Tim Bass responds to my objections to his earlier article on the immaturity of modern identity protocols. He makes the valid point that the maturity of a technology should not be measured by the time it has been available, but by the level of adoption and actual deployment numbers:
“On the other hand, I am measuring “maturity” by actual usage, and the
proof of security solutions is in the actual adoption, not simply years
of standards activity and vendor marketing.” (Tim Bass)
I fully agree with Tim that this is a very important factor in evaluating the maturity of a given technology, probably more important than the technology's availability. In fact, my earlier post was not very clear on this. On the other hand, I do believe that an extended peer review with subsequent revisions does contribute to the maturing of a given technology.
It turns out that SAML and its related technologies (Shibboleth and Liberty) excel in both these requirements for maturity:
- As I pointed out earlier, SAML (the concepts as well as the technology) has been peer reviewed since 2001 by a number of very different organizations such as OASIS, Liberty Alliance, and Internet2. This extensive review process resulted in two subsequent versions that incorporated security fixes and enhancements, as well as new features. It has very broad community and industry support from open source projects, universities, and companies like Microsoft, Oracle, Novell, HP, Sun and many, many others. For more information take a look e.g. at Eve’s blog or Scott’s presentation.
- SAML has been deployed on a very broad scale. There are a number of not-so-visible financial and telco deployments that are huge, but also the highly visible higher education deployments (see here). In fact, there are few (if any) other web-centric identity-related technologies that can boast an adoption comparable to SAML.
So, at the end of the day, I still maintain that Tim’s assessment of SAML as an immature technology is – at least – incomplete.
tag: saml, identity, protocols, cybersecurity, standards