SAML Sets Sail

According to Dave Kearn’s post (H/T, Matt Pollicove & Lance Peterman) it makes little sense to continue developing for SAML, that is, it is headed down the legacy path.

… Craig stood up at the podium and announced to the world: “SAML is dead.”

This was off the chart because, well, SAML (Security Assertion Markup Language) is at the heart of most of Ping Identity’s products. And Ping Identity was our host. Predictably, Ping employee tweets immediately sought to reassure their followers that SAML was alive and well. What they neglected to take into account, though, was context.

Context is important for Identity Services as I’ve said over and over again for at least 10 years (see “Identity and privacy: it’s all about context”). But context is also important for understanding the spoken word.

While Mr. Kearns has been saying context is important for ten years, the rest of educated civilization has known about it since at least Aristotle and formally since the medieval period and ignoring it.  When people respond emotionally to a claim “SAML is dead.”  It’s because the claim is having its intended effect.  Context-less shock value remarks are designed to excite.  Sound bites become tools of mass media perception management.  Opponents are taken out of context intentionally; when strong emotions kick-in, we stop reasoning.   There is always someone declaring one thing or another dead that is not.  Nietzsche declared God dead which caused a lot of furor.

Along those lines, Kearns notes the following in his article.

Most of the other analysts agreed with Craig (as did many of the attendees, especially those who were in his audience.) Some pointed out that other, seemingly dead, authentication protocols (such as IBM’s RACF and Top-Secret) were still used by many as were programs written in COBOL.

But far from being an argument against Burton’s pronouncement these are actually supporting evidence for his claim that SAML is dead. Because RACF and COBOL are also “dead,” at least in the sense Craig meant.

Good point and it pays to remember that technology does not disappear from the earth; no technology is ever really dead.  Can you still purchase, Windows for Workgroups, a typewriter, a stone ax or tan a hide with brains?  The question is rhetorical.  Pick up a Sears & Roebuck catalog from the late eighteen hundreds, you will find every item listed still available from someone.

So when people say a technology is dead they really mean it has moved closer to obsolescence.  All technologies, whether original, re-invented, rediscovered or misused from ignorance (XML for data management) will follow the S curve evolutionary path.  This has been generalized from observation across many complex systems.

Finally, it doesn’t surprise me that SAML is on the way out, in fact, I am just surprised it was used at all.  Anything we wish to represent in a computerized database requires that we build a conceptual model discarding items as we go.  Sometimes we start with simple models, adding layers of complexity as we go, other times we start with really complex models, adding confusion as we go but in both cases conceptual modeling is subjective, it is in the “eye of the beholder” as the cliche goes. And to do this process well,  it is essential that we begin with a good definition of terms  to remove ambiguity so that our model is internally consistent and used consistently.  Whenever the meaning of terms changes in a way that is not a simple extension, our “model is dead” so to speak and we are really starting a new conceptual model.  This can happen when the process/system outside we are modeling changes in an observable way, our understanding of the process changes, or a large vendor needs to sell a new solution into which they poured a lot of money and it doesn’t fit into the old model.  When this happens, industry standards groups are formed or even better the government is co-opted into making it law so it can resist innovation and all efforts to improve.

Once the concept model is built we need to capture as much meaning as possible in the computer and structure that data so we can manipulate it with constraints acting as meta-data.  Typically we do this with a database.  Once the data is stored we will need to periodically exchange it which means that we only need to know what it is we are passing (the data) and it what it means (the conceptual model).  It does not follow that one must use xml to accomplish the foregoing and since xml is hierarchical we have to parse a lot of paths to get to the data, that is not particularly easy for large specifications.  Therefore, it comes as no surprise that SAML is on the way out.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s