Simon Fell > Its just code > SSO Token discovery

Thursday, July 28, 2005

Over on the sforce blog, Benji outlines some of the issues we ran into developing SSO for salesforce.com, in particular why a pure SAML approach doesn't work for us (but BTW, if you think SAML is the best thing since sliced bread, you can still use SAML with our solution). There are issues with supporting SAML across all the different ways to communicate with our service (web-based app, XML-RPC, SOAP), but by far the bigger issue is that there is no standard bootstrap. What I mean is: yes, there are standards for sending that SAML assertion over SOAP, but there's no standard for getting that SAML assertion in the first place. What's missing from the SSO picture for web services is the discovery phase: as a WS client, how do I find out where I can get a SAML assertion from, and once I've found such a service, what do I need to send to it to get a SAML assertion? Various vendors have solutions to this problem (and they're all different), but there doesn't appear to be any standard in this area. cmort suggested that InfoCard might solve this, but that seems a long way out. Who out there is doing SSO for Web Services work?