Gerald Beuchelt ridicules my post on SOA security in his reply, Where is the problem? In particular, Gerald takes aim at my statement that SAML, and other SOA security standards, are immature, stating that SAML has been around since 2001.
I agree with Gerald that, if you measure maturity by time (as he does in his reply), then SAML could be considered “mature”.
On other other hand, I am measuring “maturity” by actual usage, and the proof of security solutions is in the actual adoption, not simply years of standards activity and vendor marketing.
For example, here is a WS-Security related quote from Michael Meehan, SOA standards searched for maturity in 2005:
“You can find WS-Security in all SOA products, but almost no one’s using it,” said Burton Group Inc. vice president and research director Anne Thomas Manes. “It’s amazing how few people are using it.”
The same is true for SAML and other security standards for SOA. Yes, there has been a lot of activity for a number of years, and vendors include the products in their sales portfolio, but very few people actual use it to build secure applications.
I measure IT maturity by actual usage. For example, HTTP, SSL, SNMP, IPSEC are “mature” in my opinion, they are used worldwide. SAML, and most of the other SOA-related security standards, are not.