Well I had a lovely day today with the super brains that form the SDSS Expert Group at Edina in Edinburgh, including the newest contractor for the group in the form of Chad La Joie. Whilst our focus was on talking about the bright and beautiful future of Shibboleth development, we spent some time talking about O-Auth and Open-ID…or for want of a better word the ‘O Factor’.
Every couple of years a new access management standard comes along and people tell me that SAML is dead, there is a new king, I need to move on. I smile sweetly, wait and watch patiently.
There is a concept that education in the UK needs the ‘O Factor’. I think this is perhaps confusing the use case and misinterpreting the technology requirements. What I often hear is ‘wouldn’t it be lovely if our users could use their own identity and assign affiliation attributes to it’. This is often followed up by ‘OpenID will do that, right?’.
This is asking the wrong question and looking at the wrong requirement. As I have mentioned before, there is no real concept of a ‘user-centric’ or ‘user-managed’ identity. All of our personas and credentials represent our affiliation to one organisation or another (Facebook, Twitter, Bank, Institution) and these credentials are managed on our behalf by these organisations.
Sometimes, these organisations add certain authorisations to our profile (Bank, Institution). Sometimes they offer a useful personal identifier (Twitter). Sometimes they are merely useful routes in to a certain environment and we place no value on them (Facebook).
When institutions ask the question ‘Can our students use their own IDs?’ I think they are really asking ‘should we be in the business of issuing credentials?’. This is more akin to the conversation ‘should we outsource our e-mail?’ than a useful conversation about how to bridge the personal / affiliation space. I think if most institutions in Higher Education asked ‘should we be in the business of issuing credentials?’ the answer would inevitably be yes. For Further Education, this is still true…but they may choose to outsource the management of such credentials to a reliable third party. So perhaps we don’t actually need the ‘O Factor’.
There are other ways of looking at the conundrum. I accept that I might want to assert a personal identifier, such as my Twitter name, instead of, say, an eduPersonPrincipalName when commenting on blogs. This mixes the personal and affiliated space nicely. However, SAML attributes could easily make this possible…so again I see no need for the O Factor.
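To make the point concrete, here is an added example (not code from the post or from the Shibboleth project) of how a SAML service provider could consume an attribute statement that carries both an affiliation identifier (eduPersonPrincipalName, whose OID is the real one) and a personal handle released alongside it. The attribute name `urn:example:attribute:personalHandle` is a hypothetical, locally defined attribute, and the attribute statement is a constructed sample. The SP uses the personal handle only for display (commenting on a blog) and keeps the scoped ePPN for authorisation, checking that the asserting IdP is actually trusted for that scope.

```python
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN_OID = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"          # eduPersonPrincipalName (real OID)
HANDLE_NAME = "urn:example:attribute:personalHandle"   # hypothetical local attribute
HANDLE_RE = re.compile(r"^@[A-Za-z0-9_]{1,15}$")       # Twitter-style handle shape

# Constructed sample: a minimal SAML 2.0 AttributeStatement as an IdP might
# release it after attribute filtering. Signature/conditions checks on the
# enclosing Assertion are assumed to have happened before this point.
SAMPLE_ATTRIBUTE_STATEMENT = """<saml:AttributeStatement
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  FriendlyName="eduPersonPrincipalName">
    <saml:AttributeValue>jsmith@example.ac.uk</saml:AttributeValue>
  </saml:Attribute>
  <saml:Attribute Name="urn:example:attribute:personalHandle"
                  NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"
                  FriendlyName="personalHandle">
    <saml:AttributeValue>@jsmith_tweets</saml:AttributeValue>
  </saml:Attribute>
</saml:AttributeStatement>"""


def parse_attributes(statement_xml: str) -> Dict[str, List[str]]:
    """Map each Attribute Name to its list of AttributeValue strings."""
    root = ET.fromstring(statement_xml)
    attrs: Dict[str, List[str]] = {}
    for attr in root.findall("saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if not name:
            continue
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", SAML_NS) if v.text]
        attrs.setdefault(name, []).extend(values)
    return attrs


def authorization_identifier(attrs: Dict[str, List[str]],
                             trusted_scopes: Set[str]) -> Optional[str]:
    """Return the affiliation identifier (ePPN), or None if it is absent,
    multi-valued, unscoped, or scoped to a domain this IdP is not trusted for."""
    values = attrs.get(EPPN_OID, [])
    if len(values) != 1:
        return None
    eppn = values[0]
    user, sep, scope = eppn.rpartition("@")
    if not sep or not user or scope.lower() not in trusted_scopes:
        return None
    return eppn


def display_identifier(attrs: Dict[str, List[str]],
                       trusted_scopes: Set[str]) -> Optional[str]:
    """Prefer a well-formed personal handle for public display (e.g. a blog
    comment byline); fall back to the affiliation identifier."""
    for handle in attrs.get(HANDLE_NAME, []):
        if HANDLE_RE.match(handle):
            return handle
    return authorization_identifier(attrs, trusted_scopes)


if __name__ == "__main__":
    released = parse_attributes(SAMPLE_ATTRIBUTE_STATEMENT)
    scopes = {"example.ac.uk"}
    print("authorise as:", authorization_identifier(released, scopes))
    print("display as:  ", display_identifier(released, scopes))
```

The scope check matters because an IdP is only authoritative for identifiers in its own scope(s), which is exactly the sort of rule a federation profile pins down for SPs; the handle, by contrast, is treated as untrusted display data and validated for shape only.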
One of the many problems in the O-Auth and OpenID space is the ‘which implementation’, ‘which standard’ question. As we know with all standards, it is one thing to say ‘standard compliant’; it is another thing to actually interoperate with another standards-compliant entity. Recent developments in the O-Auth and OpenID space have seen a proliferation of modules that make it very difficult to say whether one implementation will work with another. Major O-Auth rewrites at Yahoo and Google are proof of this pudding. SAML is not innocent in this space either, which is why I’m a big supporter of the SAML2-int-profile that I’m hoping most federations will cite as their basis of what it actually means to be ‘SAML compliant’. I fear many software vendors may shudder at this news.
One of the things we’ve been pushing with the Shibboleth Core Team for some time is ‘give us a concrete use case’. This means we are more than happy to investigate new and interesting directions for SAML implementations…but we need a concrete use case in place first that can help define the real technical implementation. My invitation to you is to tell us: do you have a real concrete use case for the O Factor?
In more surprising news, it transpires that Ian Young has never seen Pinky and the Brain. How could you Ian? So especially for the SDSS team, here’s Pinky, the Brain and Chad…
Brain: All I have to do is head past Duraway, cross Finland, and get to the ride controls which are just behind Chad.
Pinky: Chad who?
Brain: Chad the country.
Pinky: What a lovely name! Do you think it would suit me?
Brain: Personally, I think “Dolt” would be more appropriate.
Brain: Pinky, after I switch the tapes, I’ll meet you near Chad.
Pinky: I’d like to meet Chad!
Brain: Chad is not a person!
Sorry Chad, you’re not a person. The Brain has spoken!
Thanks for a great article.
While I agree with most of your views, I don’t like that OAuth and OpenID are put under the same umbrella. OAuth is proven to work equally well in the SAML world as in the OpenID world. And more importantly, OAuth solves something that today’s identity federations cannot do: let services exchange information about a principal (the current user) in a privacy-enhancing way. The SAML world has some solutions for this, such as ID-WSF, but I don’t think it serves our use cases very well…
Unless it touches directly on access to learning materials or a service that can enhance the student experience in some way and only supports OpenID or OAuth, why would an institution bother taking on even more maintenance overhead? SAML works just fine for user-to-service SSO internally. Meanwhile IMS Basic LTI is happily doing service-to-service OAuth between systems which at the user level use SAML for SSO.