OpenId and SAML
By bblfish on Mar 01, 2007
One nice thing is it looks like we can have one URL Identifier and use both services. Pat Patterson recently showed with a nice video how one can use the same id to work with OpenId and SAML. His solution is simply to add a meta tag in the head of the html like this:
<meta http-equiv="X-XRDS-Location" content="http://patlinux.red.iplanet.com/superpat/yadis.xml">
This brings one to a YADIS file which lists the various types of identification services one wishes to use with one's id. The YADIS file links to a SAML file with identification information, and the url of the authentication server. From there on the process looks quite similar to that of OpenID, except that the information passed to and fro is in more complex xml documents.
So we have two more indirections than the simplest OpenId example, or only one more indirection than Sam Ruby's nice OpenId howto. So what does one gain? Well, SAML is understood to be enterprise ready and proven to work with very large installations, which are the use cases it set out to solve. This of course comes at the cost of more complexity, which may or may not be covered by open source projects such as OpenSSO.
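The discovery step described above, as an added example that is not from the post or from Pat Patterson's setup: it pulls the X-XRDS-Location out of a constructed identity page, then parses a constructed YADIS (XRDS) document listing one OpenId service and one SAML service. The SAML service Type URN and all URLs are assumptions for illustration; the fetch is a callable so the code runs offline.

```python
"""Yadis/XRDS discovery: HTML meta tag -> XRDS document -> service list."""
from html.parser import HTMLParser
import xml.etree.ElementTree as ET

# Constructed stand-in for the identity page carrying the meta tag from the post.
IDENTITY_HTML = """<html><head><title>id</title>
<meta http-equiv="X-XRDS-Location" content="https://id.example.org/yadis.xml">
</head><body>my identity page</body></html>"""

# Constructed XRDS (Yadis) document. The SAML Type URN is an assumption.
XRDS_DOC = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>urn:oasis:names:tc:SAML:2.0:metadata</Type>
      <URI>https://id.example.org/saml/metadata.xml</URI>
    </Service>
    <Service priority="10">
      <Type>http://openid.net/signon/1.1</Type>
      <URI>https://id.example.org/openid/server</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

XRD_NS = "{xri://$xrd*($v*2.0)}"  # default namespace used by XRD elements

class _XrdsLocationParser(HTMLParser):
    """Collects the content of <meta http-equiv="X-XRDS-Location">."""
    def __init__(self):
        super().__init__()
        self.location = None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # HTMLParser lower-cases attribute names
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.location = a.get("content")

def find_xrds_location(html):
    p = _XrdsLocationParser(); p.feed(html); return p.location

def parse_xrds(xml_text):
    """Return (priority, type, uri) tuples, lowest priority value first."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    services = []
    for svc in root.iter(XRD_NS + "Service"):
        prio = int(svc.get("priority", "999999"))  # absent priority sorts last
        uri = svc.findtext(XRD_NS + "URI")
        for t in svc.findall(XRD_NS + "Type"):
            services.append((prio, t.text.strip(), uri))
    return sorted(services)

def discover(html, fetch):
    """Relying-party view: the service list is only as trustworthy as the hop to it."""
    loc = find_xrds_location(html)
    if loc is None or not loc.startswith("https://"):  # policy: no plaintext discovery
        raise ValueError("no usable X-XRDS-Location")
    return parse_xrds(fetch(loc))
```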
Some interesting links I came across doing this research:
- A very introductory overview of the identity problem from an enterprise perspective by David Goldsmith (Open Road Blog): video and accompanying pdf.
- Sam Ruby explains how to set oneself up with OpenId.
- Sun's OpenSSO (Open Single Sign On) Server, hosted on java.net, where future versions of the Access Manager are being developed.
- A collection of tutorials on identity management.
- Netbeans identity
- xmldap a way to combine Microsoft's CardSpace with OpenId
- Speed Geeking which is like speed dating.
- SAML 2.0 Aligning Web 2.0 with Identity 2.0
- Lightbulb: Bringing SAML to PHP
 It also shows a horrible OASIS urn; why does OASIS always use urns instead of urls?
 Notice how this could have been cut down to no indirection with the use of rdf vocabularies. The YADIS and the SAML files could have been combined, and they could in turn have been combined with the information at the openid resource...