OpenId and SAML

Paul Madsen illustrates the relation between OpenId and SAML

Having looked at OpenID, I got to wondering a little how it links in with other technologies such as SAML.

One nice thing is that it looks like we can have one URL identifier and use both services. Pat Patterson recently showed in a nice video how one can use the same identifier with both OpenID and SAML. His solution is simply to add a meta tag to the head of the HTML page, like this:

<meta http-equiv="X-XRDS-Location" content="http://patlinux.red.iplanet.com/superpat/yadis.xml">
This brings one to a YADIS file, which lists the various types of identification services one wishes to use with one's identifier. [0] The YADIS file links to a SAML file with identification information and the URL of the authentication server. From there on the process looks quite similar to that of OpenID, except that the information passed to and fro is carried in more complex XML documents.
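The discovery chain described above, worked through as an added example (this is not code from the original post or from Pat Patterson's demo): the identifier page's head is scanned for the X-XRDS-Location meta tag, then the XRDS/YADIS document it points to is parsed and the preferred service of a given type is selected. The hostnames, the sample documents and the URN urn:example:saml:sso are constructed for the example; the OpenID Type URIs are the real ones from the OpenID 1.1 and 2.0 specifications.

```python
"""Yadis discovery walk-through (added example): locate the XRDS document from an
identifier page's <head>, then pick a service from it. Sample data is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import xml.etree.ElementTree as ET

XRDS_NS = "xri://$xrds"          # namespace of the XRDS root element
XRD_NS = "xri://$xrd*($v*2.0)"   # namespace of XRD, Service, Type, URI, LocalID

# Constructed identifier page. The second meta tag sits in <body>, where
# injected content could land, and must be ignored: Yadis only honours <head>.
SAMPLE_HTML = """<html><head><title>superpat</title>
<meta http-equiv="X-XRDS-Location" content="https://id.example.org/superpat/yadis.xml">
</head><body>
<meta http-equiv="X-XRDS-Location" content="https://evil.example.net/yadis.xml">
</body></html>"""

# Constructed XRDS/YADIS document. OpenID Type URIs are the real ones from the
# specs; the SAML Type is a placeholder, as the page does not give the OASIS URN.
SAMPLE_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>urn:example:saml:sso</Type>
      <URI>https://saml.example.org/idp/SSO</URI>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://openid.example.org/server</URI>
      <LocalID>https://id.example.org/superpat</LocalID>
    </Service>
    <Service>
      <Type>urn:example:file-service</Type>
      <URI>ftp://files.example.org/</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

class _HeadMetaParser(HTMLParser):
    """Collect the first X-XRDS-Location meta tag that appears inside <head>."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.xrds_location = None

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "body":
            self.in_head = False        # <head> was closed implicitly
        elif tag == "meta" and self.in_head and self.xrds_location is None:
            a = dict(attrs)
            if (a.get("http-equiv") or "").lower() == "x-xrds-location":
                self.xrds_location = a.get("content")

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def find_xrds_location(html):
    """Return the XRDS URL announced in <head>, or None if absent or not http(s)."""
    p = _HeadMetaParser()
    p.feed(html)
    p.close()
    loc = p.xrds_location
    return loc if loc and urlparse(loc).scheme in ("http", "https") else None

def _children(elem, local_name):
    return [c for c in elem if c.tag == "{%s}%s" % (XRD_NS, local_name)]

def parse_xrds(xml_text):
    """Return the services of the final XRD, sorted so the preferred one comes first."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}XRDS" % XRDS_NS:
        raise ValueError("not an XRDS document")
    xrds = _children(root, "XRD")
    if not xrds:
        raise ValueError("XRDS document contains no XRD")
    services = []
    for svc in _children(xrds[-1], "Service"):   # Yadis: the last XRD applies
        prio = svc.get("priority")
        local_id = _children(svc, "LocalID")
        services.append({
            "priority": int(prio) if prio and prio.isdigit() else None,
            "types": [t.text.strip() for t in _children(svc, "Type") if t.text],
            "uris": [u.text.strip() for u in _children(svc, "URI") if u.text],
            "local_id": local_id[0].text.strip() if local_id and local_id[0].text else None,
        })
    # Lower priority value wins; services without a priority attribute sort last.
    services.sort(key=lambda s: (s["priority"] is None, s["priority"] or 0))
    return services

def select_service(services, wanted_type):
    """First service offering wanted_type that has an http(s) endpoint, else None."""
    for s in services:
        if wanted_type in s["types"]:
            web_uris = [u for u in s["uris"] if urlparse(u).scheme in ("http", "https")]
            if web_uris:
                return dict(s, uris=web_uris)
    return None
```

Two checks matter for a relying party here: only a meta tag inside the head counts, so content that an attacker manages to inject into the body of an identifier page cannot redirect discovery, and both the XRDS location and the chosen service endpoint must be http(s) URLs, since whoever controls the XRDS document controls where the user is sent to authenticate. A real Yadis client also accepts an X-XRDS-Location HTTP response header and fetches the identifier URL itself, which this offline example leaves out.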

So we have two more indirections than the simplest OpenID example, or only one more indirection than Sam Ruby's nice OpenID howto [1]. So what does one gain? Well, SAML is understood to be enterprise-ready and proven to work with very large installations, which are the use cases it set out to solve. This of course comes at the cost of more complexity, which may or may not be covered by open source projects such as OpenSSO.

Some interesting links I came across doing this research:

[0] It also shows a horrible OASIS URN; why does OASIS always use URNs instead of URLs?
[1] Notice how this could have been cut down to no indirection at all with the use of RDF vocabularies. The YADIS and SAML files could have been combined, and they could in turn have been combined with the information at the OpenID resource...

Comments:

I was pointed to the following paper Comparison: OpenID and SAML - Draft 00, which goes into precise detail about the differences between the two protocols.

Posted by Henry Story on March 02, 2007 at 06:27 AM CET #

In order for authorization to be supported, the folks in the OpenID community would need to have the desire of moving past the basics of identity. Likewise, the features of an identity selector (e.g. Cardspace) will need to change. IMHO it seems no one really cares to talk deeper about authorization as it may require too much work on their parts...

Posted by James on March 05, 2007 at 04:29 AM CET #

Note that the above-mentioned OpenID-SAML comparison doc revision -00 is now superseded by this one:

http://identitymeme.org/doc/draft-hodges-saml-openid-compare-05.html

see also..

http://identitymeme.org/archives/2007/12/17/draft-technical-comparison-openid-and-saml/

Posted by =JeffH on January 14, 2008 at 11:06 AM CET #

The latest revision of the OpenID - SAML comparison paper will permanently be available at this URL..

http://identitymeme.org/doc/draft-hodges-saml-openid-compare.html

..rev -05 is now superseded by -06, a relatively minor editorial update.

Posted by =JeffH on February 10, 2008 at 11:03 AM CET #
