I would like to draw everyone's attention to a Dave Kearns newsletter of June 21st, which in turn points to a very relevant Oracle blog that is worth reading.

The conclusions drawn in a set of four separate blog posts on this subject coincide with my own, as recently presented to the Cloud Security Alliance in Barcelona, with perhaps the difference that Oracle's Nishant Kaushik doesn't really offer a solution. That is not surprising, because Oracle is not likely to ever become an Identity Service Provider like Verizon. His 'just in time provisioning' ideas and his reservations about SPML and SAML in this space are spot on, though. It is also surprising that he doesn't really mention Information Cards. Maybe because Oracle software doesn't support them yet?

An Information Card that carries all the right claims up front, so that the cloud provider can create an account 'on the fly', seems a much better idea than a SAML attribute query or OpenID Attribute Exchange. Both of those require the federation service to request additional attributes from the OpenID Provider during the authentication flow, pretty much outside the user's control.
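To make the 'claims up front' point concrete, here is an added example (my own illustration, not code from the post, from Oracle or from any Information Card implementation): a minimal just-in-time provisioning step that creates an account only from the attributes already present in the assertion it received, and refuses when a required claim is missing instead of issuing a back-channel attribute query. The attribute names, the required-claim set and the sample assertion are assumptions.

```python
# Added example: just-in-time provisioning from up-front claims only.
# Attribute names, REQUIRED_CLAIMS and the sample assertion are constructed
# for illustration; signature and Conditions checks are deliberately omitted.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Claims the cloud provider needs before it will create an account (assumed).
REQUIRED_CLAIMS = {"email", "givenName", "surname", "role"}

# Constructed sample AttributeStatement, as a SAML 2.0 assertion fragment.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>alice@example.org</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.org</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="surname"><saml:AttributeValue>Smith</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>reader</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_claims(assertion_xml: str) -> dict:
    """Return {attribute name: first value} taken from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    claims = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        value = attr.find("saml:AttributeValue", SAML_NS)
        if value is not None and value.text:
            claims[attr.get("Name")] = value.text.strip()
    return claims


def provision_just_in_time(assertion_xml: str, accounts: dict) -> str:
    """Create the account from the claims in hand, or refuse.

    No attribute query is sent to the IdP: if the token the user chose to
    present lacks a required claim, provisioning fails visibly instead of
    fetching more data about the user behind their back.
    """
    claims = extract_claims(assertion_xml)
    missing = REQUIRED_CLAIMS - set(claims)
    if missing:
        return "refused: missing " + ",".join(sorted(missing))
    user = claims["email"]
    if user in accounts:
        return "existing"
    accounts[user] = {name: claims[name] for name in REQUIRED_CLAIMS}
    return "created"


if __name__ == "__main__":
    store = {}
    print(provision_just_in_time(SAMPLE_ASSERTION, store))  # created
```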