Friday, February 22, 2008

Impedance Mismatch

SAML & ID-WSF are joined at the hip, likewise seemingly OpenID & OAuth.

A swap is in order.

Consider the IDP Selection model of the 4 - this is the bit by which a user and a consumer of identity come to agree on where to get the identity.

There are essentially 2 choices, let's call them "User Drives" and "Consumer Drives", distinguishing between who is in 'charge'.

User Drives (UD)

1) User visits some identity consumer
2) User specifies identity provider
3) Consumer works with the specified identity provider to get some identity

Consumer Drives (CD)

1) User visits some identity consumer
2) Based on its relationships, consumer offers user a list of candidate identity providers
3) User chooses from within list
4) Consumer works with the chosen identity provider to get some identity

UD pushes consumers towards promiscuity in picking their provider partners; CD reflects the existence of business and trust relationships that constrain consumers and providers.

I'll argue that the 4 identity systems above are each either restricted to (or optimized for) UD or CD as follows:
  • SAML - CD (because SAML defines nothing comparable to OpenID's association mechanism for dynamic trust)
  • ID-WSF - UD (because the Discovery Service enables dynamic trust brokering by which a consumer of identity can be matched up with an a priori unknown provider)
  • OpenID - UD (well duh)
  • OAuth - CD (because it presumes a relatively static trust model with a priori key and secret exchange)
So how do you reconcile the apparent mismatches, e.g. a UD-ish OpenID with a CD-ish OAuth? Or CD-ish SAML with UD-ish ID-WSF?

Perhaps we should consider swapping spec partners? Get everybody together, have a few drinks, and see what happens. No pressure.

I know I've seen ID-WSF, when cutting the lawn, sneaking peeks at OpenID sunbathing, so there is definitely interest there.

