
shibboleth-dev - RE: WS-Fed vs. SAML 2.0


RE: WS-Fed vs. SAML 2.0


  • From: "Scott Cantor" <>
  • To: <>
  • Subject: RE: WS-Fed vs. SAML 2.0
  • Date: Fri, 18 Nov 2005 11:02:15 -0500
  • Organization: The Ohio State University

> I don't understand WS-Fed well enough to understand the significance
> of this. Could somebody elaborate? Is Microsoft shying away from
> SAML 2.0 core or SAML 2.0 profiles?

Both at the moment, but they'll probably eventually provide SAML 2.0
assertion support, which I've asked Don about several times. Heck, if ADFS
had originally been planned for Dec 2005, you'd think they'd have supported
both anyway. They will probably never support SAML protocol unless WS-Trust
fails in the marketplace.

The article itself is nonsense, of course, and I suspect Don said things
along those lines, but not exactly. Claiming SAML doesn't have "reliable
messaging or transaction" support is like claiming cars don't float. When
you need to take one across the water, you put it on a ferry.

There's only one meaningful difference between WS-Trust and SAML, and that's
N x N token translation vs. N x 1. I understand the strong arguments in
favor of N x N, I just think in practice people will find that to be a lot
more work and harder to get right.

Neither one is currently usable by itself to secure anything but browser SSO
with any degree of interoperability, so that's a complete non-sequitur. Also
worth noting that the Infocard stuff is not based on WS-Federation, it's
WS-Trust (circa whenever they froze their draft internally) combined with
some "HTTP cookie as security token" notions.

-- Scott



