[OpenID] Speed of deployment of open source vs "commercial federation servers" - "auto-connect" and metadata

Peter Williams pwilliams at rapattoni.com
Fri Jan 25 20:50:39 UTC 2008


I don't think marketing claims like the following help websso (and openid specifically) take off:

http://img.en25.com/eloquaimages/clients/pingidentity/%7b7fda0d17-0c11-4979-9e81-ddb9744c83b1%7d_rapidsecureinternet_sso1.jpg

I just went through -- with a novice websso partner (who is no longer a novice) -- a 3 day implementation of a bilateral connection using uninett's websso php open source toolkit. That toolkit supports openid (v1.1, I'm guessing), Shib1.3 and a passable though partial implementation of SAML2. There is good reason to believe the partner tested with other sites, during their interoperability testing, too. Good for them! It was fun reading the PHP, and seeing how simple XML can be to handle as a long string, if you just avoid those Java APIs for SAML2 from Georgetown Uni!

Though the partner used the SAML2 path through the src library, I'm guessing it would only now be an additional half a day for them to also turn on the openid port. I'll prod them to do this.

To now be fair to Ping Identity (who have long supported openid), having been a little critical, they are obviously promoting their new "auto-connect" model. Discover the IDP's metadata automatically based on a user's email address' domain name ...and pull it down right then and there during sp-initiated websso (given a whitelist of DNS domains), much as openid2 does something similar with XRDs during openid auth. Instead of an XRD xml file having service endpoints and delegated IDs, the SAML signed metadata does the same for either an indexed set of std URL endpoints or (if one profiles the SAML2 generics further) your own custom svc URLs/endpoints. We should analyse the degree to which this model emulates the XRD published by OPs (in the OP-Identifier invocation model of law #4) and/or the XRD published by users (treating each SAML_SUBJECT as an IDP, in openid/UCI fashion.)
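
As an added illustration (not code from this post, from uninett's toolkit or from Ping's product), here is a Python sketch of the SP-side "auto-connect" step described above: take the domain from the user's email address, refuse anything outside a whitelist of DNS domains, and pick the SingleSignOnService endpoint out of SAML2 IdP metadata by binding. The metadata document, the whitelist and the example.org names are constructed, and verifying the metadata's signature is assumed to happen before this step.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse
MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"  # ElementTree namespace prefix
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# Constructed sample: the kind of IdP EntityDescriptor an auto-connect fetch
# would pull down for the user's domain (its signature assumed already verified).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://idp.example.org/saml2/idp">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml2/idp/SSOService"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml2/idp/SSOService"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
ALLOWED_DOMAINS = {"example.org"}  # hypothetical whitelist of DNS domains

def email_domain(email):
    local, sep, domain = email.rpartition("@")  # domain part, lower-cased
    if not (local and sep and domain):
        raise ValueError("not an email address: %r" % email)
    return domain.lower()

def domain_allowed(domain, allowed=ALLOWED_DOMAINS):
    # Exact match or a subdomain of a whitelisted domain ("evilexample.org" fails).
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def sso_endpoint(metadata_xml, binding=HTTP_REDIRECT):
    # Pick the IdP SingleSignOnService Location for the wanted binding.
    root = ET.fromstring(metadata_xml)
    if root.tag != MD + "EntityDescriptor":
        raise ValueError("metadata root is not an EntityDescriptor")
    idp = root.find(MD + "IDPSSODescriptor")
    if idp is None:
        raise ValueError("metadata describes no IdP role")
    for svc in idp.findall(MD + "SingleSignOnService"):
        if svc.get("Binding") == binding and svc.get("Location"):
            return svc.get("Location")
    raise ValueError("no SingleSignOnService for binding " + binding)

def resolve_sso(email, metadata_xml):
    # Auto-connect: whitelist the user's domain, then the endpoint the metadata names.
    domain = email_domain(email)
    if not domain_allowed(domain):
        raise PermissionError("domain not whitelisted: " + domain)
    location = sso_endpoint(metadata_xml)
    url = urlparse(location)
    if url.scheme != "https" or not domain_allowed(url.hostname or ""):
        raise PermissionError("endpoint outside whitelist: " + location)
    return location
```

The second whitelist check matters because the metadata, not the user, names the endpoint: without it a document for a whitelisted domain could still redirect the login to a host the SP never agreed to connect to.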
