Showing posts with label WS-Federation. Show all posts

Thursday, November 20, 2008

WS-federation is enabled with 'Geneva' and obviously also SAML V2.0 support


Yesterday I had the pleasure of attending an Architecture session with Vittorio Bertocci on Identity Management and the Geneva server/Framework. Though he claimed not to be trustworthy since he's both Italian and long-haired, I found it quite the opposite. His presentation was right-paced and came with a fine live demo that he handled greatly with his tablet (envy). It inspired me to ask enough questions that I somehow qualified myself for a copy of his book Understanding Windows CardSpace: An Introduction to the Concepts and Challenges of Digital Identities, which he unfortunately didn't have with him!

The talk was on all the Geneva stuff (earlier Zermatt, not that I knew). My take-away was that WS-Federation (and WS-Trust with it) now has full product support and that MS sees that, combined with the claims model, as a big solver for the architectural complexity of handling identity. There were several questions on SAML V2.0 support, which has had quite a pickup in Denmark. The short answer was that IdP Lite support was there and that SP Lite was expected to follow later. I was disappointed to hear this, but today I found a positive source saying that not only is SP Lite implemented, it has undergone some interoperability tests with Ping, and maybe even a conformance test with Liberty is underway - it can all be read in “Geneva” SAML Interop … With a Lot of Help from Our Friends.

I still haven't found time and interest to delve into WS-Federation and WS-Trust, but it's becoming much more relevant. As for the clash between WS-Federation and SAML at OASIS (Federation power fight in the backyard of OASIS) I haven't read or heard anything since, but my best bet is that SAML V2.0 is here to stay, but that I expect development to happen in lieu of WS-Federation, since it's wider and has most of the big players. Also Sun, which has had a central part in SAML, is diminishing as a player.

There's more info on '/geneva': Identity Management ("Geneva" Simplifies User Access to Applications and Services), but apparently not all information is available yet, since I could not get any of the downloads from Geneva Whitepapers and Datasheet, except blank pages (in any browser). Another good place to look is the Cover Pages: Microsoft 'Geneva' Framework Supports SAML 2.0, WS-Federation, and WS-Trust.

The best language flower of the day was not from Vittorio, who had a solid but understandable accent, but from the host Rene Løhde, who at the start of the session told Vittorio that when it was time for the break he would give him the stare and then he would break him! Vittorio commented that it didn't sound nice.

I've noticed that Rene has a related TechTalk next week Identitetshåndtering på nettet med Geneva FX (tidl. Zermatt).


Sunday, May 20, 2007

Danish eGovernment Federation standard makes Microsoft support SAML 2.0 Token format


The fight between SAML 2.0 and WS-Federation has been present in Danish eGovernment for some time, and here the choice has fallen on SAML 2.0, being an OASIS standard with fair product support. There's more background information on that in Denmark's choice of SAML as the federation standard.

Recently the Danish National IT and Telecom Agency (DNITA) announced an agreement with Microsoft about partial support for SAML 2.0. The central part of the quote from the agreement is:

To support interoperability between WS-Federation and SAML 2.0 based products Microsoft has agreed to support the SAML 2.0 token format in the future release of Active Directory Federation Services code-named Active Directory Federation Services 2.

So it's only the token format, and not until the next version of ADFS, but good news is always welcome. It also mentions that WS-Federation has recently been submitted to OASIS, and adds:

This step further enables interoperability between federated environments that deploy SAML 2.0-based products and those that deploy WS-Federation-based products.

Well, I'll say the jury is still out on that one, as I've touched on in Federation power fight in the backyard of OASIS. As for the prior fight between SAML 2.0 and WS-Federation, I've found some articles like Microsoft Backs Web Services-Federation Against SAML 2.0 For Identity Federation and Vendors team on WS-Federation standard.


Federation power fight in the backyard of OASIS


First there was the clash over reliable web services messaging in OASIS. Second, the outlook for a potential double ISO standard for document formats. And now the next power fight looks to be on federation standards inside OASIS.

About a month ago OASIS let the word out with a Call for Participation on Web Services Federation. So what's the party about? you might ask. Well, you can start by reading the complete mail. It's long, so at a glance it looks like a lot of work has to be done; I guess it's a draft for the TC charter. The reason I write "looks like" is that the work kicks off on a version 1.1 of the WS-Federation specification, and I can't tell how close a match there is between the charter and the latest specification. One evil thought is that since the description is so detailed, it could look like an attempt to rubber-stamp the submitted specification, but a bit more on that later.

Version 1.0

The two versions of the specification can be found on the IBM WS-Federation site. The first version of Web Services Federation Language (WS-Federation), from July 8 2003, is 41 pages. The WSDL has 9 wsdl:message elements:

  • SignOutMsg
  • RequestSSOMessagesMsg
  • CancelSSOMessagesMsg
  • GetPseudonymMsg
  • GetPseudonymResponseMsg
  • SetPseudonymMsg
  • SetPseudonymResponseMsg
  • DeletePseudonymMsg
  • DeletePseudonymResponseMsg

and 12 wsdl:operation elements (spread over 6 wsdl:portType elements):

  • SignOut
  • RequestSSO
  • CancelSSO
  • GetPseudonymResponse
  • SetPseudonymResponse
  • DeletePseudonymResponse
  • GetPseudonymRequest
  • SetPseudonymRequest
  • DeletePseudonymRequest
  • GetPsuedonym
  • SetPsuedonym
  • DeletePsuedonym

This initial version was developed by

  • BEA Systems, Inc.
  • IBM Corporation
  • Microsoft Corporation
  • RSA Security, Inc.
  • Verisign, Inc.

Version 1.1

The second version (Version 1.1) is from December 2006 and has triple the original size with 124 pages. This version has some new participants, with RSA missing (the new ones being BMC Software, CA, Layer 7 Technologies and Novell):

  • BEA Systems, Inc.
  • BMC Software
  • CA, Inc.
  • International Business Machines Corporation
  • Layer 7 Technologies
  • Microsoft Corporation, Inc.
  • Novell, Inc.
  • VeriSign, Inc.

As for the WSDL for version 1.1, it's a bit strange. There's only one wsdl:message, called SignOut, and two wsdl:operation elements in separate wsdl:portType elements. I haven't dived into the specification yet, so maybe all the former operations stick, though it's not likely. In Appendix I - WSDL there's an example with the text "The following illustrates the WSDL for the Web service methods described in this specification", and it references 5 specifications, of which only one is a standard:

One conclusion could be that since 2003 there has been such a massive convergence (and spread over new WS-* specs) that the majority of operations are now defined in other specifications.

Counting points - the fight is on

In the mix of paranoia, conspiracy and facts it's interesting to read the comments resolution log (pdf). A lot has already been said and written about this; here are a couple of my picks: Burton Group, Eve Maler and Tim Bray. As usual the Cover Pages have a great collection of resources.
