Federation is not about 1:1 relationships

Craig said in Vail (see http://prezi.com/pys_d3ysqbmb/api-economy-update) that federation does not scale in the API economy because it deploys 1:1 relationships, and that we need to move to a hybrid cloud model. He then jumps to the conclusion that SAML == Federation, hence SAML does not scale, and underpins this with an enterprise-type scenario.
Besides his unorthodox use of the term Federation, this ignores a number of facts:

  • There are well-oiled implementations of SAML in federations across security domains. They prove that SAML places no restriction on multi-centricity or multi-lateral trust relationships; SAML definitely does not require a centralized model;
  • The technical protocol is, in my view, less important than its business context: the ecosystem and the cost of setting up a relationship;
  • XML and SOAP might be verbose, but with API packaging and on-the-wire compression this is a minor issue. ASN.1 and X.509 have their ugly faces, too, and we are still bootstrapping most of our "real" security based on them.
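
The first point can be made concrete with a SAML metadata aggregate: a federation operator publishes one signed EntitiesDescriptor listing every IdP and SP, each member trusts the operator's signing key once, and every SP thereby trusts every IdP without any pairwise exchange. The following is an added example, not code from the original post or from any federation; the entity IDs, endpoints and certificate blobs are constructed placeholders, and the example indexes the aggregate and counts trust relationships without verifying the aggregate's XML signature, which a real consumer must do before trusting anything in it.

```python
"""Multilateral SAML trust via a federation metadata aggregate.

Added example, not code from the original post.  A federation operator
publishes one signed <md:EntitiesDescriptor> listing every IdP and SP;
each member trusts the operator's signing key once and thereby trusts all
other members, instead of exchanging metadata pairwise.  Signature
verification of the aggregate is deliberately out of scope here.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample aggregate: two IdPs and two SPs.  Entity IDs, endpoints
# and certificate blobs are placeholders, not a real federation's metadata.
SAMPLE_AGGREGATE = """
<md:EntitiesDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    Name="urn:example:federation" validUntil="2099-01-01T00:00:00Z">
  <md:EntityDescriptor entityID="https://idp.alpha.example/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QUxQSEEtQ0VSVA==</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
          Location="https://idp.alpha.example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://idp.beta.example/saml">
    <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>QkVUQS1DRVJU</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
      <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://idp.beta.example/sso"/>
    </md:IDPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.gamma.example/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.gamma.example/acs"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
  <md:EntityDescriptor entityID="https://sp.delta.example/saml">
    <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
      <md:AssertionConsumerService index="0"
          Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
          Location="https://sp.delta.example/acs"/>
    </md:SPSSODescriptor>
  </md:EntityDescriptor>
</md:EntitiesDescriptor>
"""


def parse_aggregate(xml_text):
    """Index every IdP and SP in one aggregate by entityID."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "{%s}EntitiesDescriptor" % NS["md"]:
        raise ValueError("not a SAML metadata aggregate")
    valid_until = datetime.strptime(root.get("validUntil"), "%Y-%m-%dT%H:%M:%SZ")
    agg = {"name": root.get("Name"),
           "valid_until": valid_until.replace(tzinfo=timezone.utc),
           "idps": {}, "sps": {}}
    for ed in root.findall("md:EntityDescriptor", NS):
        eid = ed.get("entityID")
        idp = ed.find("md:IDPSSODescriptor", NS)
        if idp is not None:
            certs = [c.text.strip() for c in idp.findall(
                "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)]
            sso = {s.get("Binding"): s.get("Location")
                   for s in idp.findall("md:SingleSignOnService", NS)}
            agg["idps"][eid] = {"signing_certs": certs, "sso": sso}
        sp = ed.find("md:SPSSODescriptor", NS)
        if sp is not None:
            acs = [a.get("Location") for a in sp.findall("md:AssertionConsumerService", NS)]
            agg["sps"][eid] = {"acs": acs}
    return agg


def is_current(agg, now=None):
    """Stale aggregates must be refused; validUntil is the operator's bound."""
    now = now or datetime.now(timezone.utc)
    return now < agg["valid_until"]


def idps_trusted_by(agg, sp_entity_id):
    """Every IdP in the aggregate, with no per-SP trust configuration."""
    if sp_entity_id not in agg["sps"]:
        raise KeyError(sp_entity_id)
    return sorted(agg["idps"])


def trust_setup_cost(n_idp, n_sp):
    """Trust relationships to configure: pairwise versus one anchor each."""
    return {"bilateral": n_idp * n_sp, "aggregate": n_idp + n_sp}


if __name__ == "__main__":
    agg = parse_aggregate(SAMPLE_AGGREGATE)
    print(agg["name"], "current:", is_current(agg))
    for sp in agg["sps"]:
        print(sp, "->", idps_trusted_by(agg, sp))
    print(trust_setup_cost(100, 1000))
```

The scaling difference is in trust_setup_cost: 100 IdPs and 1000 SPs need 100000 bilateral exchanges but only 1100 trust decisions against one aggregate, which is exactly the multi-lateral model that real SAML federations run on.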

Confederation would be a better term to describe identity federations, but that horse is out of the barn.
Nice pic: SAMLasaZombie