STORK’s SAML interface specification for the integration of IdPs and SPs deviates in several points[1] from current industry practice, which is reflected in the Kantara eGov profile. Some points can be explained by specific conditions of STORK’s core use case, the citizen to government authentication. For some other points the design decisions (which are not available to the public) are not clear and could be attributed to a lack of time and/or lack of attention on interoperability with existing SAML practice and paraphernalia[2]. It was also noted at both OASIS SSTC and Kantara eGov WG that STORK did not use it liaisons for cooperation and alignment.
STORK 2 started in April 2012. It does not seem to address the improvement of interoperability with industry standards nor to facilitate the standardization with an SDO[3]. STORK 2 puts emphasis on expanding use cases from G2C to G2B and B2C types.
Interoperability between both protocols is highly desirable. A rich ecosystem of products, libraries, supporting tools and extensions exists that STORK deployments could tap into if technical interoperability would be improved. On the other hand, existing federations based on mature enterprise or open source products could benefit from STORK, as it proposes a government-backed and low-cost solution with high-assurance credentials.
Footnotes:
- A summary of differences is available at the Kantara eGov Working Group wiki
- It might be attributed to the fact that STORK was driven more by legal than technical challenges.
- SDO: Standards Development Organization like ISO, CEN, OASIS, ETSI and others.