Web Services Contraptions - SAML's maturity

Wednesday, October 24, 2007

Tim Bass responds to my objections to his earlier article on the immaturity of modern identity protocols. He makes the valid point that the maturity of a technology should not be measured by the time it has been available, but by the level of adoption and actual deployment numbers:

"On other other hand, I am measuring “maturity” by actual usage, and the proof of security solutions is in the actual adoption, not simply years of standards activity and vendor marketing." (Tim Bass)

I fully agree with Tim that this is a very important factor in evaluating the maturity of a given technology, probably more important than the technologies availability. In fact, my earlier post was not very clear on this. On the other hand, I do believe that an extended peer review with subsequent revisions does contribute to the maturing of a given technology.

It turns out that SAML and its related technologies (Shibboleth and Liberty) excel in both these requirements for maturity:

As I pointed out earlier, SAML (the concepts as well as the technology) has been peer reviewed since 2001 by a number of very different organizations such as OASIS, Liberty Alliance, and Internet 2. This extensive review process resulted in two subsequent versions, that incorporated security fixes and enhancements, as well as new features. It has very broad community and industry support from open source projects, universities, and companies like Microsoft, Oracle, Novell, HP, Sun and many, many others. For more information take a look e.g. at Eve's blog or Scott's presentation.
SAML has been deployed on a very broad scale. There are a number of not-so-visible financial and telco deployment that are huge, but also the highly visible higher education deployments (see here). In fact, there are few (if any) other web centric identity related technologies that can boast an adoption comparable to SAML.

So, at the end of the day, I still maintain that Tim's assessment of SAML as an immature technology is - at least - incomplete.

tag: saml, identity, protocols, cybersecurity, standards

Identity

Wednesday, October 24, 2007 8:57:43 AM (Eastern Standard Time, UTC-05:00)

Comments [0] |

Comments are closed.

Messages

Calendar

March 2010

Sun

Mon

Tue

Wed

Thu

Fri

Sat

Email Subscription

Blogroll

Constantin Gonzalez' Weblog

Adventures of an Eternal Optimist

Anyway

Conor's Web Log of Esoterica

del.icio.us/beuchelt

Don Box's Spoutlet

Enterprise Architecture: Thought Leadership

Harold Carr's Blog

Identity for All - On bits and bytes

James Gosling: on the Java Road

Jamie Lewis - CEO and Research Chair

Johannes Ernst's Blog

Kim Cameron's Identity Weblog

Kirill's notes

Links

Marc Hadley's Blog

meta-douglasp

Mike Jones: self-issued

Nicholas Allen's Indigo Blog

ongoing

Phil Windley's Technometria

Pushing String

Robin Wilton's esoterica

TechEd Iron Architect Contest

The Aquarium

Web Services Contraptions

xmldap

Links

Technorati Profile

On this page

Disclaimer

The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.

In addition, my opinions can change. This weblog provides a momentary snapshot of such opinions. Existing posts that were written in the past do not necessarily reflect my current thoughts and opinions.

For the purposes of attribution, the author is "Gerald Beuchelt" and attribution shall provide a (clickable, where possible) URL to this site.

E-mail