SAML with Joni Brennan, Paul Madsen and Prateek Mishra
Vittorio Bertocci: Buongiorno everybody and welcome! This is Identity, Unlocked. And I'm your host with Vittorio Bertocci. Identity, Unlocked is the podcast that discusses identity specifications and trends from a developer perspective. Identity, Unlocked is powered by Auth0 in partnership with the OpenID Foundation and IDPro. In this episode, we are going to discuss SAML, one of the most successful protocols in the history of identity. Someone has once declared that in a conference session 10 years ago, the recently passed identity giant Craig Burton. What he meant with that controversial statement was that although SAML enjoyed and still enjoys today, widespread adoption, that the specification was done. Hence, future scenarios were going to be handled by something else. 10 years later, OpenID Connect did emerge as a more modern approach. SAML is still a huge source of business for so many companies in our industry. For this reason, I thought to invite some of the protagonists of SAML to put this fundamental piece of our industry in perspective. And to do that, I'm doing something that I've never done in the history of Identity, Unlocked. I've invited three guests, three. Not one, not two but three. We have Prateek Mishra, Senior Director for Security Architecture at ADP. He was editor for SAML 1.0 and SAML 1. 1 specifications. He was the Co- Chair of OASIS SAML Committee and the Editor of the SAML 2.0 Conformance Specification. Then we have Paul Madsen, Head of Identity at HBAR Foundation, Editor of SAML Authentication Context Specification. And we have Jonni Brennan, President of DIACC, former Technology Expert Group Senior Program Manager, Liberty Alliance also known as chief cat herder of SAML Software Engineers. Welcome folks.
Joni Brennan: Hello.
Prateek Mishra: Glad to be here.
Paul Madsen: Are we protagonists or antagonists?
Vittorio Bertocci: Most definitely protagonists. So it is tradition of Identity, Unlocked that we start with the guests sharing their trajectory because usually people stumble into Identity. Identity is not often destiny, but it's just happenstance. So we are really interested in knowing how you ended up working in Identity with particular attention to your involvement in SAML. And given there is so many of you, we need to try to go with a condensed version. So Prateek, can we start with you? How did you end up working in Identity and in SAML, all the way to your current position today?
Prateek Mishra: Sure. Yeah. It goes back a little ways. SAML, as you know, originates in the OASIS in the 2000s. And at that time I was working for a company that had done a lot of good work in single sign on, which was a new idea then, still is to some people. The idea that you could log in and use the same credentials against lots of services at a company or a website. And they had this problem that once you logged in to a certain company or a website, then they wanted to transfer that information by some means to another website or to another company. And there was a lot of ferment at that time and that's basically how I got into Identity and then got into SAML. I haven't worked in Identity for a long time now, but I still do work in security and I enjoy staying in touch with the SAML alumni and in keeping an eye on the OIDC specs as well.
Vittorio Bertocci: Very nice. Thank you. Ultra fast. Paul, do you want to go next?
Paul Madsen: Sure. Well, I did indeed stumble into Identity. I actually stumbled into SAML because I had been working at another company and had some experience with SGML, Standard Generalized Markup Language, the ancestor of XML, a markup language that SAML used. So I had no expertise or experience in security or identity, but I had experience in XML. So I was hired by an enterprise identity management company to represent them on SAML.
Vittorio Bertocci: Can we name the company or do we need it to-
Paul Madsen: Sure it was Entrust. So historically a PKI company that was trying to evolve into that single sign on space that Prateek just described and they saw SAML coming and I guess they identified a need for XML expertise. So I became the XML guy and by proxy, the SAML guy. I started participating in the security services TC that was defining SAML with an absolute lack of insight or expertise on how the web worked and what SAML was building. So it was a fun initial period.
Vittorio Bertocci: Fantastic. And from there to today, what happened? Where are you today and what else did you do?
Paul Madsen: I stayed in that federated world and monitored and contributed to some extent the evolution of SAML, OIDC and OAuth, the next phase of that federated model. And then I left that world to join the block space world or the blockchain world thinking I was done with identity and not too displeased with that, but then the blockchain world of DLTs rediscovered identities. So I'm back.
