Friday, March 07, 2008


PKI and SAML - Friends or Foes

Patrick Harding comments that widespread use of user certificates never materialized and that SAML is a better model...



I figured I would analyze his post to see whether alternative perspectives emerge...

Maybe the issue is that Ping is attempting to do this as part of a sales process and is biting off more than it can chew. Consider that the pharmaceutical industry uses digital certificates extensively, and that the decision to do so was made by a consortium of large entities such as Pfizer, Merck and others. Of course a company such as Ping would love to think about the sales opportunity in selling to this demographic, but the reality is that the sales model may actually be the problem.

Have you considered that the problem might not be the limitations of digital certificates, and that the discussion instead needs to be about the limitations of enterprise applications? Do you think it is possible for Pfizer to let Merck access its Documentum infrastructure by expressing runtime authorization via a standard protocol? The answer is no, because many of the software vendors in the ecosystem have broken authorization models.

It becomes difficult to assert anything at runtime if the software is written around the notion of provisioning upfront. For example, in Documentum I have only two choices: a proxy user, or registering each and every user in advance. A proxy user means every federated caller acts under the same repository identity and privileges, so the repository can neither distinguish them nor audit them individually; the other option means there is no way to assert identity dynamically without provisioning/synchronization. For federation to work in this scenario, you don't need to sell the enterprises; you need to help the other software vendors understand the importance of changing their code.

Maybe the problem is that you are constraining the conversation to something that may not work, or may be sub-optimal, for the vertical you are speaking with. Yes, attributes can be used to make authorization decisions, but there are many scenarios where SAML carrying XACML makes much more sense. Not all authorization decisions fit into name/value pairs, nor is it sane to try to shove them in.
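The following Python is an added illustration of the two points above, written for this page; it is not code from the original post and is not modelled on any real Documentum or Ping Identity API. It contrasts a consumer that can only log in users provisioned in advance with one that accepts an identity asserted at runtime, and then puts an attribute-only check beside a decision that needs subject, resource, action and environment together, the kind of rule XACML expresses. The assertion, issuer, users, study identifiers and agreement dates are all constructed. Signature verification is deliberately left out: a real service provider must validate the assertion's XMLDSig signature, Conditions and Audience before trusting any of this.

```python
"""Provision-upfront vs. runtime-asserted identity, and name/value authz vs.
an XACML-style decision. Editor's example with constructed data; no
signature validation (a real SP must verify XMLDSig before trusting input)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion; issuer, subject and attributes are made up.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.merck.example</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe@merck.example</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="company"><saml:AttributeValue>Merck</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>reviewer</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="studies">
      <saml:AttributeValue>STUDY-17</saml:AttributeValue>
      <saml:AttributeValue>STUDY-23</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def parse_assertion(xml_text):
    """Return (issuer, NameID, {attribute name: [values]}) from a SAML 2.0 assertion."""
    root = ET.fromstring(xml_text)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    subject = root.findtext("saml:Subject/saml:NameID", namespaces=SAML_NS)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", SAML_NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", SAML_NS)]
    return issuer, subject, attrs


class ProvisionUpfrontApp:
    """'Register every user in advance': the table is filled out-of-band, login only reads it."""

    def __init__(self, user_table):
        self.users = dict(user_table)

    def login(self, assertion_xml):
        _, subject, _ = parse_assertion(assertion_xml)
        return self.users.get(subject)  # None: valid assertion, but nobody home


class JitProvisioningApp:
    """Accepts identity asserted at runtime: a record is created on first sight,
    keyed by (issuer, NameID) so two IdPs cannot collide on the same NameID."""

    def __init__(self, trusted_issuers):
        self.trusted = set(trusted_issuers)
        self.users = {}

    def login(self, assertion_xml):
        issuer, subject, attrs = parse_assertion(assertion_xml)
        if issuer not in self.trusted:
            return None
        return self.users.setdefault((issuer, subject),
                                     {"company": attrs.get("company", [None])[0]})


def attribute_only_authz(attrs):
    """All a name/value-pair authorizer can ask: does the subject carry the role?"""
    return "reviewer" in attrs.get("role", [])


# XACML-style rules: a condition over (subject attrs, resource, action, env)
# plus an effect. In XACML these are <Rule> elements; the request and the
# decision travel inside SAML as XACMLAuthzDecisionQuery/Statement.
RULES = [
    ("partner-may-read-own-studies",
     lambda s, r, a, e: a == "read" and r["study"] in s.get("studies", []), "Permit"),
    ("legal-hold-blocks-access", lambda s, r, a, e: bool(r.get("legal_hold")), "Deny"),
    ("outside-agreement-window",
     lambda s, r, a, e: not (e["agreement_start"] <= e["now"] <= e["agreement_end"]), "Deny"),
]


def xacml_style_decide(subject_attrs, resource, action, env):
    """Deny-overrides combining as an XACML PDP would do it: any applicable Deny
    wins, else any applicable Permit, else NotApplicable (a deny-biased PEP
    must refuse on NotApplicable too)."""
    effects = {eff for _, cond, eff in RULES if cond(subject_attrs, resource, action, env)}
    if "Deny" in effects:
        return "Deny"
    if "Permit" in effects:
        return "Permit"
    return "NotApplicable"


# Constructed environment attributes (hypothetical partner agreement window).
ENV = {"now": datetime(2008, 3, 7, tzinfo=timezone.utc),
       "agreement_start": datetime(2007, 1, 1, tzinfo=timezone.utc),
       "agreement_end": datetime(2009, 12, 31, tzinfo=timezone.utc)}
EXPIRED_ENV = dict(ENV, now=datetime(2010, 6, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    _, _, attrs = parse_assertion(ASSERTION_XML)
    print(ProvisionUpfrontApp({"alice@pfizer.example": {}}).login(ASSERTION_XML))
    print(JitProvisioningApp(["https://idp.merck.example"]).login(ASSERTION_XML))
    for study, hold, env in [("STUDY-17", False, ENV), ("STUDY-99", False, ENV),
                             ("STUDY-17", True, ENV), ("STUDY-17", False, EXPIRED_ENV)]:
        print(study, attribute_only_authz(attrs),
              xacml_style_decide(attrs, {"study": study, "legal_hold": hold}, "read", env))
```

The role check answers "yes" for every one of the four requests, including a study the partner is not party to and a document under legal hold; only the rule set, which sees the resource and the environment as well as the subject, can tell them apart. That gap is what a SAML attribute statement alone cannot close and what carrying XACML over SAML is for.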
