changes to an established standard to accommodate features of a specification which was not developed in an open forum and is not yet a standard.
In 2004, we wrote “The industry is showing signs of concern over standards convergence, but having two standards for federation and SSO is better than having 20, or zero. It is likely the market will need more than a one-size-fits-all standard and one can hardly imagine any single standard fitting every scenario, regardless of its composability.” Well, it looks like convergence is going to resurface as an issue, particularly when there is so much overlap between SAML 2.0 and the proposed WS-Federation work.
If Microsoft et al. were to merge the WS-Federation passive profile with SAML 1.x and then focus this TC on the active profile, that would clear up a lot of confusion and limit redundancy.
What happens next?
• OASIS has scheduled a call to review the proposed charter on April 5th. OASIS members are permitted on the call.
• Post your comments here or elsewhere to have your opinions heard.
• Shameless Catalyst plug: attend the conference this year, where much of day 1 is dedicated to the identity interoperability discussion.
[posted by Gerry Gebel, after much discussion on an internal email thread]

Sun, among others, posted comments on the WSFED TC proposal. You can find ours here:
http://www.oasis-open.org/archives/oasis-charter-discuss/200704/msg00007.html
I'm hopeful that the various suggestions made for achieving convergence on that list will be given due consideration in tomorrow's telecon.
Posted by: Eve M. | April 04, 2007 at 07:59 PM
A significant percentage of functionality described in the WSFED charter duplicates existing, adopted work delivered by the OASIS SSTC and Liberty - yet no mention is made concerning leveraging that work.
I am curious about the mindset of the charter committee members. Why are they ignoring the rather significant production deployments of federation standards worldwide?
The WS-* extensible, composable architecture provides significant value beyond federation so I don’t object to it in general. However, ignoring the fact that WSFED is a good 3 years late to the party is a disservice to those companies with investment in business via federation today.
Personally I would like to see discussion around convergence.
Posted by: Mike B. | April 05, 2007 at 09:34 AM
A summary of the OASIS review call would be:
"No changes to the proposed WS-Fed Charter are required."
Interested observers might enjoy:
http://connectid.blogspot.com/2007/04/proposed-response.html
Posted by: Bill Smith | April 05, 2007 at 09:59 AM