Vittorio Bertocci: Very exciting. Thank you. I'm biting my tongue because blockchain.
Paul Madsen: I know.
Vittorio Bertocci: Very nice. Very nice. Thank you for sharing your story with us. Jonni, how did you end up here?
Joni Brennan: Definitely stumbled into Identity. I really started in the... I knew I wanted to work in the standards space, so I don't know that if that's unique or not, but I thought standards was something very interesting because it wasn't a single company or a single concept. It was really bringing different organizations and people together around a common idea. So I started with IEEE engineering society and I started with ISTO, a sub- organization. And I was working on supporting standards that were developing... And one of them was XML related. So voice XML, for example. And so I was supporting a number of standards that were developing and through that work of supporting multiple different organizations, one organization in particular, the Liberty Alliance was working on identity standards, industry standards for identity. And to me of all the work that was happening in the tech space, I felt that the identity work had a very impactful human quality, and I just felt this was going to be something that was around for a long time and would make a big difference hopefully in our lives for the better. So that's how I got involved. And I think that's also why I've stayed in the space for about 20 years now.
Vittorio Bertocci: Oh. Wow. 20 years. Amazing. And what do you do now?
Joni Brennan: And now I really learned about Identity through supporting the software engineers. So thanks for letting me be in this group, because I'm definitely not the developer. But I help the developers to do what they need to do, I hope. But moving on from that space from Liberty Alliance moved over to an organization, Kantara Initiative. Though I ran that organization for about five years focused on Identity Assurance. And then from there moved over to the Digital ID and Authentication Council of Canada, where we really get to focus on the Canadian ecosystem. And so my Identity a journey has gone from the technical implementation world to then understanding and applying those technical implementations across different risk scenarios and measuring compliance and trust across those different risk profiles and scenarios for standards out in the wild.
Vittorio Bertocci: Fantastic. Thank you so much for sharing your trajectory as well. And I have to say that I'm so happy that you guys agreed to do this because this plurality of experiences, we'll definitely give a very multifaceted holistic view of the thing that we are going to examine, which once again is SAML. So let's dig into it. And I would like to start with Prateek and start from the very beginning. Even before the beginning. What was the problem that SAML ended up being created there for solving? And why wasn't, whatever was available back in the day, not up to the task and something new had to be created?
Prateek Mishra: Yep. Good question, Vittorio. It really sort of goes to the heart. Heart of the matter and even still very important today. So now we are going back to the 00s, right? 2000-2001. So that's Web 1. Amazing, right? So there's all this amazing e- commerce going on. And tiny startups called Amazon doing cool things and all the companies have websites transactional, so on. So the first concept that comes around to single sign on, and there's several companies, I work for a company called Netegrity, which was actually an early pioneer in this space. Netegrity, Oblix, Entrust as Paul mentioned. And all of these companies are selling to enterprises and selling them single sign- on software. So once you log into company X, then you can use all of their services based on a single login. And this is an innovation. And to some extent it still is today. But the challenge then was how do you extend that login to other sites, to suppliers, to other vendors. Because once you've logged into a company and now you want to use a service, which is offered by third party, you would like to not be forced to log in again. And I remember sitting down with some of the managers at Netegrity and people had all these schemes," Well, you can give the partner a little piece of proprietary code so they can perhaps read some cookie we deposit in some complicated way." And it all seemed very fragile and difficult to manage. And some of us were sitting around and talking this through and this idea came that really the act of single sign on should be some kind of a formal object. There should be a representation for it. We already had PKI at that time, that was a representation of identity bound to a name just in the way we understand PKI. So we sat around and thought, once you log in, that's a kind of formal act. They should be a kind of object that captures that in a machine readable way. And then you can convey that to wherever you want to go. And so this idea was then propagated at that time and discussed in the community. And now I want to be a little polemical and give some thanks and knock some heads too, credits and demerits. So who were the people who supported this? And they were people like shibboleth and Internet 2, which is a public sector, publicly funded organization that understood the value of this other early supporters were companies like Sun, our colleague Eve Maler, who is luminary and well known person, still an Identity. And I want to mention two names from Internet 2. RL Bob Morgan, who is now sadly deceased from the University of Washington and Scott Canter of the Ohio State University. And these guys put together the first toolkits, the first concepts. Because the smaller companies that are trying to innovate need this sort of ecosystem, where these ideas can be tried out. And I'm not going to name any names, but some of the largest companies at that time in the 00s were very unhappy about this effort. And if you contact me privately, I will tell you all about what happened. But anyway, through the efforts of the community, this idea of an object that captures the meaning of an authentication in a formal way, which is the SAML assertion, and then the conveyance of that assertion from one party to another, through a well defined protocol, typically through a browser, as another set of protocol exchanges. And all of this goes on 2000, 2003 and the development of SAML 1.0 and 1. 1. And then it begins to get a certain buzz and a certain amount of mainstream acceptance. So that's a canned history of the early days of SAML with credits to some folks, which is, I think not always so well understood or appreciated.
