Craig Burton made quite a stir at the Cloud Identity Summit last week with the assertion that "SAML is dead". He based the claim on his conservative estimate of 28 million APIs in the future, one for every person and every device. The question is when this will occur. Ping's Patrick Harding was the first to say at the conference that OpenID Connect may one day be able to replace SAML. And the new identity service, PingOne, allows a connect-once, federate-many architecture. But point-to-point SAML federation between enterprises is far from dead and is growing daily. I think that, like the COBOL programming language, it will be around for a long time.
Anyhow, long-time identian Dave Kearns felt inspired to poetry by the event:

  • Dave Kearns: R.I.P. SAML
    "My colleague, Craig Burton, caused quite a stir at the recent Cloud Identity Summit when he declared "SAML is dead". The Twitterverse exploded in comment. After reflecting for a few days, I'd like to add a bit of doggerel to the discussion. To the tune of "Poor Jud is Dead" (and with apologies to Oscar Hammerstein II):"

There were several other items of interest to the identity community:


  • OIX: Respect Network Brings Together Neustar and Swisscom as Founding Partners of World's First Trusted Data Network
    "Specifically, the Respect Network is the first network being built from the ground up to give people control of their personal data and the ability to realize that data's value. Unlike centralized social networks, the Respect Network is a decentralized, multi-provider network much like today's email or banking networks. Additional partners in the network include Kynetx, Gluu, The OpenXDI Project, Project Danube, The Customer's Voice, Planetwork, and Bitworld. Ctrl-Shift and the Searls Group have also joined as lead consulting partners."
    [Mydex greets important Respect Networks news]
  • Some of the OpenID Foundation Summit July 2012 videos available
    "On July 16, 2012, we had OpenID Connect Interop and OpenID Foundation Summit in conjunction with the Cloud Identity Summit 2012, in Vail, Colo. Both sessions were very well attended. We decided to record some of the sessions. It was an on-the-fly decision, so not all sessions were recorded and some had glitches, but I hope it is better than nothing. So here they are!"
  • Nat Sakimura: Requirements to Digital Identity back in 2004
    "To prepare for the panel discussion at the Cloud Identity Summit 2012, I was looking back to my old blog posts. Then, I found this article "Requirements to Digital Identity" which was written back in 2004 in Japanese. Here is the translated version of it: (I have paraphrased them a bit to meet more modern terminologies.)"
  • Gunnar Peterson: Assume a Secure Endpoint
    "This is a snippet from my Cloud Identity Summit talk, there is an old physics saying - assume a spherical cow of uniform density. Thanks to Marcus Ranum we now have the infosec equivalent - "the endpoints we have so far never made any successful effort to secure, which we will assume forthwith to be secure.""
  • Francois Lascelles: Returning from #CIS2012
    "It's beautiful and quiet at Vail Cascade this morning. As I stepped outside, I'm pretty sure I saw SAML scurrying away into the trees. This is weird given this week's proclamations that SAML was dead. Although we won't be rid of SAML anytime soon, I do look forward to enterprise adoption of the new kid on the block: OpenID Connect. Easier federation, OpenID Connect-style is already common for consumer identity providers; enterprise identity providers should take note and follow suit. As a vendor of API Management infrastructure, it's up to us to enable the enterprise to better reach out to its target audience. I see support for OpenID Connect as a key component in achieving this today."
  • Andrew Nash: The Identity Information Ecosystem is ready for Startups
    "The challenge is that Google for a host of reasons has to play an enabling role in the Consumer Identity/Attribute Exchange world. It can help create the playground, but does not get to have fun playing on the swings or monkey bars. Other companies have to develop the new business models, value propositions, use cases and solutions that will advance Consumer Information sharing models. I have decided (somewhat sadly) it is time to move from Google for a consumer identity information startup (yes, I am the kid that liked to leap off the swing at the top of its arc)."
  • Martin Kuppinger: SCIM and the Microsoft Graph API
    "Kim Cameron recently blogged about his view on SCIM and the Microsoft Graph API. Kim explains his view as to why SCIM and the Microsoft Graph API, which is related to the WAAD (Windows Azure Active Directory), are complementary. That reminded me of two older posts in my own blog: in 2010 I posted about an idea which Microsoft unveiled at a PDC (Professional Developers Conference) called system.identity; and last year, after SCIM has been announced, I published some of my thoughts about SCIM. Even while I didn't focus explicitly on relationships in the second post but more on the management of entitlements, there is much about relationships in there implicitly. And when looking back at the concept of system.identity (which, from what I see, influenced WAAD and the Microsoft Graph API) it is also about a concept which is much more about dealing with relationships and the ability to model a more complex reality than simply access protocols via LDAP."
  • The value of information - the reason for information security
    "If you've ever struggled with finding the argument for an investment in information security, here it is: According to a survey recently published by Symantec, 40% of the worth of organizations is derived from the information they own. The link goes to a German site and the extract of that survey specific to Germany but the report is in English. The global version can be found here. There are other interesting numbers: 57% of the German respondents expect a loss of customers and 48% brand damage in case of a leak of information (and breach notification). The global numbers aren't that different. On a global basis, information is estimated to be 49% of the organization's total value, while 49% expect loss of customers and 47% brand damage in a data leak event."
  • Jeff Hodges: RLBob: SUNet ID and the Registry and Directory Infrastructure
    "Primary among RL "Bob" Morgan's (aka "RLBob") many contributions during his time at Stanford Networking Systems, was being a key visionary and instigator behind the Stanford University SUNet ID project, as well as the underlying Registry and Directory Infrastructure."
  • John Fontana: Foundation gathering, open sourcing ID technology
    "The OpenID Foundation introduces a message bus with identity capabilities as part of a plan to create a venue where ID technology can be vetted, open sourced and made available to enterprises, Web site operators and others."
  • John Fontana: Key mobile, API security spec set for IETF approval next week
    "The OAuth 2.0 Authorization Framework working group said Monday all outstanding questions on the spec have been answered and it is complete. The spec has been under review by the entire Internet Engineering Steering Group since April."


