Re: [saml-dev] SAML, trust and WS.

[william <oasis.saml@javafreelancer.net>]

> I'll leave as an exercise for the reader to ask about the 
> viability of "web services" if nobody can figure out how to do 
> stuff this basic with  all the specs out there. I think that's a 
> telling problem.
> 
> -- Scott

i agree. i think there _is_ a problem somewhere. going by my own 
experience, the developers on the saml 1.1 project i recently 
joined :

a) were overwhelmed by the complexity and richness of the specs 
(saml 1.1/ws-security/ws-federation). so they, therefore...

b) ...didn't take time to truly understand the specs; which led to 
them being...

c) ...confused by all the different specs that use saml (liberty 
vs ws-federation vs ws-security vs pure saml vs shibboleth vs...)

d) were up against tight deadlines and implemented whatever they 
could get working in the shortest period of time (and in the 
process threw a lot of the specs out the window).

e) were just plain misinformed

in the organization i work for, i am considered a freak because i 
actually read and refer to the specs! there is a dirth of good 
books on the subject for one thing. i was given a book (Securing 
Web Services with WS-Security - Rosenberg & Remy)  by the lead 
developer of my current project. it was supposed to help me get up 
to speed on saml. to be fair, that book does have some good 
nuggets of info. but the more i read it, the more confused i 
became. and when i refered to the specs to try to get some 
clarification, i discovered that book has loads of incorrect 
information!

i can only speak from my own experience, but i think there is a 
lot of confusion/misunderstanding/hype of what can and can't be 
done with saml and not enough best practice examples to guide 
implementations.

scott, your draft proves that if people read the specs thoroughly 
and really _grok_ what the specs prescribe then they might find 
that the answers to their problems were right there all the time.

will