Vittorio Bertocci: Thank you. Thank you for that perspective. It was really great. And by the way, just so we know we are going to talk before the end of the episode about WS- Federation. So some names will... I think more names will float out, but great. So thank you for describing the problem and hinting at some of the moving parts. Paul, I would love to double click on that. And for example, looking at the how. We understood the problem is cross domain single sign on. We heard about the fact that there is an assertion which formally represents successful occurrence of an authentication operation. But can you expand a bit on these? As in what are the moving parts? How did the protocol work? What roles were in there?
Paul Madsen: Sure. I guess I'll say first that by Prateek saying Web 1, he's completely dated himself. Secondly, hardly endorse his endorsement of RL Bob and Scott. They led the way in the early days. As the name suggests, Security Assertion Markup Language. This is what got me my job. It's a markup language by which assertions are made by one entity about some other. And as Prateek described, oftentimes that's in support of a single sign on experience where the assertion is logically, the first website saying," Hey, I just logged this guy in and I did it at Tuesday at 3: 43. And here you go. Here's a nice little packet of information that you can use to make your own decision about logging him in." But that's a very abstract concept. And as Prateek hinted at, you also need to define how you're going to convey that assertion across the web and single sign on is one use case that typically manifests as conveyance of that assertion kind of through browser redirects and maybe some back channel exchanges. But the proposition is that one website is sending this assertion digitally signed. So trust can be established to some other website. There are other so- called bindings of that somewhat abstract protocol. Liberty spent time defining how to communicate or convey assertions over API calls, web calls, the world of WS- Star and WS- Trust and so forth. So there were assertions, there were bindings of that somewhat abstract protocol to particular protocols, HTTP and comparable, and then also important were profiles. You want to leverage this somewhat generic abstract concept of assertions to achieve something particular and single sign on was the most notable profile. I'll say that I found that logical structure that SAML defined of bindings and profiles very intuitive. And I haven't seen it since. I've participated in other standards bodies since I still oftentimes reading a protocol spec and say," Okay, well, where are you going to define your bindings to whatever protocol you're using?" And I'll just say," I have to plug the SSI world of DLTs." We are just a new binding in some sense for assertions like any other identity protocol.
Vittorio Bertocci: So let's dig a bit more in there. Tell me about the relationship between things like service providers, identity providers, relying parties. You mentioned that Website 1 and Website 2, but is there anything more we can say about the formal roles that these various websites can play?
Paul Madsen: Like every standard SAML redefine terminology and said that the first website was an identity provider and the second website that was going to consume these assertions and essentially rely on the authentication performed by the first was the service provider. Other protocols have called those issuers and verifiers, but logically it's all the same. Every one entity verifies some identity facet about it, subject a user on a website, and then communicate, asserts, makes claims those identity aspects to somebody else.
Vittorio Bertocci: That makes complete sense. And SAML had a lot of firsts. For example, I think it was SAML that introduced the idea of Metadata describing identity providers, right?
Paul Madsen: So I won't claim that SAML was the first. My memory, my sense was that we realized there was a need to describe the quality of an authentication. As you say, the Metadata around how authentication was performed. Was it just password? Was it something stronger? How was the identity issued in the first place? What were the identity proofs? And that was the motivation for authentication context, which as the name suggests was additional information beyond the mere fact of authentication to the service provider or the relying party, the information that they might need to make a better informed decision about," Well, I know he is logged in, but is he logged in sufficiently for what I want to do with him?".
