Am I reading this right? Seriously?
Like many people, when I read that the next release of the Domino Server and Client was going to support OAuth and SAML, I was pretty happy with that. I've been a bit late getting around to looking at the beta, though -- after all, IBM has made it quite clear that my opinion isn't all that welcome any more -- and I'm just now reading the documentation on how IBM is going about this. I'll know more when I talk about this stuff next week at BLUG, by the way.
First SAML. I know a fair bit about SAML. I have 3 binders next to me with the spec printed out. Three full 1" ring binders printed double sided. It's not a simple specification. I've even written my own SAML 2.0 "SP" tools for Domino. That is to say, I have software that can participate as a service provider, logging end users in to the Domino server who authenticate with an off-site SAML identity provider server. Now, mine is not 100% complete yet. It doesn't support the entire protocol suite -- just the parts that my customers have needed so far.
When I read about the way IBM Domino supports SAML, I have to say -- it would not work in any of the three production customer sites where I know my code is running. Now, I could be wrong, as I haven't dug too deeply into it yet -- but reading the documentation, here's where the SAML implementation that I see so far falls apart.
1. It supports only "Microsoft Active Directory" and "Tivoli Federated Identity Manager". Well, so far I've seen 4 different SAML implementations and not a single one of them is using either of those products. The product that I'm seeing used out in the marketplace is almost overwhelmingly "Oracle Federated Identity" (which works with Oracle Identity Manager). Now, I see no reason why this wouldn't work, but it's not supported according to the documentation. I'll have to try it when I get time.
2. It doesn't seem to support authentication in cases where you are not using the ID Vault. None of the sites I've talked to are using the ID Vault at this time.
3. It doesn't seem to support logging in someone who does not have a Notes ID and Person Document on the server. None of the sites I've worked with so far operate this way. The whole point to having someone else responsible for authentication is to avoid this.
SAML Conclusion: Looks like I should finish off my own SAML implementation for Domino, which will work with any server 7.03 or above and doesn't have those limitations. Then, I'll let IBM increase the mindshare about SAML and when customers find it doesn't do what they want and go searching for answers, they'll find mine. It's a win for me, I guess.
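To make concrete what an SP that does not depend on local credentials actually does with an assertion, here is an added example. It is not code from this post, from IBM Domino, or from the author's own SP tools. It assumes the XML signature over the Response/Assertion has already been verified with an XML-DSig library against the IdP's known certificate (Python's standard library has no XML-DSig), and every entity ID, URL, the request ID and the sample Response are constructed for illustration. What remains after signature verification is the set of assertion-level checks that bind the assertion to this SP and this login attempt, after which the session is built straight from the asserted NameID and attributes, with no Person document, Notes ID or password involved.

```python
"""SP-side validation of a SAML 2.0 Response, then login with no local credential.

Added example; not code from this post, from IBM Domino, or from the author's SP
tools. Assumes the XML signature over the Response/Assertion was already verified
with an XML-DSig library against the IdP's certificate (the stdlib has none).
Every identifier, URL and the sample Response below is constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical relying-party configuration.
IDP_ENTITY_ID = "https://idp.example.org/metadata"
SP_ENTITY_ID = "https://notes.example.com/sp"
ACS_URL = "https://notes.example.com/saml/acs"
REQUEST_ID = "_req-42"  # ID of the AuthnRequest this SP sent
NOW = datetime(2012, 3, 1, 12, 0, 30, tzinfo=timezone.utc)  # fixed clock for the demo


class SamlValidationError(Exception):
    pass


def saml_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def require(elem, path):
    child = elem.find(path, NS)
    if child is None:
        raise SamlValidationError(f"missing {path}")
    return child


def validate_response(xml_text, now=NOW):
    """Return (assertion_id, name_id, attributes) or raise; each check binds the assertion to this SP and request."""
    root = ET.fromstring(xml_text)  # for real traffic, prefer defusedxml's parser
    if root.tag != f"{{{NS['samlp']}}}Response":
        raise SamlValidationError("not a samlp:Response")
    if root.get("Destination") != ACS_URL or root.get("InResponseTo") != REQUEST_ID:
        raise SamlValidationError("Response not addressed to this SP and request")
    if require(root, "samlp:Status/samlp:StatusCode").get("Value") != SUCCESS:
        raise SamlValidationError("IdP did not report Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlValidationError("expected exactly one Assertion")
    a = assertions[0]
    if require(a, "saml:Issuer").text != IDP_ENTITY_ID:
        raise SamlValidationError("untrusted Issuer")
    cond = require(a, "saml:Conditions")
    if not saml_time(cond.get("NotBefore")) <= now < saml_time(cond.get("NotOnOrAfter")):
        raise SamlValidationError("assertion outside its validity window")
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlValidationError("assertion not intended for this SP")
    subj = require(a, "saml:Subject")
    conf = require(subj, "saml:SubjectConfirmation")
    data = require(conf, "saml:SubjectConfirmationData")
    if (conf.get("Method") != BEARER or data.get("Recipient") != ACS_URL
            or data.get("InResponseTo") != REQUEST_ID
            or now >= saml_time(data.get("NotOnOrAfter"))):
        raise SamlValidationError("bearer subject confirmation failed")
    attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
             for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.get("ID"), require(subj, "saml:NameID").text, attrs


def login(xml_text, seen_assertion_ids, now=NOW):
    """Build a session straight from the assertion: no Person document, no password.
    seen_assertion_ids is the SP's replay cache; keep entries until the assertion expires."""
    assertion_id, name_id, attrs = validate_response(xml_text, now)
    if assertion_id in seen_assertion_ids:
        raise SamlValidationError("assertion replayed")
    seen_assertion_ids.add(assertion_id)
    return {"user": name_id, "groups": attrs.get("groups", []),
            "authenticated_by": IDP_ENTITY_ID}


# Constructed sample Response (Signature element omitted: assumed verified upstream).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_resp-1" Version="2.0" IssueInstant="2012-03-01T12:00:00Z"
    Destination="{ACS_URL}" InResponseTo="{REQUEST_ID}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a-7" Version="2.0" IssueInstant="2012-03-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID>alice@example.org</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
          Recipient="{ACS_URL}" InResponseTo="{REQUEST_ID}" NotOnOrAfter="2012-03-01T12:05:00Z"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="2012-03-01T11:59:00Z" NotOnOrAfter="2012-03-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="groups"><saml:AttributeValue>finance</saml:AttributeValue><saml:AttributeValue>notes-users</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
```

Calling `login(SAMPLE_RESPONSE, set())` yields a session for `alice@example.org` with the groups the IdP asserted; presenting the same Response a second time, changing the Audience to another SP, or presenting it after `NotOnOrAfter` all fail validation. Nothing in the flow consults a local directory entry or password for the user: the only local state the SP keeps is the IdP's certificate, its own entity ID and ACS URL, and the replay cache.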
What about OAuth?
To me, IBM Notes and Domino supporting OAuth sounded like it meant I'd be able to drop an XPages control or something on to a web page and start letting people log into my web sites built with Domino by authenticating on Facebook, Twitter, and Google, like so many other sites out there now do. NOPE. Apparently that's not what IBM meant at all. Again, assuming I'm reading this correctly, what IBM means by "Supporting OAuth" is that in the Client and in iNotes, you'll be able to use widgets in which the authentication method chosen by the provider of that widget happens to be OAuth (as I understand will be the case for some Connections stuff, and stuff custom developed for Connections). That's pretty minimal. Any web browser can do those things.
So far, I have to say that at least on that front I am not impressed at all.
"3. It doesn't seem to support logging in someone who does not have a Notes ID and Person Document on the server. None of the sites I've worked with so far operate this way. The whole point to having someone else responsible for authentication is to avoid this."

I had not read this, and it makes no sense whatsoever: why use SAML if the SP still has to manage credentials? Ridiculous!