<html><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; ">
Peter,<div><div><br><blockquote type="cite"><div id="idOWAReplyText54069" dir="ltr"><div dir="ltr"><font face="Arial" color="#000000" size="2"><span class="Apple-style-span" style="color: rgb(0, 0, 221); font-size: 12px; -webkit-text-stroke-width: -1; ">As of this month, at least 1 US university that could not do WebSSO with Google Apps now can (I hope this is true! ... via Shibboleth2 software). This month, a<font face="Arial" size="2">t least 1 OP that didn't publicly do SAML2... now does, motivated also by the desire to let its outsourcing customers also talk to Google Apps. The way Google did their websso nicely promotes IDP outsourcing, with trivial setup. This will align nicely with AX, which clearly promotes similar outsourcing notions. The move is on! Infrastructure vendors who promote WebSSO silos are out!</font></span></font></div></div></blockquote><div><br class="webkit-block-placeholder"></div><div>It certainly is true of multiple universities -- USC most prominently -- and Google's support for federated identity standards is great. We're also thrilled about Microsoft DreamSpark and its Shibboleth-based validation mechanism. Students aren't interested in even having a .edu email address today, so federated identity was the obvious solution to the problem.</div><div><br class="webkit-block-placeholder"></div><div>These are very large, prominent applications, though. There are many other ones that are equally important but forgotten. About a year ago I worked with some folks from Max Planck who were trying to set up federated identity for a distributed system for recording information about rare languages. It was clear that the tools of the time were too heavy and complex for their needs. 
On the other side of the spectrum, NIH is exploring federated identity and they need stronger authentication and identity-proofing than most campuses can supply today.</div><div><br class="webkit-block-placeholder"></div><div>We have a lot of work to do in both directions to support most services.</div><br><blockquote type="cite"><div id="idOWAReplyText54069" dir="ltr"><div dir="ltr"><font face="Arial" color="#000000" size="2"><font face="Arial" size="2"><span class="Apple-style-span" style="color: rgb(0, 0, 221); font-size: 12px; -webkit-text-stroke-width: -1; ">On using the TestShib to make a trial of the Shib2 SP provider for IIS7, the problem is surely also me and my technical limits: I'm really struggling to generate a flow against the TestShib2 IDP. But, the scenario is forcing me to learn new tools and new management systems, just as deploying JanRain's .NET OpenID consumer forces one to first learn all about Mono, Boo, and xvm webserver for Win32.</span></font></font></div></div></blockquote><div><br class="webkit-block-placeholder"></div><div>After you set your clock correctly, it looks from the IdP side like things are okay. Is there another problem you're encountering that I could help with?</div><blockquote type="cite"><div id="idOWAReplyText54069" dir="ltr"><div dir="ltr"><font face="Arial" size="2"></font></div></div></blockquote><br><blockquote type="cite"><div id="idOWAReplyText54069" dir="ltr"><div dir="ltr"><font face="Arial" size="2">OpenID's main contribution is clearly yet to come. It will lie in the trust model area, not the current binding of name/value pairs onto http redirects.</font></div></div><div id="idSignature60347"><font face="Arial"></font></div></blockquote><br></div><div>I absolutely agree. A few co-authors and I wrote a little article for IEEE exploring ways to make SAML handle a more distributed trust model. 
The reconciliation of identity asserted by users and their trusted webs of friends versus the traditional proofing techniques required by organizations is fertile ground, and I would love to see the OpenID community pioneer this. It's perfectly situated for this crucial work.</div><div><br></div><div><a href="http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&TheCat=1001&path=security/2008/n2&file=bsi.xml&">http://www.computer.org/portal/site/security/menuitem.6f7b2414551cb84651286b108bcd45f3/index.jsp?&pName=security_level1_article&TheCat=1001&path=security/2008/n2&file=bsi.xml&</a></div><div><br></div><div>Take care,</div><div>Nate.</div></div></body></html>