Vittorio Bertocci: Yeah. And it was where the famous claims that we hear talking about so often. I think that one of the things that I really liked back in the day was that you could package the information that the service provider needed to know. And you could just send them in these nice verifiable format and then you didn't have to call back home. That's potentially all you needed was there. And so it was a very nicely distributed model, as opposed to some of the models right before, if you remember CORBA in which you had permanent addresses and you needed to pierce firewalls, instead in here, you guys managed to invent something that it didn't have to pierce any firewall, right?
Paul Madsen: Well, again, but there were different bindings. Some of which pushed everything over the front channel. And some of which relied on essentially an API call back to the identity provider to retrieve the assertion itself, the so- called artifact binding.
Vittorio Bertocci: So you are now in decentraland, so you probably don't have to deal with SAML much. But as far as I can see, it looks like the main profile and bindings that survived and thrived to this day are mostly the front channel ones in which people use these for doing web single sign on and the APIs instead are handled by something else. Do you have a different experience?
Paul Madsen: No, I think that's fair. I expect that SAML manifests most often these days in employee single sign on into SaaS. So it's manifesting in the front channel. The proposition is some employee signs into their corporate account and then is able to be presented with a grid of SaaS applications that are appropriate and relevant to their role. And that might manifest in the mobile as well. But fundamentally, it's the same use case.
Vittorio Bertocci: Yep. It's definitely the same use case. And tied to this, I'm wondering if we can do another step back and make some clarity about who made SAML... There are so many different words that are floated around like Liberty Alliance, OASIS or there are many different entities and actors and it's not always clear what... Who did, what, when. So I'm wondering Joni, if you could step in and bring some clarity to those matters.
Joni Brennan: Sure. I'll give it a shot. Thanks, Vittorio. I mean, it's a great question. And especially for something that's been around for quite some time, maybe some of it can be taken for granted a bit. I think Prateek mentioned early on OASIS. The OASIS Standards Organization. SAML got its start in the Security Services Technical Committee, the SSTC really it's got at first start back in the early Ops 2001 is when that work began SSTC in the OASIS Organization. I think it was just about within a year later, really the first versions of SAML were published building on and bringing in influences from S2ML off XML. So building on those shoulders of giants, of course. So, yeah. So about a year of work into, with OASIS for SSTC for SAML 1.0, I think these types of standards, they don't exist in vacuums. And so we have multiple organizations kind of building on ideas and working with those ideas and extending them. And so while this work was happening within OASIS, another organization, the Liberty Alliance, which was a non- for- profit, nonprofit consortium of different companies and different government organizations and universities. This organization started and really worked to propose, make proposals on how to extend and how to build on to the SAML specification. And so you have the core work happening within OASIS, and then you have the Liberty Alliance. Well, if the core work of OASIS really was around enabling that SSO service provider, relying party relationship, some of the work that Liberty Alliance started to do was to extend that out and to look at how SAML was deployed in a context of a Federation, a Federation framework. And this really brought us to what Liberty published was the IDFF and this is the Identity Federation Framework. So we can think about, this is early looking at this network ecosystem, and we're still in this network ecosystem today. And definitely as we look at the DLT space and the blockchain space networks are at the forefront in terms of information sharing. So the core technical work of OASIS, and then that extended work of Liberty to put the SAML work in an extended ecosystem that started to define things like a circle of trust, how multiple organizations could multiply that SSO, the power of that SSO and how that SSO could happen in cross domain, cross industry ecosystem is really kind of work that Liberty Alliance kind of brought into that ecosystem to extend and expand the work that happened at OASIS to begin with.
Vittorio Bertocci: Great. So Joni, almost 20 years have passed. So I think it's fair game for me to say that the rumor back in the day was that the Liberty Alliance was founded because people were concerned about the growing influence of Microsoft in this space. Would you say that was the case or any comment that you feel you would you'd want to say? Again, we are talking about 20 years ago, so it's a completely different world. And so I'm sure that Microsoft is not the same Microsoft back in the day. So hopefully whatever we say in here will not rub anyone the wrong way. We are talking about ancient history.
