I spent the weekend in the North-East of England visiting family and friends, so I didn’t spend as much time as usual with Google Reader keeping up with events in the IT (and broader) world. As I did a mammoth catch up session on the way home I came across two things that I think were necessary, inevitable, took too long to happen, but I’m glad that we got there in the end:

1. Finally an open XACML API – I said some time ago (in this blog post, and during Q&A following my presentation at Catalyst Europe) that XACML was like LDIF for entitlements, without an LDAP – an interchange format without an interface. It’s great to see that some of the major players have finally got around to tackling this one. Hopefully this is the first step towards entitlements being factored out of every application (and service) that we use.

2. Google Apps + OpenID = identity hub for SaaS – it would be easy to dismiss this as yet another announcement of an OpenID identity provider (IDP), which the world is already awash with. I think this one is different however for a number of reasons:

• Google Apps is becoming the place that everybody signs into. In the old enterprise world everybody signed into AD so that they could access email (via Outlook and Exchange). The in new SaaS world everybody signs into Google Apps so that they can access email via Gmail. There are some huge directory management challenges lurking here, but that’s a post for another day.
• There seems to be some commitment by others to become relying parties (RPs) for Google Apps OpenIDs – thus dealing with the asymmetry that’s plagued many of these things so far – everybody wants to be an IDP and nobody wants to be an RP.
• The discovery protocol moves the game along by providing a means for an RP to determine whether my domain is able to serve up a Google Apps OpenID. Hopefully this will be generalised (and standardised) later in order to remove the Google dependency.

Having had two wishes granted here’s my third…

Google (or a third party working with Google) – please give me a means to provide strong(er) authentication. I will pay for the tokens, but I don’t want to have to build a directory, RADIUS server and enterprise like federation capability just so that I can play. Give me a means to sign in that’s better than just passwords (and some choice over whether that’s an OTP, smartcard, biometric, out of band message or whatever) and a means to let third party RPs know that I signed in strongly, and the SaaS world will take a huge step forward. A repeat of ‘Twittergate‘ can be avoided.