Friday, December 22, 2006
Integrity in comparing SAML vs WS-Federation...
Hubert A. Le Van Gong just put up the most uncredible comparison of SAML vs. WS-Federation I have ever run across. I have to share my two cents...
In his posting, he states that since the comparison was done by the Government of Denmark, it implies impartiality. Nothing personal, but government enterprise architecture is a big fat joke that is not just limited to the folks at the Department of Homeland Stupidity but is equally pervasive in all governments. Notice that they didn't actually share any use cases on how they would actually use federation, merely their conclusions, which seem to not be rooted in anything tangible.
While they have stated requirements, none of them are capable of filtering anything. How long do you think it would take for me to find on Google a government RFP for, say, a J2EE application server, where they ask Sun if they support Java? I bet I could even find a government entity asking Microsoft if they support Windows.
I really love the criteria regarding assessment by analyst companies. I bet they had a really deep conversation with an analyst from a large firm who told them about best practices such as federated identity projects needing executive sponsorship, why you need to figure out a strong ROI, and other cliché phrases that are generally applicable to any IT project. Does this mean that because an analyst isn't covering something, it doesn't provide value? If that is the case, then we all need to throw non-commercial open source in the shitter because it will stop working unless government folks get insight from analyst firms.
The government also desires standards but specifies which standards bodies it prefers (e.g. OASIS). I guess this means that I should also throw J2EE in the shitter because it is not endorsed by my favorite standards body (e.g. W3C). For this to have integrity, they need to define which standards bodies are meaningful in their context and, more importantly, why.
The test of usability in production is also biased, as I am pretty sure that if they had picked up the phone and actually asked Microsoft for references, they would have provided them. Are you saying that they couldn't find a single enterprise on the entire planet that has used WS-Federation in production? I know of several without actually thinking too hard on it. I suspect this is relying on industry analysts too much instead of doing their own homework. Maybe those Danish folk need to talk to us Americans and learn something.
The only criterion that has a scintilla of integrity may be interactions with other standards such as XACML and SPML, which they list as an advantage. You probably know that while SAML and XACML go together nicely, not a single product, including the one from your employer, does anything with it. You might want to check out Pat Patterson of Sun and the same questions I asked of him several weeks ago. Likewise, no one today is doing anything meaningful with combining SAML with SPML in terms of identity management, but I bet some industry analyst who couldn't tell his bleep from a hole in the ground may have led them to believe that this stuff is deployed in production via commercial software and is pervasively implemented...