Pat Patterson points out that the Liberty ID-WSF protocol is a nice fit for Federated Provisioning:
Now, in my Liberty-tinged version, when sending a new user to Omega, Acme includes a reference to their Employee Profile (EP) service – essentially the service’s endpoint URL – in the SAML assertion. This endpoint reference serves as both a description of where to find the service and permission for Omega (when sent as part of the signed SAML assertion) to invoke that service.
On receiving the assertion, Omega sends a signed request to the EP service, the request containing the SAML assertion it just received. Now, the EP service knows that Omega is entitled to access that employee’s data, since it has a signed SAML assertion, issued by Acme itself, that says exactly that (via the presence of the EP endpoint reference). The EP can return exactly the data required (this will have been configured according to the underlying contract between Acme and Omega).
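The checks the EP has to make before it hands anything back, as an added example (my code, not Pat's and not a Liberty implementation). It assumes the endpoint URL, the party keys and the Acme/Omega contract shown, and uses HMAC over JSON as a stand-in for the XML-DSig signatures a real SAML/ID-WSF deployment would verify:

```python
import hmac, hashlib, json

# Constructed stand-in keys. Real ID-WSF uses XML-DSig with X.509 keys; a per-party
# HMAC key models "signed by X" well enough to show the authorization logic.
KEYS = {"acme": b"acme-signing-key", "omega": b"omega-signing-key"}
EP_ENDPOINT = "https://ep.acme.example/employee-profile"  # assumed endpoint URL
# Attributes Omega may receive under the (assumed) Acme/Omega contract.
CONTRACT = {"omega": ["employeeId", "displayName", "department"]}
# Constructed directory record; note "salary" is outside the contract.
DIRECTORY = {"u123": {"employeeId": "u123", "displayName": "John",
                      "department": "Finance", "salary": 90000}}

def sign(payload: dict, signer: str) -> dict:
    body = json.dumps(payload, sort_keys=True).encode()
    return {"signer": signer, "payload": payload,
            "sig": hmac.new(KEYS[signer], body, hashlib.sha256).hexdigest()}

def verify(signed: dict, expected_signer: str) -> bool:
    if signed.get("signer") != expected_signer:
        return False
    body = json.dumps(signed["payload"], sort_keys=True).encode()
    good = hmac.new(KEYS[expected_signer], body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, signed.get("sig", ""))

def issue_assertion(subject: str, audience: str, now: int) -> dict:
    """Acme's assertion for the new hire, carrying the EP endpoint reference."""
    return sign({"issuer": "acme", "subject": subject, "audience": audience,
                 "notBefore": now, "notOnOrAfter": now + 300,
                 "endpointReferences": [EP_ENDPOINT]}, "acme")

def ep_handle_request(request: dict, now: int):
    """EP-side authorization of Omega's request; returns (status, attributes)."""
    if not verify(request, "omega"):            # request itself must be signed
        return ("reject: request not signed by requester", None)
    requester = request["signer"]
    assertion = request["payload"]["assertion"]
    if not verify(assertion, "acme"):            # assertion must be Acme's, untampered
        return ("reject: assertion not issued by Acme", None)
    a = assertion["payload"]
    if a["audience"] != requester:               # issued to this SP, not replayed from another
        return ("reject: assertion not addressed to requester", None)
    if not (a["notBefore"] <= now < a["notOnOrAfter"]):
        return ("reject: assertion outside validity window", None)
    if EP_ENDPOINT not in a["endpointReferences"]:  # the permission Pat describes
        return ("reject: assertion carries no EP endpoint reference", None)
    record = DIRECTORY.get(a["subject"])
    if record is None:
        return ("reject: unknown subject", None)
    allowed = CONTRACT.get(requester, [])
    return ("ok", {k: v for k, v in record.items() if k in allowed})
```

The last filter is what keeps "exactly the data required" honest: even a valid assertion only unlocks the attributes the contract names.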
Now there is absolutely nothing wrong with this scenario. SAML in conjunction with ID-WSF is a very reasonable way for information about You (the person needing to be provisioned) to be conveyed to the service provider. For You, all the bases are covered.
But there is one big problem here. It’s not always about You.
Think about any enterprise application that You use. How much data concerns You and how much data concerns Somebody Else? I am talking about data such as contact lists, workflow approvers, roles, responsibilities, etc. How does all this data about Somebody Else get synchronized in a timely enough fashion to be useful to You?
For instance, if John is an approver in a workflow in a hosted application, and John is laid off, how does John get removed as an approver? How does Mary get added in his place? Do all the requests that John needs to approve sit in limbo until an administrator manually makes the change? Sadly, that’s how it’s usually handled now.
The SAML/ID-WSF solution is fine for many applications. It just isn’t sufficient for moving many of today’s enterprise applications to a SaaS model.