Wednesday, November 29, 2006

A marriage of convergence

Conor provides some feedback on the OpenID Authentication Quality Extension. I was involved along with David and Avery so will take the opportunity to respond (not to the specific issues he lists but the meta-issue)

Conor's fundamental objection is that the proposed extension does not take advantage of SAML's Authentication Context

Overall, as far as I can tell, there is nothing in this specification that is not easily handled using the SAML Authentication Context structure and so I don't understand why they didn't just adopt that model as-is (and the SAML model clearly handles much more than the limited cases supported currently by this proposal). At the minimum, this document should be a limited profile of what portions of the SAML model they want to use.
The proposal's acknowledgement of the similarity between AQE and SAML AC isn't enough.
This is all you hear from or about SAML in the entire specification. There are no other references to the SAML authentication context, nor any use of the structures or capabilities of the Authentication Context. I'm not sure why this is even mentioned here if they aren't going to make use of any of the SAML work in this area.
Personally (and I'm not speaking for David or Avery) I see OpenID leveraging SAML Authentication Context as a desirable end-state (as do I seeas desirable SAML possibly leveraging those pieces of OpenID for which there is no comparable existing functionality in SAML 2.0) and hope that AQE gets us closer to that end-state. Afterall, you can't converge if you don't have two parts to align.

There are tantalizing opportunities for convergence between OpenID and SAML floating around - AQE and AC is just one such.

I would not have liked to have seen Conor courting his wife. "Look, we both know where this is going so let's just cut to the chase".

2 comments:

Avery Glasser said...

You hit it - for there to be convergence, there need to be two sides, each bringing something to the table, and then negotiating out any areas where the concepts aren't aligned already.

Aligning (doing similar things in a complimentary manner) and possibly even fully converging (bringing OpenID and SAML together into one protocol) is a great goal. However, there are immediate demands from enterprises surrounding implementation of strong authentication. If we wait to converge the protocols, we'll miss some significant enterprise opportunity.

Now, do we quote SAML AC in the OpenID AQE spec? No. I mean, we mention it because it is the long term goal, but we're not writing a SAML spec here - we're writing an OpenID one... and we're not looking to confuse implementers.

The AQE is a first step at aligning OpenID and SAML in a manner that is lightweight and easy to implement so that existing and new OpenID OP/RP can immediately start taking benefit while we look at how we will further gain benefit across the protocols.

Pat said...


I would not have liked to have seen Conor courting his wife. "Look, we both know where this is going so let's just cut to the chase".

On the contrary, I think it would have been fascinating to be a fly-on-the-wall at such a scene :-)