IDABC's eGovernment Observatory brought this story out in English yesterday: The Danish IT Architecture Committee has decided to stand firm on SAML 2.0 as the recommended standard for federation.
Once available in English, the story quickly spread internationally. SecureID News basically copied the IDABC story: Danish Government says ‘yes’ to SAML 2.0 and encourages Microsoft to support those specifications. Computer Business Review followed up and talked to Liberty Alliance: Identity next public sector battleground for Microsoft?
There is more to the story, though. First, the decision is more than a month old. The National IT Architecture Committee made its decision on 21 March. They did send out a Danish press release at the time, but it took a while for the news to get out internationally. [maybe I should have blogged it …]
Anyway, let me dig into the story a bit, because there is more to it than the international coverage caught. Basically, the committee decision was about an open letter to Microsoft. Written by my former colleague Søren Peter Nielsen of the IT-Strategic Office in the Danish Ministry of Science, Technology and Innovation, and sent via Microsoft Denmark to Don Schmidt, senior program manager for Microsoft’s Identity and Access group, the letter is worth quoting at length:
In the Danish Ministry of Science, Technology and Innovation we have the responsibility to select and recommend IT standards for public sector usage as well as to create shared services for the public sector. This work is undertaken in an open process that involves all levels of public sector institutions.
The Danish public sector decided early in 2005 to recommend using SAML 2.0 for federated identity and access management. This was among other things based on the momentum for the standard in product support from various suppliers, plans for actual usage in public sector solutions worldwide, proof of interoperability through testing, and, also very important, SAML 2.0 being a ratified OASIS standard.
We now understand that Microsoft has chosen not to support SAML 2.0 in the add-on to Active Directory that you have brought or soon will bring to market.
We would like to understand your motivations for not supporting SAML 2.0, as basically every other supplier of identity and access management solutions supports – or plans to support – SAML 2.0. So far our only source of information has been news articles (as here) about your decision not to support SAML 2.0. These articles may not contain a valid representation of your message, and even if this is the case, their content really doesn’t help us understand the Microsoft motivation. Based on this I have asked Anders to forward the following questions to you:
Does the article faithfully reflect the essence of your motivation for not supporting SAML 2.0? Assuming this is more or less true (and I will ask you to respond in all circumstances):
- You are cited saying: SAML 2.0 protocols are fine for strictly Web single sign-on. In your view, is the exchange of attributes and assertions about access rights a part of Web single sign-on? Or do you assert that SAML 2.0 isn’t well suited for these tasks?
- You are cited saying: SAML 2.0 does not have reliable messaging or transaction support. As far as we can tell, neither does WS-Federation, and obviously such functionality should be covered in standards that focus on reliable messaging and transactions, so is your position that SAML 2.0 will not work well with the standards for reliable messaging and transactions that OASIS is working to finalize?
- What other motivations does Microsoft have for not supporting SAML 2.0 in the currently released product?
Assuming the article is not true:
- Can you supply us with the correct information about why Microsoft does not want to support SAML 2.0 in its current product?
- We understand that Microsoft has a big interest in WS-Federation, as Microsoft has been the main driver in developing the specification. However, in the marketplace we see several vendors whose products support several standards, such as SAML 2.0 and, at the same time, the WS-Federation specification, to allow customer choice. This tells us that it is a feasible task to add product support for both SAML 2.0 and WS-Federation. So even though Microsoft may feel that SAML 2.0 isn’t as well suited for the vision Microsoft has for federation in the future, why don’t you support it and let your customers decide?
If you feel Microsoft supports customer choice in the federation space while not supporting SAML 2.0, can you please elaborate on what kind of choice it is that you support? Will Microsoft support SAML 2.0 in future products?
I know Søren Peter is on holiday, so I can’t yet ask him whether he got a response. I’ll be sure to ask him as soon as I see him. [Disclaimers: a. I work for OASIS (SAML is an OASIS standard), and b. I was heavily involved with making SAML a Danish standard when I worked in the ministry.]