Tuesday Jul 10, 2007

SSO from OpenSSO to ADFS via WS-Federation

Not too many blog entries lately, as I've been elbow-deep in code - Friday saw the first ever single sign-on from OpenSSO to Microsoft Active Directory Federation Services (ADFS) via WS-Federation (click on the screenshot for a closer look at the output of the ADFS test app). This is OpenSSO acting as an account partner (in ADFS terminology), or identity provider, to ADFS as a resource partner, or service provider. There is a lot of work still to do - single logout, account and attribute mapping, etc, but the core SSO protocol support is all there now.

Friday Dec 09, 2005

ADFS, WS-Federation and SAML in the enterprise

James McGovern left an interesting comment on my previous entry concerning WS-Federation and SAML 2.0.

James says

A customer's perspective is slightly different than what you suggest in your posting. MS is doing the right things with WS-Federation. After all, if you consider that 99.9% of all Fortune enterprises and their B2B partners have AD installed, they would eliminate not only the need for SAML but for enterprises to buy yet another piece of software that really should be bundled with the OS in order to solve for problems across enterprises. The federated identity conversation is somewhat consumer focused. Would be great if participants could put on an enterprise lens when considering solutions....

Thanks for the comment, James. I think you're right, up to a point. Microsoft is doing the right things, from the perspective of MS themselves and 'MS shops'. If you have a pure MS infrastructure, then WS-Federation and ADFS are great news. If you have a mixed environment, and some or all of your business partners have a mixed environment, then this is good news, but it could have been so much better. After all, if MS had issues with the way SAML worked in their environment, they could have contributed to the SAML 2.0 process in OASIS and we would have had the 'grand convergence' of federation specs. But, for their own reasons, they chose not to engage there.

I spent Monday with one of our biggest enterprise customers. They have selected SAML 2.0 for web single sign-on across their various departments and divisions and with external partners. WS-Federation makes no sense for them as they have no MS SSO infrastructure - it's all Sun, IBM and Oracle (Oblix). In common with the 99.9% of Fortune enterprises you mention, they do have AD as a NOS directory, so ADFS support for WS-Federation rather than SAML just complicates their lives.

Leaving aside the question of whether federation technology should be bundled with the OS, the fact is that Microsoft are only now beginning to fill the gaps in federation. They have chosen to do so using proprietary specifications (remember, WS-Federation is a specification, not a standard) rather than an existing open standard with wide adoption. It will be an interesting couple of years as enterprises make their choices. But again, choosing products using a common standard would have been so much better than having to bet on a spec.

Saturday May 14, 2005

Sun/Microsoft Press Conference

Well - it's done. I've been involved in the web single sign-on interoperability work with Microsoft since the beginning of the year - four and a half months of painstaking specification work, designing a demo, going on vacation while the real engineers built the demo (BIG kudos to Emily for the protocol work and Lauren for the web pages on our side, Ryan on the MS side - the demo worked flawlessly and looked great!) then a final flurry of work on the demo script and rehearsals for the big day.
Watch the webcast - I'm presenting the demo with Don Schmidt of Microsoft. There's a press release (if that's your sort of thing) and a factsheet. The actual specs are online at Sun and Microsoft. I'm not going to repeat any of that here. I will say that it is somewhat nerve-wracking giving a live presentation just 6 feet from Steve Ballmer and Scott McNealy! AND - there is no truth in the rumour that I am Steve Ballmer's 'good twin'...
I've read blogs and comments that represent this as Sun moving from open to proprietary standards. This is emphatically not the case. The big news, as I see it, is that customers now have a way to implement SSO with the upcoming Active Directory Federation Services that would otherwise not exist. These specifications are published and will be submitted to a standards process, so other identity management vendors can implement them or not as they see fit.