Call me sentimental … but when I started to think about writing this post, I immediately flashed on that great Lennon and McCartney song, “With a Little Help from My Friends.” Read on and you’ll see why.
Response to the unveiling of “Geneva” at the PDC last week has been outstanding! If you thought all those blogs about the Identity Metasystem were just talk … this is Microsoft putting its money where its mouth is. Improvements over ADFS and CardSpace v1 are huge. The Microsoft Federated Identity server, framework and client teams have worked long and hard. Every one of them deserves a curtain call with a standing ovation. It was particularly heartwarming to see Pamela’s acknowledgement of the Federated Identity team’s labors and accomplishments.
“Geneva” comprises a rich claims-based access feature set that will deliver on much of the promise of the Identity Metasystem vision. I just want to focus on the SAML 2.0 protocol support in this article. In the hope of being able to submit “Geneva” Server to the Liberty Alliance interoperability testing program, Liberty Interoperable, we have targeted the IdP Lite and SP Lite Operational Modes from the SAML 2.0 Conformance Requirements specification, plus the GSA Profile which is referenced by many governments around the world. That is still a lot of functionality and we had to determine what customers really needed so we could prioritize our development process accordingly. Microsoft did not do this alone. We had a Lot of Help from Our Friends.
We have been working with customers and other vendors for over a year to determine what features of the SAML 2.0 protocol are most commonly deployed. They unanimously agreed that the Web SSO Profile is what matters most. Based on actual customer deployments – augmented by extensive consultation with experts from the Shibboleth community, and precious insights from other vendors, including IBM, Ping Identity, SAP and Sun Microsystems – the SAML 2.0 feature prioritization for “Geneva” Server looks like this (in descending order).
- Web SSO AuthnRequest : HTTP redirect
- Web SSO Response : HTTP POST
- Identity Provider Discovery : Cookie
- Web SSO Response : HTTP Artifact
- Artifact Resolution : SOAP
- Single Logout (IdP-initiated) : HTTP redirect
- Single Logout (SP-initiated) : HTTP redirect
- Enhanced Client/Proxy SSO : PAOS
Patrick Harding, from Ping Identity, provided a most eloquent confirmation of the “Geneva” plan.
Ping Identity has partnered with Microsoft on numerous federated identity initiatives over the last few years – from the early work on WS-Federation to the more recent Information Cards interoperability events. It was extremely gratifying to have Microsoft recognize Ping Identity’s market leading success with SAML 2.0 when they reached out to us to ensure that Microsoft’s SAML 2.0 Web SSO profile implementation in its upcoming products will successfully interoperate with PingFederate.
Microsoft’s support for SAML 2.0 is a watershed moment in the identity management industry as it now allows deployers to focus on the business value of Internet SSO rather than concerning themselves and their business partners with protocol choice. Microsoft’s decision to focus on the IdP Lite, SP Lite and eGov interoperability profiles for SAML 2.0 also matches Ping Identity’s expectations as to what is the minimum bar necessary for deployers to successfully leverage SAML 2.0. I am looking forward to continuing to work with Microsoft to solve the next set of issues that will allow us to further simplify the effort involved in establishing federated identity connections.
Congratulations to all at Microsoft who were involved in enabling SAML 2.0 in Geneva.
We are working our way down the SAML 2.0 feature list above As anyone who has ever developed software knows, code isn’t finished until you test it. And that meant testing “Geneva” Server to prove its interoperability with other implementations. Again, we got a Lot of Help from Our Friends. We owe a huge debt of gratitude to the Shibboleth community (Scott Cantor from The Ohio State University, and Jim Fox from the University of Washington, in particular), IBM (Tony Nadalin, Shane Weeden, Neil Readshaw) and Ping Identity (Patrick Harding, Tom Doyle, Pasha Beneson).
We would not have finished the “Geneva” beta in time for the PDC without this incredible outpouring of help from the community. On behalf of Microsoft I extend our heartfelt gratitude. I guess this shows that the Identity Metasystem is bringing people together, as well as technologies.