SAML and Windows Login

Interesting post from James on the possibilities of Windows desktop systems being SAML identity providers (IdPs). Currently, a similar mechanism exists for desktop single sign-on from Windows (via SPNEGO, using Kerberos tokens, which, by the way, OpenSSO and Access Manager support directly, no IIS ‘bounce’ required), but this is limited to a single enterprise’s AD infrastructure and can be pretty tricky to deploy. It’s easy to imagine IE submitting SAML assertions to service providers at Internet scale in the way James describes. Microsoft seem to be reconsidering the case for supporting SAML 2.0, so they may even be receptive to something like this.

Where James does get things twisted (to use one of his favorite expressions :-) ) is in imagining that Sun and Oracle have much influence on our friends in Redmond. Microsoft’s paying customers have MUCH more clout than their competitors/partners. I’d suggest, James, that you band together with your peers at enterprises such as GM and Boeing, who I know, from their participation in Concordia, have very similar desires. Heck, you could even roll up your sleeves and dive right in to Concordia - it’s free, very enterprisey and Microsoft participate with open ears…