Simon Fell > Its just code > July 2005
Over on the sforce blog Benji outlines some of the issues we ran into developing SSO for salesforce.com, in particular why a pure SAML approach doesn't work for us. (But BTW, if you think SAML is the best thing since sliced bread, you can still use SAML with our solution.) There are issues over supporting SAML in all the different ways to communicate with our service (web based app, XML-RPC, SOAP), but by far the bigger issue is that there's no standard bootstrap. What I mean is, yes, there are standards for sending that SAML assertion over SOAP, but there's no standard to get that SAML assertion to start with. What's missing from the SSO picture for web services is the discovery phase: as a WS-Client, how do I find out where I can get a SAML assertion from, and once I've found one, what do I need to send to that service to get a SAML assertion? Various vendors have solutions to this problem (and they're all different), but there doesn't appear to be any standard in this area. cmort suggested that InfoCard might solve this, but that seems a long way out. Who out there is doing SSO for Web Services work?
I worked on the Single Sign On features in Salesforce.com, so it's great to see Sxip step up and offer a complete end-to-end solution for it. Secure Single Sign-On and Centralized User Management Now Available for Salesforce.com.
JavaOne has been and gone. I wasn't there the whole time, but it was by far the largest conference I've been to. The sessions were a mixed bag, most of them too much like marketing efforts and not enough technical details for me, but Rich Salz's session on web services security was excellent. The panel session I was on seemed to go well (feedback welcome if you were in the audience). I'm hoping to get time soon to write up my current thoughts on interop, as I realize most of them are spread over a couple of years' worth of blog posts.