
SAML vs LDAP to the death?

…with tag team partners STS for SAML and the VDS (Virtual Directory Server) for LDAP?

So I’ve taken Jackson’s advice and have been reading Microsoft’s “Guide to Claims-Based Identity and Access Control”. While most of it has been things I’ve heard before, the formulation of the ideas the way Microsoft wants to present them to their favorite audience, developers, is very interesting.

The thing that caught my eye, started a whole lot of conversation, switched on a few lightbulbs for me and prompted this post was a quote very early on:

“ADFS has a rule engine that makes it easy to extract LDAP attributes from the user’s record in Active Directory and its cousin, Lightweight Directory Services. ADFS also allows you to add rules that include arbitrary SQL statements so that you can extract user data out of your own custom SQL database. You can extend ADFS to add other stores. This is useful because, in many companies, a user’s identity is often fragmented. ADFS hides this fragmentation. Your claims-based applications won’t break if you decide to move data around between stores.” (from page 6)

Described like this, the STS sounds a heck of a lot like a VDS. So I asked many of the Quest big brains what they thought of the quote and what the quote made me think. I was quickly told that this was silly since the models for an STS and VDS are so different. Some of their points were:

  • The STS is a push model where users show up at the application with claims ready; the VDS is a pull model where the application has to go and get the information
  • The VDS approach is about applications using data from multiple sources without modifying the application, while the ADFS + WIF approach is about teaching the application to consume claims natively by modifying it
  • The STS and SAML approaches wrap the claims, the identity data, into the authentication operation, while the VDS approach simply exposes a service for the application to use through the application’s own operations
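To make the quoted paragraph and the “push model” point concrete, here is an added example that is not from the post, from Microsoft’s guide or from any Quest product: an ADFS 2.0 issuance rule set, applied with the ADFS PowerShell cmdlets, that pulls LDAP attributes out of Active Directory and a column out of a custom SQL database and issues both as claims in the token the user carries to the application. The relying party name “ClaimsApp”, the attribute store name “HRDatabase”, its connection string, the Employees table and the custom cost-center claim type URI are all assumptions; the Microsoft claim type URIs and the claim rule syntax are the standard ones.

```powershell
# Added example (not code from the post or from Microsoft's guide).
# Assumed names: relying party "ClaimsApp", SQL attribute store "HRDatabase",
# its connection string, the Employees table and the costcenter claim type.

# 1. Register the custom SQL attribute store once per ADFS farm. This is the
#    "extend ADFS to add other stores" piece from the quote.
Add-AdfsAttributeStore -Name "HRDatabase" -StoreType "SQL" `
    -Configuration @{ "Connection" = "Server=hrsql01;Database=HR;Integrated Security=True" }

# 2. Issuance transform rules in the ADFS claim rule language. Each rule reads
#    matching input claims (c:[...]) and issues new ones. Order matters: the
#    third rule consumes the email claim the second rule issued.
$rules = @'
@RuleName = "Pass through the Windows account name"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(claim = c);

@RuleName = "LDAP attributes from Active Directory"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress",
                   "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname",
                   "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"),
          query = ";mail,givenName,tokenGroups;{0}",
          param = c.Value);

@RuleName = "Cost center from the HR database (assumed table and claim type)"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(store = "HRDatabase",
          types = ("http://schemas.example.com/claims/costcenter"),
          query = "SELECT CostCenter FROM Employees WHERE Email = {0}",
          param = c.Value);
'@

# 3. Attach the rule set to the relying party. From here on the application
#    receives all of these claims inside the signed token at sign-in (the push
#    model) and never opens an LDAP or SQL connection of its own.
Set-AdfsRelyingPartyTrust -TargetName "ClaimsApp" -IssuanceTransformRules $rules
```

Two things a practitioner would check in a rule set like this. The `Issuer == "AD AUTHORITY"` condition on the account-name rules ties the directory and database lookups to a user the STS authenticated itself; without it, if the same STS also accepts tokens from a federated partner, a partner-asserted account name could drive those lookups. And in the SQL rule the `{0}` placeholder is filled by the attribute store from `param`, so the claim value should be passed that way rather than spliced into the query text. Moving the mail or cost-center data to another store later means changing these rules, not the application, which is exactly the fragmentation-hiding the quote describes.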

Somewhere in the midst of this discussion, a big gear clicked into place. I saw something I bet many, many have seen before – but it was new to me. Microsoft and Oracle were really going head to head in identity for applications. Yes, I know it’s hard to believe that Microsoft and Oracle would compete. But that does seem to be what’s happening. You see, the VDS had always been in this spot on my mental whiteboard between the applications and the multiple sources of identity data as an abstraction layer. The STS was somewhere on that mental whiteboard, but it wasn’t in that spot. Now I’d been clearly shown that it could be moved in front of the VDS, or even be moved to replace the VDS. Of course, much depends on the use cases. The STS can’t really do everything the VDS does and vice versa. But I think it’s fair to say that Oracle is betting on people like me who see with an application architect’s eye and try to make the current generation of revenue generating applications do their work better and faster. Microsoft is betting on its excellent developer community and credibility to propel the next generation of all applications into a claims based, STS dependent world.

That battle would seem to pit SAML and LDAP against each other, each with one of the largest tech giants in its corner. In reality, I doubt it will be anything so dramatic. But before this conversation, I didn’t even see the potential for that battle. It’s amazing how many latent hostilities to some approaches seem clear to me now. I don’t even think some of the people who were hostile realized why. But there are deep mechanisms at work in the respective communities involved that are forming opinions that will likely solidify into “Linux vs Windows Server” style opinion wars soon enough. Here I thought all this good will about interoperability in identity could last forever. Silly me.

  1. Kyle Robinson
    April 8, 2010 at 3:04 pm

    “Described like this, the STS sounds a heck of a lot like a VDS.”
    I think this is backwards. Basically the VDS traditionally only had a LDAP head, but now you can put on a token issuer head making it a fairly robust STS. The backend of the ADFS STS that is looking at both AD and ADLDS could probably be considered a very simple VDS.

  2. April 8, 2010 at 3:15 pm

    I think it could go both ways (to coin a phrase). I agree that the STS backend starts to look like a VDS. I may not agree it’s so “simple”. It seems like ADFS is putting a fair bit of capability in there. I doubt it could replace full-featured VDS products right now, but since they likely know who their competitors are they may be thinking about that. Of course, they do a lot of their thinking out loud on various Microsoft blog outlets and I have not seen that stated. It’s a wait and see thing.

  3. oc007us
    March 27, 2013 at 8:51 pm

    I see it more like Active Directory vs. VDS and STS vs. SAML. Although they mostly seem complementary. Identity management services need a directory like AD or LDAP and federation requires a protocol like WS-FED (STS) or SAML. These technologies can be combined with gateways (http://www.assurebridge.com/our-products/unified-authentication-gateway/) that allow a user, for example, to login to one web site via LDAP or AD and then single sign-in to another web site via STS or SAML.

