Craig Burton: SAML is dead


Craig (@craigburton) said at the Cloud Identity Summit (#CIS2012) that SAML is dead. He argues:

  • SAML is the Windows XP of Identity. OAuth is Android, OpenID Connect IOS and Shibboleth Linux
  • No funding. No innovation. People still use it. But it has no future
  • SAML is dead != SAML is bad. SAML is dead != SAML isn’t useful. SAML is dead means SAML != the future.

The ensuing twitter storm gave a topic for the following analyst panel session:

Sally Hudson (IDC):

SAML will be augmented and extended. From a quantitative perspective SAML’s life expectancy can be comparted with age-old mainframe authentication sytems: they still made 200m $ in 2011. However, there will be newer, more adapted technologies.

It will also be interesting to see how a competition between SAML and OIDC evolves. The story between SAML and WS-* stalled the federation market for a considerable time.

Steve Coplan, 451 Research:

SOAP will not stay forever, rather be replaced by REST. SAML might not support all use cases, but will have a place to stay. It might not accommodate new architectures coming up the next 3-4 years, like the mobile/app space.


Kantara’s Global Trust Framework Survey shows that 75% of all federations in production use SAML WebSSO. (In my talk tomorrow in Track C)


My 2 cents: SAML is mature. SAML is functional and scalable for bread and butter business applications. To do large projects in 2012 and 2013 it is still the safe bet.