ADFS, WS-Federation and SAML in the enterprise

James McGovern left an interesting comment on my previous entry concerning WS-Federation and SAML 2.0.

James says

A customer's perspective is slightly different than what you suggest in your posting. MS is doing the right things with WS-Federation. After all, if you consider that 99.9% of all Fortune enterprises and their B2B partners have AD installed, they would eliminate not only the need for SAML but for enterprises to buy yet another piece of software that really should be bundled with the OS in order to solve for problems across enterprises. Federated identity conversation is somewhat consumer-focused. Would be great if participants could put on an enterprise lens when considering solutions…

Thanks for the comment, James. I think you’re right, up to a point. Microsoft is doing the right things, from the perspective of MS themselves and ‘MS shops’. If you have a pure MS infrastructure, then WS-Federation and ADFS are great news. If you have a mixed environment, and some or all of your business partners have a mixed environment, then this is good news, but it could have been so much better. After all, if MS had issues with the way SAML worked in their environment, they could have contributed to the SAML 2.0 process in OASIS and we would have had the ‘grand convergence’ of federation specs. But, for their own reasons, they chose not to engage there.

I spent Monday with one of our biggest enterprise customers. They have selected SAML 2.0 for web single sign-on across their various departments and divisions and with external partners. WS-Federation makes no sense for them as they have no MS SSO infrastructure – it’s all Sun, IBM and Oracle (Oblix). In common with the 99.9% of Fortune enterprises you mention, they do have AD as a NOS directory, so ADFS support for WS-Federation rather than SAML just complicates their lives.

Leaving aside the question of whether federation technology should be bundled with the OS, the fact is that Microsoft are only now beginning to fill the gaps in federation. They have chosen to do so using proprietary specifications (remember, WS-Federation is a specification, not a standard) rather than an existing open standard with wide adoption. It will be an interesting couple of years as enterprises make their choices. But again, choosing products using a common standard would have been so much better than having to bet on a spec.

Update on WS-Federation, SAML 2.0

I posted my previous blog entry as feedback to Patrick Harding’s SAML 2.0 article in Network World. Patrick was kind enough to reply this morning, saying that Network World TechUpdate articles focus on a single technology which, in this case, was SAML 2.0 rather than the wider topic of Federated Web SSO. Never mind that writing about the convergence of federation technology into SAML 2.0 without mentioning WS-Fed is like not mentioning the elephant in the room.
Anyway, Patrick gave me his permission to post his excised paragraph:

What about WS-Federation? Anyone using Microsoft’s upcoming Active Directory Federation Service will be using WS-Federation, as it is the protocol supported by ADFS. WS-Federation will likely become the second important federation protocol going forward, even though the primary focus of the WS-* initiative is web services. While one could argue the industry would be better off with a single standard, having two is a whole lot better than having seven.

I can’t agree more – taking the pragmatic view, we now have a converged standard for federated web single sign-on supported by the entire industry save a single vendor. Perhaps Microsoft could one day join us at OASIS in bringing the benefits of WS-Federation to SAML 2.next?

SAML 2.0 simplifies federation

Patrick Harding of Ping Identity has written an article on SAML 2.0 for Network World. It’s a useful resource, describing both the SAML 2.0 specifications (at a high level) and the convergence of standards and specs that led to them. However, it’s a little strange that Patrick makes no mention of WS-Federation, especially since Ping support WS-Federation in a number of their products.
Why so coy, Patrick???