I intended to make this my first live blogging entry from Digital Identity World this week, starting with Kim Cameron’s talk on the Laws of Identity. As expected, it was packed (in fact it needed a larger room — at least 30 folks were standing.)
But as it ended I was engulfed in followup conversations. Then Dick Hardt did a very cool presentation about Identity 2.0 and what it really means for it to be user-centric. (I’ve never seen a presentation in the style of Larry Lessig, to whom Dick attributed the format, but I’ll never think about powerpoint the same way again.) After that I got into a deep discussion with Paul Trevithick and Andy Dale about XDI architecture, which led to a highly enlightening conversation with Jamie Lewis in which he explained to me how he thinks the marriage between SAML and WS-Trust will really work.
Here’s the simple way to put it: if WS-Trust is “tubes for tokens” (Kim’s great phrase that for me immediately conjures up the byzantine pneumatic plumbing system in the movie “Brazil”), then SAML 2.0 is the “default token”. According to Jamie, WS-Trust provides a really good token tube, one that has smart “transformers” at each junction that can transform from one token format into another (what Kim calls “claims transformation”). But WS-Trust doesn’t know anything about the tokens. SAML, on the other hand, defines a very good token format, but not as strong a “token tube”.
So, put the two together by shipping primarily SAML tokens over a WS-Trust tube, then transforming them when necessary into other token formats like Kerberos or X.509, and you have a pretty good solution for interoperable identity assertions.
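To make the "tube" versus "token" split concrete, here is a toy version of the exchange in Python. This is an added example, not code from the post or from Jamie's or Kim's work: the WS-Trust, SAML 2.0 and WS-Security token-profile namespace URIs are the real ones, but the STS, its claim-mapping table, the hypothetical `urn:example:toy-token` target format and the `ToyToken` element are all constructed for illustration. The STS does no signing and no signature verification, which a real one must do on the incoming assertion before trusting a single claim in it. What it shows is the point in the paragraph above: the WS-Trust RequestSecurityToken never looks inside the token it carries, while the STS at the junction reads the SAML claims and re-issues them either as SAML again or as a different format.

```python
"""Toy WS-Trust "token tube" carrying a SAML 2.0 "default token".

Namespaces are the real WS-Trust 1.3 / SAML 2.0 / WSS SAML token profile
URIs. The STS, the claim map, and the ToyToken output format are
hypothetical and exist only to demonstrate claims transformation.
No XML signatures are produced or checked (a real STS must verify the
incoming assertion's signature and issuer before using its claims).
"""
import xml.etree.ElementTree as ET

WST = "http://docs.oasis-open.org/ws-sx/ws-trust/200512"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SAML2_TOKEN = "http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0"
ISSUE = WST + "/Issue"
# Hypothetical second token format a downstream service understands.
TOY_TOKEN = "urn:example:toy-token"
# Hypothetical claims transformation: IdP attribute names -> names the
# relying party expects. Anything not listed is dropped on purpose.
CLAIM_MAP = {"urn:example:idp:mail": "email", "urn:example:idp:dept": "department"}


def build_saml_assertion(subject, attrs, issuer="https://idp.example"):
    """Minimal unsigned SAML 2.0 assertion with one AttributeStatement."""
    a = ET.Element(f"{{{SAML}}}Assertion", Version="2.0", ID="_a1")
    ET.SubElement(a, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(a, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID").text = subject
    stmt = ET.SubElement(a, f"{{{SAML}}}AttributeStatement")
    for name, value in attrs.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", Name=name)
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return a


def build_rst(token, want_type):
    """The tube: a WS-Trust Issue request. It carries the presented token
    opaquely under OnBehalfOf and names the token type it wants back."""
    rst = ET.Element(f"{{{WST}}}RequestSecurityToken")
    ET.SubElement(rst, f"{{{WST}}}RequestType").text = ISSUE
    ET.SubElement(rst, f"{{{WST}}}TokenType").text = want_type
    ET.SubElement(rst, f"{{{WST}}}OnBehalfOf").append(token)
    return ET.tostring(rst)


def extract_saml_claims(assertion):
    """Read (subject, {attribute name: value}) from a SAML 2.0 assertion."""
    subject = assertion.findtext(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    claims = {at.get("Name"): at.findtext(f"{{{SAML}}}AttributeValue")
              for at in assertion.iter(f"{{{SAML}}}Attribute")}
    return subject, claims


def transform_claims(claims):
    return {CLAIM_MAP[k]: v for k, v in claims.items() if k in CLAIM_MAP}


def sts_issue(rst_bytes):
    """The junction: parse the RST, read the SAML claims, re-issue them in
    the requested format inside a RequestSecurityTokenResponse."""
    rst = ET.fromstring(rst_bytes)
    if rst.findtext(f"{{{WST}}}RequestType") != ISSUE:
        raise ValueError("only Issue is supported")
    want = rst.findtext(f"{{{WST}}}TokenType")
    incoming = rst.find(f"{{{WST}}}OnBehalfOf/*")
    if incoming is None or incoming.tag != f"{{{SAML}}}Assertion":
        raise ValueError("expected a SAML 2.0 assertion on the tube")
    # A real STS verifies the assertion's signature and issuer here.
    subject, claims = extract_saml_claims(incoming)
    rstr = ET.Element(f"{{{WST}}}RequestSecurityTokenResponse")
    ET.SubElement(rstr, f"{{{WST}}}TokenType").text = want
    rts = ET.SubElement(rstr, f"{{{WST}}}RequestedSecurityToken")
    if want == SAML2_TOKEN:
        rts.append(build_saml_assertion(subject, transform_claims(claims),
                                        issuer="https://sts.example"))
    elif want == TOY_TOKEN:
        tok = ET.SubElement(rts, "ToyToken", subject=subject)
        for name, value in transform_claims(claims).items():
            ET.SubElement(tok, "Claim", name=name).text = value
    else:
        raise ValueError(f"unsupported TokenType {want}")
    return ET.tostring(rstr)


def issued_token(rstr_bytes):
    """Pull (TokenType, subject, claims) out of an RSTR for either format."""
    rstr = ET.fromstring(rstr_bytes)
    ttype = rstr.findtext(f"{{{WST}}}TokenType")
    tok = rstr.find(f"{{{WST}}}RequestedSecurityToken/*")
    if tok.tag == f"{{{SAML}}}Assertion":
        subject, claims = extract_saml_claims(tok)
    else:
        subject = tok.get("subject")
        claims = {c.get("name"): c.text for c in tok.findall("Claim")}
    return ttype, subject, claims


if __name__ == "__main__":
    # Constructed sample input: an IdP assertion with one attribute the
    # relying party does not need, which the transformation drops.
    saml = build_saml_assertion("alice", {"urn:example:idp:mail": "alice@example.org",
                                          "urn:example:idp:dept": "eng",
                                          "urn:example:idp:ssn": "do-not-forward"})
    print(issued_token(sts_issue(build_rst(saml, TOY_TOKEN))))
```

Note that `build_rst` and `sts_issue` only agree on the WS-Trust elements; the SAML assertion is treated as a blob by the tube and understood only at the junction. That separation is what lets the same RST carry a Kerberos or X.509 request instead, as long as the STS has a transformer for it, and it is also why the signature check that this toy omits belongs in the STS, not in the tube.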
We’ll see how closely this matches Jamie’s presentation tomorrow morning (always one of the highlights of the show), but it sure helped my understanding.