[Openid-specs-fastfed] FastFed Requirements

McAdams, Darin darinm at amazon.com
Wed Jun 7 21:04:10 UTC 2017


Anyone disagree with the tenet under discussion?

  #  Tenet 4) Push Implementation Complexity onto IdPs

The discussion has been about the numbers and ratios, but returning to the main question: if we face a choice between pushing implementation complexity onto an IdP implementer vs an SP implementer, does anyone disagree about pushing complexity onto the IdP implementer?

The IdP _administrator_ (as opposed to the implementer) is also important. When using a hosted provider, the admin should see FastFed capabilities “just appear” when the provider launches it. Admins running their own installation will upgrade to a newer release to get the capabilities. The heavy lifting has been done by their chosen vendor.

From: Openid-specs-fastfed <openid-specs-fastfed-bounces at lists.openid.net> on behalf of "openid-specs-fastfed at lists.openid.net" <openid-specs-fastfed at lists.openid.net>
Organization: Gluu
Reply-To: Mike Schwartz <mike at gluu.org>
Date: Wednesday, June 7, 2017 at 1:48 PM
To: "Hardt, Dick" <dick at amazon.com>
Cc: "openid-specs-fastfed at lists.openid.net" <openid-specs-fastfed at lists.openid.net>
Subject: Re: [Openid-specs-fastfed] FastFed Requirements

I agree that IdP vendors < SaaS providers; I don't agree that IdPs <
SaaS providers. But if we're talking about admins, why aren't we valuing
IdP admins?

Regarding the ratio... what we find is that the minority of SaaS
providers support inbound SAML (and almost none support inbound OpenID
Connect). That's why so many SSO services are still pushing passwords.

Generally, SaaS providers get serious about supporting SAML when they
get a critical mass of requests from their customers. At that point,
they can justify the SAML investment. So it's mostly just the larger
SaaS providers. Even fewer support OpenID Connect (almost none, Amazon
being one of the exceptions).

- Mike



On 2017-06-07 15:06, Hardt, Dick wrote:
On 6/7/17, 12:38 PM, someone claiming to be "Openid-specs-fastfed on
behalf of openid-specs-fastfed at lists.openid.net"
<openid-specs-fastfed-bounces at lists.openid.net on behalf of
openid-specs-fastfed at lists.openid.net> wrote:
     More organizations have IDPs than SaaS providers support federated
     authentication. Frankly, SaaS providers only support federated authn
     when they get enough demand from customers, which sort of speaks to the
     ratio I am positing.
Mike: I’m confused what ratio you are implying here. Would you clarify?