Sunday, May 22, 2005

Forced Moves in Identity Space (or 'the Web made me do it')

Evolutionary scientists find it useful to contemplate the set of all creatures past, present, and future as part of an infinite design space (referred to by the natural philosopher Daniel Dennett as the "Library of Mendel" in his book Darwin's Dangerous Idea - this is a tribute to Gregor Mendel and his pea pods).

The idea is that particular species occupy (or occupied) specific positions in this design space, characterized by their values along an infinite set of axes (e.g. leg length, number of digits, etc). Evolution is then seen as movement through this space, the set of coordinates for a species changing (smoothly or more jerkily depending on your theory) as time goes by.

Within this vast space there are some points (or more accurately lines) that have been occupied more times than mere chance would suggest is appropriate. Some features of living creatures are 'forced moves', i.e. things so obvious that we aren't surprised to see them repeated across many different animals and so repeatedly hit upon in design space. Examples include bilateral body symmetry, two eyes for stereo vision, mouth at the front of the body, etc.

When we see such forced moves in different creatures, we don't have to assume any special relationship between those animals; it's enough to know that the animals deal or dealt with similar environments and constraints and have independently come across the unavoidable wisdom of the forced move. For instance, otters and dolphins both have body shapes that are suited for moving around underwater, but we don't have to believe that one evolved from the other (or from some recent shared ancestor) because of this similarity. Streamlining just makes sense when you spend a lot of time underwater.

Some features of SSO suites are forced moves, i.e. things so obvious that we aren't surprised when multiple suites take advantage of them. Examples include HTTP redirects, URL parameters, HTML form POSTs, SOAP messaging, claiming to be user-centric, etc. Taking advantage of what the common infrastructure provides just makes sense.

If, however, we saw very similar features in different SSO suites for which it could not be claimed that both protocols were forced to that choice, then we would be justified in assuming that there was some sort of relationship between them, most likely through descent (acknowledged or otherwise).

For instance, Liberty defined the Authentication Context mechanism in its ID-FF. There is very similar functionality in SAML 2.0. Consequently, it's not surprising that the functionality in SAML 2.0 is directly descended from that in ID-FF 1.2 (through Liberty's contribution of ID-FF 1.2 as input to SAML 2.0). It would be surprising (even suspicious) to see two such similar mechanisms in different SSO suites without such a relationship, because authentication context doesn't feel like a forced move.

Why does this matter? The more forced moves there are, the greater will be the similarities between the different SSO suites (e.g. SAML 1.1, ID-FF 1.2, SAML 2.0, WS-Federation, SxiP, LID, etc) and the less fundamental the differences. The more trivial the differences, the greater the chances of interoperability between them.

1 comment:

Anonymous said...

Great observation. Often more unites us than we think.

However, there is one big difference that may remain: REST vs. SOAP/WS-*. For example, in LID, which is fairly unique by being very REST-ful, everything that matters has a URL, and lots of things follow from that. Different things -- often more complex -- will follow from more complex WS-*.