SAML 2.0, a protocol for federated single sign on, needs to lighten up for the Web 2.0 world of agile development,...
says Pat Patterson, federation architect at Sun Microsystems Inc. And that's where Sun's Project Lightbulb comes in.
The goal of project Lightbulb, which is part of Open Single Sign-On (Open SSO) is to provide a lightweight means of federating identities, so users can sign in with a single authentication key and move seamlessly between all sorts of mashed up and recombined Web services projects, Patterson explained in a Webcast today sponsored by Liberty Alliance.
The concept is to have URL-based identity where the user is able to participate in blogs and wikis and other Web 2.0 collaborative applications without a pre-existing relationship with the application, he explained.
"The Web is very different now than it was five years ago," Patterson said "I'm focused on participation on the developer side to put a presence on the Web very quickly."
OpenSSO is designed to provide a way to create an federated identity via SAML 2.0 with very little coding. This would solve the problem developers of Web 2.0 applications have with the heavyweight nature of SAML 2.0 implementation, Patterson said.
"Web 2.0 developers say SAML 2.0 would be useful because it's widely implemented, secure and industrial strength," he continued. "On the downside people saw it as complex. XML signature seemed like a barrier to getting SAML. These were people using lightweight languages like PHP, Perl, Python and Ruby."
Noting that many modern Web services seem to have settled on Linux with a lightweight language such as PHP and Ruby, the Lightbulb project (originally a pun because it was to fit into the LAMP stack) is intended to provide the security of SAML 2.0 implemented through a scripting language, Patterson said. This avoids the problem of having to maintain a repository of passwords and authentication data on a server for a simple developer blog, he said..
"Maintaining passwords in a repository was becoming siloed," he told the audience for the Webcast. "People wanted to get to a federated identity management system where the user can authenticate with a third party and access a variety of sites with one password. Effectively the PHP site forgets about passwords and uses authentication."This is where OpenSSO comes in. At first, Patterson tried using the Sun Federation Manager with an open source Java bridge so the PHP application could participate in a SAML 2.0, but he found it still imposed overhead.
"For a single PHP site it was overkill," he explained.
The next step was to build SAML 2.0 token support in scripts in the Web server. This proved to be "a great solution if you've got one or two PHP sites," Patterson said. However with larger applications running on more than five servers it requires a separate server running OpenSSO, he said.
Programming in Microsoft Notepad, Patterson demonstrated how SAML authentication can be coded into a Web site to provide for single sign on and single log out with very simple lines of PHP code.
This allows the user to log in via an authentication provider and then access blogs and other developer collaboration sites securely without having to type in user names and passwords repeatedly.
Currently the Lightbulb project is only available for PHP, but Patterson said implementations with Ruby and other scripting languages are in the pipeline. He called for developers to join the project and extend it. He said Lightbulb is already attracting participation from developers in the U.S., Europe and even China.
Source code is available on the OpenSSO Website..