Subject Re: Knowledge base for SAML2 product interoperability?
From "RL 'Bob' Morgan" <rlmorgan@xxxxxxxxxxxxxx>
Date Tue, 21 Apr 2009 09:18:34 -0700 (PDT)

It would be nice to have a knowledge base for this kind of issue so that everyone does not need to start from zero.

I participate in OSIS ( OSIS was started as a venue for coordination of open-source projects (and Microsoft) regarding Information Card implementation. It has evolved primarily into a vehicle for doing detailed interop testing, as you can see from that page. This has been just about entirely done by implementers as opposed to deployers, since that's kind of where that technology is these days. It has also evolved to include testing of OpenID implementations (and led to a discovery this week of a major hole in the most-used libraries ...), though there's much less OpenID participation so far.

In the spirit of convergence and inclusion (the theme of a big event I was at yesterday:

), people would like to see SAML testing happen via OSIS too. It is entirely open (no fees, no budget, no t-shirts, ...), and for Information Card at least there has been unashamed multi-vendor participation. So it's an option. For Information Card and OpenID the structure is a list of detailed tests rather than "I tried X with Y and Z and it didn't work", but given the different use and maturity of SAML I'm sure people would be open to different ways of doing things.

Public SAML testing thus far has meant participating in the Liberty formal compliance process, which is big and complete and expensive and marketing-driven. The existence of that stuff has perhaps meant less need or energy for the less-formal kind of testing that has happened via OSIS for the other protocols. I think there's room for both. Creating feature-test lists is a lot of work, which someone would have to do.


 - RL "Bob"