>> If OpenID is just a lightweight SAML, all I need to do is stick a protocol gateway on the front of the SAML endpoints we already have, and be done with it.<br>For the use case I described of mainstream websites, I would agree that for years, they have been asking for the same type of MINIMUM functionality for federated login, and most of the technical requirements of that would be met by SAML. However, that still leaves a lot of unsolved usability/discoverability/outsourcing problems whose solutions end up being pretty close to the ones the OpenID community has been passionately pursuing for the claims based concept. But I say MINIMUM functionality because the companies who run those large sites certainly see opportunity in other functionality the identity industry is pursuing, whether it be claims, social integration, personal web services, etc. In fact, federated login by itself does little other than increase their user registration success rate.<div>
<br></div><div>What is less clear is whether/how those other pieces of functionality have to be tied into the login process. There are already plenty of sites that don't do federated login, but use aspects of claims based identity (such as Blog/Profile URL validation), personal web services (OAuth), social integration (OpenSocial), etc.</div>
<div><div><div><br></div><div><div><div><div><div><div><div><div><div class="gmail_quote">On Thu, Dec 4, 2008 at 3:41 PM, Peter Williams <span dir="ltr"><<a href="mailto:pwilliams@rapattoni.com">pwilliams@rapattoni.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div lang="EN-US" link="blue" vlink="purple">
<div>
<div>
<div><div class="Ih2E3d">
<div>
<p>A mainstream website might trust any IDP that is
hosted by a known SaaS vendor. However, for the longer tail we may see a
need for companies who build a business out of validating the UI/reliability of
IDPs and selling those lists to other websites.</p>
</div>
</div><div>
<p><span style="font-size:11.0pt;color:#1F497D">This seems very SAML-notion centric, based on architectural forms
~5 years old. </span></p>
<p><span style="font-size:11.0pt;color:#1F497D">Isn't the ___user___ supposed to be in charge, in OpenID?</span></p>
<p><span style="font-size:11.0pt;color:#1F497D">Isn't that the CRUX of what openid is all about and
what makes it different to SAML (other than needing SSL/PKI and using
name/value pairs and XRDS markup … instead of the SAML markup and xmldsig?)</span></p>
<p><span style="font-size:11.0pt;color:#1F497D">OpenID is not an idp-centric federation concept. OpenID is not
an sp-centric federation concept. It CLAIMS/CLAIMED to be a user-centric (federation)
concept – a model seeking to differentiate itself from the well-known hangups
of the previous 2 concepts.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D">I have to admit, from the trends I see, and in the hands of
the "big players": OpenID is turning into a simple lightweight version
of SAML2, featuring the idp-centric model. If one uses the unsolicited assertion
model, it does do a damn good impression of SAML1, too.</span></p>
<p><span style="font-size:11.0pt;color:#1F497D">I have to admit I don't think we, in reality, could really care
less. But, what was always interesting/revolutionary about openid was the
model, not the swap of bits. If OpenID is just a lightweight SAML, all I need
to do is stick a protocol gateway on the front of the SAML endpoints we already
have, and be done with it.</span></p>
</div>
</div>
</div>
</div>
</div>
</blockquote></div><br></div></div></div></div></div></div></div></div></div></div>