Joni Brennan: What a fun question, Vittorio. Thank you. Thank you for this one. So I would say that it's fair to say that at least in my own perception, part of the value of working as a consortium to develop a standard is to ensure that there is as much as possible a level playing field that more than one organization can participate in that ecosystem and that we can measure their participation by the same ruler, by the same stick in terms of what they're providing. So you can imagine that on a topic as human interactive and connected as identity, there is even more of a concern around a singular organization being the... I'll make some air quotes. Being the owner of that particular capability. And so I think it's fair to say that within the identity standard space and within Liberty Alliance and with others, there's always been a push to try to ensure that there is a level playing field and not a single organization who is owning and monopolizing, not to say that anyone was but that risk is mitigated through the work of standards. Now that said in the standard space, everyone comes to the table with an agenda purposefully. So every organization has their piece and their competitive edge. They want to bring into that table, but definitely an identity at because of that human interaction. I think that it was it's palpable and fair to say that there was a desire to make sure that there wasn't a singular manipulative force.
Paul Madsen: The context that Joni didn't mention is that Microsoft had its passport solution, which was a single sign on solution. But as Joni hinted at, a single provider, the proposition from Microsoft's point of view is that everybody would necessarily be directed back to Microsoft for login. Same experience as that which SAML was trying to enable, but more centralized.
Joni Brennan: I think that... And the interesting part of the story is that if you stay around long enough, the heroes and the villains, if you will, switch their roles eventually. And so there were concerns around Passport and a singular solution domination, as we saw rise in OpenID Connect, I think there was also concern around the consortium of organizations that were moving identity forward in Liberty Alliance. And so round and round we go and we continue to build on the advancements of the group that came before us.
Paul Madsen: Joni, I contend that Liberty was doing what we were doing solely for the benefit of mankind. There were no financial...
Vittorio Bertocci: Great. And before we move away from the topic, I just want to take the opportunity to position WS- Federation, given that just like SAML, although, well, not at the same magnitude, but it's a protocol of it's still around. So can you guys frame these in the context of this history for me?
Paul Madsen: My sense at least was WS- Federation was important because Microsoft thought it was important. But my sense at least was no one else did, right? If you were a Microsoft Shop, your default was to use that which was free and easily provided through the Microsoft Stack. And that WS- Fed. But if you needed to engage with any other partner who wasn't a Microsoft Shop, then you were motivated to either replace WS- Fed with SAML or support SAML as well.
Vittorio Bertocci: And to the benefit of our audience, WS- Federation was a web single sing on- well, IS a web single sing on protocol. That was the default for a few years on Microsoft products. And to be fair. Now it's many years that Microsoft supports SAML across the board. So again, just wanted to double down and stress on the fact that we are talking about ancient history and that the situation today is dramatically different from what it was back in the day.
Paul Madsen: And I think Vittorio, just quickly, it highlights... There's been a number of different protocols by which you achieve this basic functionality, SAML WS- Fed, OIDC. They're all trying to do the same thing with different schemas and different assumptions about back channel, front channel. We keep reinventing things. That's okay that the latest generation argues there's value in a blockchain or a DLT underlying some of that. But we're all doing the same thing.
Vittorio Bertocci: Given my unfair position as a host, I choose not to comment on your last statement about who are actually the heirs of this. And actually I would go to today, let's say that we described what happened in the past, and we got a good framing of how SAML came to be. We know that today it's still in use because it had this incredible success in business, in government, in various verticals. So it's definitely still in use. However, who owns this specification today? And is there any new work happening on this? Joni, I'm looking at you for this.
Joni Brennan: Yeah. I think it's fair to say... Well, at least my understanding. SAML has had its last update around, I think his last version was published in 2003. No, let me correct myself, 2005. So we're going back a number of years here, we're going back to OASIS. So I would have to say if there was a kind historical owner at this point, it would be within the OASIS ecosystem. But that said, I think that it's also fair to say that SAML hadn't has a life of its own, in terms of different implementation profiles. The SAML 2 profile in the academic space as the SAML profile, different governments have different SAML profiles and SAML will still exist in use in implementation profiles at the enterprise level. So it does have a little bit of that distributed of life ongoing property to it. But that said, if you are looking for which committee, which listserv should you be going to get that single log out or that particular functionality that you're looking for. I don't think you're likely to see that. You're not likely to see too much more massive innovation in that space. It's been pretty stable for a while and does live on in those enterprise scenarios and some academic spaces and universities and the like.
