The Sun BabelFish Blog
Don't panic !
OpenId and SAML
Having looked at OpenId, I got to wondering a little how it links in with other technologies such as SAML.
One nice thing is that it looks like we can have one URL identifier and use both services. Pat Patterson recently showed in a nice video how one can use the same id to work with OpenId and SAML. His solution is simply to add a meta tag in the head of the html like this:
<meta http-equiv="X-XRDS-Location" content="http://patlinux.red.iplanet.com/superpat/yadis.xml">
This brings one to a YADIS file, which lists the various types of identification services one wishes to use with one's id. [0] The YADIS file links to a SAML file with identification information and the url of the authentication server. From there on it looks like the processes are quite similar to those of OpenID, except that the information passed to and fro is in more complex xml documents.
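To make the discovery step concrete, here is a small Python walk-through I have added (it is not Pat Patterson's code nor anything from the post): it pulls the X-XRDS-Location value out of a page's head, parses the YADIS (XRDS) document it points at and lists the advertised services, and runs the two sanity checks a relying party ought to apply before trusting that document. The HTML, the XRDS document, the id.example.net hostname and the urn:example SAML service type are all constructed for the example; only the OpenID 1.x service type URL is a real one.

```python
"""Yadis discovery walk-through: find the XRDS location in an HTML page,
then list the identity services the XRDS document advertises."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

# Real XRDS/XRD namespace URIs used by Yadis documents.
XRDS_NS = "xri://$xrds"
XRD_NS = "xri://$xrd*($v*2.0)"

# Constructed sample identifier page using the meta tag form shown in the post.
# The hostname is a placeholder, not a real identity server.
SAMPLE_HTML = """<html><head>
<title>My identity page</title>
<meta http-equiv="X-XRDS-Location" content="https://id.example.net/yadis.xml">
</head><body>Hello</body></html>"""

# Constructed sample XRDS document (the "YADIS file") listing two services.
# The OpenID type is the real 1.x service type; the SAML type is a made-up
# placeholder URN, since the post does not reproduce the real one.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="10">
      <Type>http://openid.net/signon/1.0</Type>
      <URI>https://id.example.net/openid/server</URI>
    </Service>
    <Service priority="20">
      <Type>urn:example:saml-service-type</Type>
      <URI>https://id.example.net/saml/metadata.xml</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""


class XrdsLocationParser(HTMLParser):
    """Collect every X-XRDS-Location meta tag found in the page."""

    def __init__(self):
        super().__init__()
        self.locations = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)  # attribute names arrive lower-cased
        if (a.get("http-equiv") or "").lower() == "x-xrds-location" and a.get("content"):
            self.locations.append(a["content"].strip())


def find_xrds_location(html):
    """Return the first X-XRDS-Location value, or None if the page has none."""
    p = XrdsLocationParser()
    p.feed(html)
    return p.locations[0] if p.locations else None


def list_services(xrds_xml):
    """Parse an XRDS document and return its services, most preferred first."""
    root = ET.fromstring(xrds_xml)
    services = []
    for svc in root.iter(f"{{{XRD_NS}}}Service"):
        prio = int(svc.get("priority", "0"))  # lower number means higher preference
        types = [t.text.strip() for t in svc.findall(f"{{{XRD_NS}}}Type") if t.text]
        uris = [u.text.strip() for u in svc.findall(f"{{{XRD_NS}}}URI") if u.text]
        services.append({"priority": prio, "types": types, "uris": uris})
    return sorted(services, key=lambda s: s["priority"])


def check_location(identifier_url, xrds_url):
    """Checks a cautious relying party applies before fetching the XRDS file.
    The XRDS decides which servers may vouch for the id, so fetching it over
    plain http lets a network attacker swap the service list. Yadis itself
    allows the XRDS to live on another host, so the host mismatch is a
    heuristic worth logging rather than a spec violation."""
    ident, xrds = urlparse(identifier_url), urlparse(xrds_url)
    problems = []
    if xrds.scheme != "https":
        problems.append("xrds not served over https")
    if xrds.hostname != ident.hostname:
        problems.append("xrds hosted on a different host than the identifier")
    return problems


if __name__ == "__main__":
    loc = find_xrds_location(SAMPLE_HTML)
    print("XRDS location:", loc)
    print("checks:", check_location("https://id.example.net/", loc) or "ok")
    for s in list_services(SAMPLE_XRDS):
        print(s["priority"], s["types"], s["uris"])
```

Run it as a script and it prints the discovered location, the check results and the two services in priority order; a real relying party would of course fetch the HTML and XRDS over the network instead of using the embedded samples.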
So we have two more indirections than the simplest OpenId example, or only one more indirection than Sam Ruby's nice OpenId howto[1]. So what does one gain? Well, SAML is understood to be enterprise ready and proven to work with very large installations, which are the use cases it attempted to solve. This of course comes at the cost of more complexity, which may or may not be covered by open source projects such as OpenSSO.
Some interesting links I came across doing this research:
- A very introductory overview of the identity problem from an enterprise perspective by David Goldsmith (Open Road Blog): video and accompanying pdf.
- Sam Ruby explains how to set oneself up with OpenId.
- Sun's OpenSSO (Open Single Sign On) Server, hosted on java.net, where future versions of the Access Manager are being developed.
- A collection of tutorials on identity management.
- Netbeans identity
- xmldap a way to combine Microsoft's CardSpace with OpenId
- Speed Geeking which is like speed dating.
- SAML 2.0 Aligning Web 2.0 with Identity 2.0
- Lightbulb: Bringing SAML to PHP
[0] It also shows a horrible oasis urn, why does oasis always use urns instead of urls?
[1] Notice how this could have been cut down to no indirection with the use of rdf vocabularies. The YADIS and the SAML files could have been combined, and they in turn could have been combined with the information at the openid resource...
Posted at 05:04PM Mar 01, 2007 by Henry Story in General | Comments[4]
Note on comments:
- I know the forms below are a little small. We have asked for years for this to be changed, but I don't think it's going to happen soon. In Apple's Safari you can resize the entry box with your mouse. For people using other browsers, click on this javascript link, which should allow you to resize your form.
- Comments are moderated, so they will take a little time to appear. Currently moderation means I have to read them personally. Hopefully with OpenId deployment, this will become more automated.
- HTML markup no longer works here, due to some decision made somewhere. Sorry about that.
- If you are having trouble posting, it may be that you need javascript to be enabled. I don't think javascript should be needed for submitting a form, but that's the way it is here.
- Check your comments by using the preview button...
Posted by Henry Story on March 02, 2007 at 02:27 PM CET #
Posted by James on March 05, 2007 at 12:29 PM CET #
Note that the above-mentioned OpenID-SAML comparison doc revision -00 is now superseded by this one:
http://identitymeme.org/doc/draft-hodges-saml-openid-compare-05.html
see also..
http://identitymeme.org/archives/2007/12/17/draft-technical-comparison-openid-and-saml/
Posted by =JeffH on January 14, 2008 at 07:06 PM CET #
The latest revision of the OpenID - SAML comparison paper will permanently be available at this URL..
http://identitymeme.org/doc/draft-hodges-saml-openid-compare.html
..rev -05 is now superseded by -06, a relatively minor editorial update.
Posted by =JeffH on February 10, 2008 at 07:03 PM CET #