Sun and OpenID

I was once told
“(When you are trying to find the right direction), a leader is someone who can cut through the jungle, climb up the tallest tree and yell wrong jungle”. :-)
This is definitely a great leadership initiative from Sun. The resting state of OpenID is still undetermined. OpenID has established itself well in ‘no-value transactions/blog commenting’. In its current state, it’s still debatable whether OpenID has a place in Enterprise B2B use cases and/or financial transactions, and whether it’s worth building additional security features into OpenID or whether we should just stick to SAML for that.

Sun’s move will help us get to the conclusion faster. So… congratulations to everyone involved.

However, I noticed this interesting comment on Dick’s blog “While it is great to have another major vendor join the OpenID community, I have not seen them very active around OpenID besides telling the OpenID community that SAML does everything that OpenID does”.

Given that, I’m curious to know the reasoning for going the OpenID route. Given the long history and expertise at Sun, SAML should have been the obvious choice for handling this use case (verification by the partner that the subject is a Sun employee). Not sure if it’s allowed under the un-conference rules to volunteer someone for a session. But next week at IIW, it will be interesting to hear from Eve, Pat, Hubert or anyone else and understand Sun’s logic behind the decision.
Is it because:

  • Bill Gates said so (as suggested by Dick).
  • SAML is overkill for 90% of the SSO use cases.
  • Sun was looking for some lightweight, easy to implement solution and OpenID fits the bill.
  • Marketing forced us to do this.
  • Implementing it ourselves is the best way to learn.
  • It’s windy outside. Looks like it’s going to rain (read…no reason whatsoever).

Another thing: an ‘employer-issued digital identity that’s linked to the corporate directory’ is the perfect poster use case for Information Cards. How did OpenID trump that?

Either way, it’s great to see Sun adopting OpenID. They have the experience as well as the expertise and this move will hopefully lead to better, mature and secure specs.

6 Responses to “Sun and OpenID”

  1. Kaliya Hamlin: Prepare your Un-tallent; Mark Wahl: Cross-organizational identity service schema discovery: SAML2 and WS-Federation (20070509); Dmitry Shechtman: Good Things Are Happening to MyBlogLog (and Yahoo); Ashish Jain: Sun and OpenID; Kaliya Hamlin: In Wired about CFP; claimID: Sun’s Take on OpenID; claimID: The Future of People Search; Brad Fitzpatrick: DJabberd 0.83; Brad Fitzpatrick: OpenMoko — got it; Johannes Ernst: Apparently this Blog has Fan Club in Germany

  2. It would be really useful if there was a screencast showing how SAML can be used by an end-user to sign in to something. As it is, I have no idea how the technology is meant to work.

  3. Ashish Jain says:

    Simon,

    The “overview” document for SAML is 61 pages (it’s probably longer than all of OpenID and its extensions combined). So… I agree with your comment.

    If only I had your skills of creating a ‘screencast’ :-) .

    Anyway, here is one from Kim that might provide some value.
    http://www.identityblog.com/?p=527

  4. I followed the demo at http://lightbulb.saml2.com/lb/home.php using an account from ssocircle.com – it appeared to work just like OpenID but with an explicit relationship between the IdP and the relying party.

  5. I use http://www.ambrosiasw.com/utilities/snapzprox/ for screencasts, but there are lots of other packages. Jon Udell has some great tips on putting them together here: http://www.oreillynet.com/pub/a/network/2005/02/07/primetime.html

  6. I hope we clarified our position this morning a little. Regarding OpenID and SAML: I think that OpenID is a great protocol for a variety of use-cases, but falls short for attribute exchange and privacy (to name a few). This is where SAML/Liberty, e.g. through YADIS or some other mechanism for getting the disco URL, can help. At the end of the day both sides benefit: OpenID gets additional services that it is currently lacking and SAML/Liberty get a mechanism to solve the discovery problem.