Paul Madsen: Neither has the American railway gauge changed in 200 years. It was normalized. It's does its job. People use it.
Prateek Mishra: No question there. Jumping in, I also want to comment briefly on some of the challenges with SAML, which are also well known. So one of the challenges was of course, the use of XML digital signature and XML canonicalization, which was an older technology, a very complex technology. And of course, as a working engineer, it turned out to be not as interoperable as one would like. And one of the strengths of OIDC is by using a simpler representation, right? JWTs and JSON objects. And in fact, building out a whole family of simpler signature specs, right? Interoperability has been a lot stronger. So in that sense, there's almost a generational move. And that's an interesting aspect of SAML. XML gave it some bed rock foundations, but the signature challenges of interoperability of XML signature was always a challenge. And so we see the move forward with OIDC with JSON, JWTs and JSON signature models. So that's another piece of the puzzle there. Yeah.
Paul Madsen: It's also on OIDC. Vittorio, you know that the SSI community is trying to reconcile their world with the federated world. Right. So yeah, no one where would argue that SAML is the appropriate place to build Web 3 or Web 2. 5, whatever, whichever Web you want to build. SAML served its purpose. It's functional, but it's not where we're going to build the next.
Vittorio Bertocci: Wonderful. Thank you. And I love to agree with almost everything you just said. And Joni, I'd say that we are making this, our parting words, given that you guys are being so nice and available, but we are running short of time. So what do you think? What's your comment about the future of SAML and the industry?
Joni Brennan: I really like what Paul said. I think that in terms of... Once you have a tool and what that tool does, and you use that tool... Working in the standards world for quite a while now, I rarely have I seen a standard actually completely deprecated and go away. And once it's proven some utility, it tends to stay in that space and hang on until there's a really good reason for it not to. So SAML certainly was innovative at the time, solved problems, drove innovation was foundational for innovation around Federation and the world of where networks are going. I think that inspired and informed the next layers around OpenID Connect and where OpenID connect has gone. And I certainly think that in turn has inspired verifiable credentials and SSI. So I think that the idea that we will have a singular standard and a singular solution and a singular approach is just not consistent with the way of the world. So I think we'll see SAML around as it is for a while. And we'll see how the Web 2. 5, Web 3 and that space evolves and how we'll... The whole new set of issues that we'll have with the incoming family of standards in the identity spaces evolving.
Vittorio Bertocci: Wonderful. Thank you so much. And I want to thank all three of you, despite it being so many. I think that we managed with you somehow maintain some order and follow a nice narrative backbone. So thank you so much for your availability and for your insights. Maybe couple of years from now, we'll do these again and we can gauge where SAML is.
Joni Brennan: Thanks for cat herding us.
Paul Madsen: I don't want to be talking about this in a couple of years. Thank you, Vittorio.
Prateek Mishra: Great, great, great session, Vittorio.
Vittorio Bertocci: And thanks everyone for tuning in. Until next time. Thanks everyone for listening. Subscribe it to our podcast on your favorite app or @ identityunlocked. com, until next time. I'm Vittorio Bertocci. And this is Identity, Unlocked. Music for this podcast is composed and performed by Marcelo Woloski. Identity, Unlocked is powered by Auth0 in partnership with the OpenID Foundation and IDPro.
In this episode, Prateek, Paul, and Joni bring us back to a time in which single sign-on across domains on the web was a brand new problem. With the confidence (and the passion!) of the people who were there and made things happen, the guests take Vittorio and the listeners on a whirlwind tour touching on the technical and political challenges they had to overcome to bring SAML to life and make it the ubiquitous success it is today. From the basics of how the SAML protocol works to the entities and standard bodies that developed it, the discussion eventually reaches modern times and concludes on how in a world where old and new standards coexist, OpenID Connect picked up the innovation torch from SAML.