Why has OpenID grabbed so much popularity while SAML, a much more mature, academically respected, ‘robust’ specification has been largely ignored by the cutting edge web 2.0 community?
I’ll encourage you to read his post for his insightful answer.
His question reminded me of another answer to the same question that I gave during the recent Concordia meeting at DIDW: OpenID solves the “Home Realm Discovery” problem that all Federation protocols face; that is, figuring out where the person’s authentication information should come from.
There’s lots of ways this problem can be solved, many of which involve potential identity providers being pre-configured by system administrators as possible choices for specific services. Some systems have even dictated the use of a particular identity provider. OpenID’s solution to this is elegant in its simplicity: Let the user decide. When I type in an OpenID URL such as https://mbj.signon.com/ I’m telling the relying party where my identity provider for this interaction is — thus solving the “Home Realm Discovery” problem. As elegant as this is, of course, the potential downside of this solution is that it assumes that people will remember their OpenID identifiers and will faithfully type them in when a page prompts them for an OpenID.
OpenID 2.0 actually allows i-names such as =mbj or =Mike.Jones to be used as OpenIDs as well. I-names then use their own lookup protocol to discover the identity provider behind the i-name typed. This is arguably better (and is the kind of OpenID I personally use), but still relies on the user to reliably enter their OpenID identifier when prompted.
In this discussion at Concordia, others pointed out that using an Identity Selector (such as DigitalMe or CardSpace) is another means of solving the problem. Like OpenID, it also lets the user decide, but in this case, by clicking on a visual Information Card, rather than typing in a string. I personally believe that this will be an easier metaphor for many people to use once it’s commonly available than typing in an OpenID identifier.
I’ll also point out that it’s not a one-or-the-other choice between OpenIDs and Information Cards when letting the user decide. As was recently demonstrated, OpenID Information Cards can be used to deliver the OpenID identifier to the OpenID relying party, rather than having the user type it.
In conclusion, while it may seem esoteric, solving the “Home Realm Discovery” problem is essential to working digital identity deployments. And the usability of the solution chosen matters a lot. Using Andy’s terminology, I believe that its solution to this problem both accounts for some of “the juju that OpenID has” and may result in usability problems for less technical audiences that will need to be addressed if it’s to break out beyond just us geeks.