  • Phil Windley: My Own URL Shortener
    "Nobody likes link rot. Link rot breaks the Web. But in the age of Twitter, short URLs are a necessity. I think the best way to keep my short URLs from rotting is to take charge of the process myself. This post shows how I built a simple, reliable URL shortening service that runs under my control."
  • How simple is an OpenID Connect Basic client?
    "This is an updated post based on draft 20 of the Basic Client Profile. Nat posted the original version in May. Update: David Christiansen has translated the example code to C# if you prefer. OpenID Connect provides a lot of advanced facilities to fulfill many additional features requested by the member community. It is full of features that go beyond basic Authentication. However, that does not mean that it cannot be used for the simple case for "Just Authentication". Using OpenID Connect for Authentication is quite simple. I will use the OpenID Connect Basic Client Profile to illustrate this."


  • First NSTIC steering group meeting set for Aug. 15-16
    "The private-sector group named last week to lead the effort to create a digital identity strategy known as NSTIC will hold its first meeting Aug. 15-16 in Chicago. In addition, the National Strategy for Trusted Identities in Cyberspace (NSTIC) will name in early September the winners of its pilot program to participate in a pilot program."
    [Bob Blakley, Citibank, issued a call to action for all identians to participate. He said, "This is what you've trained for all your life. This is your shot to apply your skill and expertise to something that will make a huge difference. Don't miss this opportunity."]
  • Internet Identity Workshop XV #15 - 2012B
    "Tuesday, October 23, 2012 at 9:00 AM - Thursday, October 25, 2012 at 4:00 PM (PT)
    Mountain View, CA"
  • European Identity Conference 2012
    "May 14 - 17, 2013 at the Dolce Ballhaus Forum Unterschleissheim, Munich/Germany"
  • Cloud Identity Summit 2013 is Heading to Napa Valley
    "July 8-12, 2013 at the Meritage Resort"
    [And, yes, they do allow cigar smoking around the fire pit.]

Cloud Computing

  • Radovan Semančík: Clouds, Interfaces and Monsters
    "Clouds are everywhere. We got pretty much used to that buzzword. Open API Economy is quite new. But it is almost the same. What seems to be the mantra behind "Cloud" and "Open API Economy" is: Do not do it yourself. Scrap whatever solution you have now and replace it with the magic service from the cloud. It is a perfect, easy, cheap and simple solution. Or ... is it?"
  • OpenStack faces the terrible twos
    "OpenStack turns two this week. That means the open-source project -- which fancies itself the Linux of the cloud -- is entering a critical stage of its development process."

Valuable Identity

