According to Sai Allavarpu, director of product management and marketing for security and identity management solutions at HP, despite the labeling and promotion, the specs do not promote interoperability at all.
The proposed specifications, the Web Single Sign-On Metadata Exchange (Web SSO MEX) Protocol and the Web Single Sign-On Interoperability Profile (Web SSO Interop Profile), provide syntaxes for disclosing the identity management protocol in use and for translating basic identity elements expressed in those protocols.
Allavarpu terms them negotiation specs between the Liberty Alliance (which has adopted the SAML 2.0 specification) and the proposed WS-Federation spec.
The specs were launched by Microsoft CEO Steve Ballmer and Sun CEO Scott McNealy, with much fanfare, as the first headline deliverable of the year-old antitrust settlement between the two companies.
Both standards have overlapping support from the vendor community. Currently, Liberty is backed by IBM, Intel, Novell, Oracle, RSA, and Sun. Meanwhile WS-Federation is being developed by IBM, Microsoft, BEA, Verisign, and RSA.
“These announcements ask each one to learn both languages,” said Allavarpu. “That is not solving the problem on interoperability.”
For instance, while Sun’s press release describes the proposals as measures to enhance product interoperability, the text from the Web SSO Interop proposal specifies that a common target service implementation MUST support both protocol suites.
“The question is, how is this different from what current products already do? We already have solutions from HP, Novell, IBM and others that already support multiple protocols like Liberty, SAML, and WS-Federation,” Allavarpu said.
Allavarpu characterizes the moves as initial steps. “We are glad to see that Sun is taking some steps to get Microsoft back into the standards fold,” he said.
He called on Sun and Microsoft to throw the process into the open via standards bodies, which both promise to do. Using Liberty Alliance as an example, he says the standards body that develops the spec should be comprised primarily of users, not vendors.
At the end of the day, Allavarpu wonders whether the world needs multiple single sign-on protocols anyway. “SAML is more mature. WS-Federation has some good features as well. But does the market and the industry need two standards?” he ventured, suggesting the solution would be a convergence of both.