Thursday, September 27, 2007

Adopting Evolution

In my bitchier moments I have been heard to say… “OpenID; brought to you by people who didn’t want to read the SAML spec”. I truly believe that the process of enhancing OpenID from supporting its original use cases to supporting a wide range of internet scale activities of varying values will eventually see OpenID evolve to be a fully compliant SAML definable profile.

So I have been asking myself; why has OpenID grabbed so much popularity while SAML, a much more mature, academically respected, ‘robust’ specification has been largely ignored by the cutting edge web 2.0 community…. an image came to me that I think might be profound, at least for me, and this blog seems like as good a place as any for me to try to get it out of my head.

I'm imagining a perfectly planned city… you bring together the best minds in social and urban planning and have them design and build the perfect city. Then you ask people to move to it… it’s big and empty and impersonal, its very perfection is off-putting and intimidating. Meanwhile, just down the street there is a collection of mud huts with lots of people milling about, drinking beer and having fun. People are flocking to the village and it’s growing rapidly. The urban planners that built the city say: but don’t you see, you will need all the infrastructure that we have built in order to continue to thrive as a community, you’ll need police, medical and fire services, you’ll need schools and water pumping stations. But still people flock to the village to be part of growing something new and exciting. The villagers say: if we need police, someone will step up and become a policeman, if there’s a fire we’ll get together and put it out. The inevitable outcome of the growth of the village seems to be a less well planned version of the planned city. It will, by inevitability, have many of the same features, some less well executed and some surprisingly better than the planned city.

To me, and maybe it’s just me, I know I would much rather be part of the village than move into the city. I might not want to re-invent the wheel but internet identity is a large, complex and subtle system; like a city, it isn’t a wheel. Internet identity is going to have very organic qualities… I’m wondering if the growth, the evolution of the organic system isn’t the magic source that will actually humanize internet identity… I think it might be necessary that we start with simple organisms that can evolve, branch and each branch succeed or fail based on their efficacy in their ever-changing environment. If two teams of engineers looked out over an early version of earth’s ecosystem and one designed ‘the perfect organism’ and the other designed an amoeba capable of rapid reproduction and innovation, which would you bet on for long-term survival?

I’m not saying that the SAML community isn’t also receptive, open, innovating and evolving, they are. I repeat my original statement that I do think that SAML is more mature and ‘robust’ than OpenID… I’m simply trying to understand the juju that OpenID has (at least in my opinion).


Eric Norman said...

Interesting thought, although I suspect evolution will go somewhere that neither OpenID nor SAML have anticipated.

Nevertheless, I still think your bitchier moment comment is closer to the truth. It's a case of "Not Invented Here" with a layer of chauvinism on top.

Pat Patterson said...

In my bitchier moments I have been heard to say… “OpenID; brought to you by people who couldn't be bothered to read the SAML spec”.

Unknown said...

Depends on how you would use the technology.

SAML is more applicable to a group of users that belong to (read: work for) a large, process-oriented body such as a company.

OpenID is more applicable to the typical John/Jane Doe who is not under the "control" of any large, process-oriented body.


Unknown said...

Here is where the "old school" vs "new school" thought comes in.

In layman's terms, I would think of it like this:

SAML is more applicable to those users that are under the "control" of a process-oriented body such as a company that they are working for. They don't have the ability to choose who is their Identity Provider.

OpenID is more applicable to those users that are not under the "control" of a process-oriented body such as a company that they are working for. They have the ability to choose who is their Identity Provider.


Anonymous said...

In my bitchiest moment, I have been known to say, "OpenID, brought to you by people who will say 'Well, if I was to read the SAML specs, I'm sure I'd discover that it wouldn't support our use case.' "

Victor Grey said...

Great post! Clay Shirky had a very similar thought more than 10 years ago:


Anonymous said...

The reason is perhaps quite simple.

I've heard of OpenID for a few years now, and see it here and there quite often.

It's the first time I've heard of SAML, i.e., half an hour ago (and I've been with the Internet since the Arpanet days on a daily basis, since 1986).

Simply put, just marketing failure, imho.