IdentityMeme.org

I just ran across this group at Last.fm..

Stats

..it’s denizens post articles about and pointers to cool little gizmos/widgets/whathaveyous that one can use to leverage Last.fm data.

I ran across it via this person’s profile..

Anthony Liekens

..he has a personal website where he offers..

Data mining musical profiles
Anthony Liekens, March, 28-April, 2 2007

..that article, and a web interface to his various tools.
.

=JeffH sez check it out

I’m blogging about my personal computing environment over on my “personal” blog, and just posted a note about my recent migration from MS Windows XP to (K)ubuntu GNU/Linux. Here’s a pointer to it..

I Done Left Los Windows…
http://kingsmountain.com/blog/archives/2008/01/30/i-done-left-los-windows/

=JeffH

Eve (aka xmlgrrl) posted the following bit of musing today..

Circles of trust: disaster? or really bad idea?
http://www.xmlgrrl.com/blog/archives/2008/01/21/circles-of-trust-disaster-or-really-bad-idea/

..which I tend to think hits the proverbial nail pretty squarely on the head wrt “open internet”, “trust all comers”, and “trust circles”.

One very small, detail-level comment I have on her post is that where she writes..

(where users are okay with this sort of back-channel communication)

..I would instead make it explicitly clear that “users” sometimes don’t have any direct say with respect to the machinations of the IT department on their behalf. Hence I would write it as..

(where users are okay with this sort of back-channel communication, or where they don’t have any say (e.g. in an enterprise deployment))

Note I don’t feel that the latter is necessarily a good thing, but it’s reality in corporate, governmental, and education worlds (at least), and no amount of attesting that “I want to own my identity data!” is going to change it any time soon (admittedly unfortunately). Besides one’s identity, outside of one’s own thoughts, “..is a story“, as Bob Blakley noted a while back, but has been understood for quite a while by social scientists and philosophers (see, for example, Erving Goffman).

But I digress…

I’ve done a modest editorial and copy editing update to the OpenID SAML technical comparison document announced earlier. Going forward, the latest rev will be available via this URL:

http://identitymeme.org/doc/draft-hodges-saml-openid-compare.html

It looks like this new SAML wiki..

SAML.XML.org

..opened for business on or about the middle of October 2007. Looks like it’ll be a good resource for the wide SAML community.

There’s also another wiki that’s apparently for the members of the OASIS Security Services Technical Committee (SSTC - the group creating and shepherding the SAML specs)..

SSTC Wiki

..so it looks like we’ll have to be careful to figure out what sort of content goes where.

This page..

SAML Open Source Implemenations

..lists eight (at this time) open source SAML implementations of one flavor or another. If you have one and it isn’t listed there as yet, create an account and edit the wiki page appropriately

Over the past couple of years quite a few folks have asked me, and I’m sure others, “what’s the salient differences between OpenID and SAML?” So earlier this year I began hacking together a technical comparison of the two. It’s an interesting exercise comparing two Web SSO protocols, even one as ostensibly simple, and straightforwardly specified, as OpenID. It turns out to be a fairly complex task given all the different facets inherent in authentication protocols in general, and in web-, i.e. HTTP-based, protocols (and profiles thereof) in particular. And also given the various audiences affected by such protocols: implementors, deployers, end users, and protocol designers.

The resultant comparison paper, “Technical Comparison: OpenID and SAML - Draft 05″ seems to me to be at a stage where it can be shared widely (i.e. on the web ), here it is..

http://identitymeme.org/doc/draft-hodges-saml-openid-compare-05.html

..For many readers, sections 1, 2, and perhaps 3 ought to cover things. For those necessarily interested in gory, really geeky details, parts or all of section 4 will be of interest. Note that this is still a “draft“–there are various items, especially in section 4, that are not as yet evaluated as thoroughly as I’d like, or at all (as yet).

I’ve tried as much as possible to provide an objective comparison. It’s admittedly difficult given I’ve been intimately involved in SAML’s gestation since essentially the very beginning. It’s also a technically difficult comparison because of the differing design centers of OpenID and SAML, as well as differing specification styles, and thus the difficulty in presenting the comparison to the reader, not to mention attempting to be “balanced“.

So, I hope this paper will prove at least somewhat enlightening and useful to the multifaceted “identity” community out there, and to those shepherding websites who are wondering what these two oft-mentioned beasts are, how’re they’re different/similar/alike, and also nominally how they work.

=JeffH sez check it out.

I’ve updated the SAML-lSSO and SAML OpenID Profile specs just to bring them up-to-date with the latest revisions of various SAML and OpenID specs and to fix minor editorial issues. The SAML-lSSO spec is presently not a current IETF Internet-Draft — it’s prior version expired a few months ago. We’re thinking about whether we want to pursue that spec “officially” or not. The issue with it being that in implementing it, one can optionally turn security completely off — which is a “feature” various folks advocating for so-called “open Internet” identity management desire. But SDOs such as IETF, OASIS, W3C, Liberty Alliance, etc all would look askance at blessing such a spec. In fact the IETF definitely would not allow it to go forward in that they have an explicit policy against promulgating insecure protocols.

The SAML OpenID Profile is a simple hack I threw together a year or so ago (in a single afternoon) to prove the point that there’s nothing OpenID accomplishes protocol- and user-experience-wise that is inherently un-do-able with SAML. [1]

Anyway, here’s the links to said specs…

SAMLv2 Lightweight Web Browser SSO Profile

OpenID-SAML Lightweight Web Browser SSO Profile - Draft 02

=JeffH sez check ‘em out.

[1] Note that I’m not claiming that they are equivalently “easy” to implement. By “implement” I mean to write code implementing the protocol on both or either the Relying Party or Identity Provider (aka OpenID Provider) side. Also note that I don’t use the term “implemneting” as a synonym for “deployment”. Also, I am not claiming that they are equivalently “easy” to deploy. Almost all the artifacts of deployment are inherent in how a protocol is implemented. A “feature” that’s often claimed about OpenID as a differentiator is that anyone with a minimally capable hosting environment can field an OpenID relying party. I.e. they don’t need root access, nor access to their webserver configuration, etc. In fact, the same is true with some (all?) of the “scripty” SAML implementations, e.g. ZXID being a case in point.

Andreas Åkre Solberg writes on his Feide blog..

simpleSAMLphp 0.3 is launched. Most interesting in this new release is the SAML 2.0 IdP functionality. The documentation is not covering everything in detail yet, but it should be sufficient to get something up running.

The simpleSAMLphp 0.3 package also features a Shibboleth 1.3-compatible SP written in PHP.

Here’s someone — Phil Duba — out in the wide web-developer world who’s picked up the SAML specs, largely figured them out, and is working on integrating it (SAML-based SSO) into sites built with Cold Fusion…

SAML and ColdFusion - Part 1
http://www.philduba.com/index.cfm/2006/12/29/SAML-and-ColdFusion–Part-1

SAML and ColdFusion - Part 2
http://www.philduba.com/index.cfm/2007/2/9/SAML-and-ColdFusion–Part-2

Cool Stuff.