Too late for federated identity?

Sun has released its Single Sign On technology under the CDDL, giving it the name Open Source Single Sign On (Open SSO), with a roadmap that would make it a federated identity solution across multiple sites.

The code is based on its Java System Access Manager.

The question I have is, could this be too little, too late for federated identity? (If you don't recognize whose papers these were, this Russian site will give you a hint.)

The idea of having a single sign-on for multiple sites has been kicking around for over a decade. It was one of the first concepts I heard, once people started talking about requiring registration.

But it hasn't happened.

Not that it hasn't been tried. Remember Microsoft Passport? It's now called Windows Live ID. Lots of Microsoft sites use it. No one else does. Or what about the Liberty Alliance?  They are still around. Sun was one of the original sponsors. Have you used that lately? I haven't. How about Ping Identity?

The trouble has nothing to do with code, and everything to do with human nature. The idea that “if you require signs-ons for every site people will use fewer sites” is comforting to many site managers, especially publishers, who see in it a hope to capture and retain their audience.

What happens in practice is that people either keep a list of all their separate sign-ons, use a throwaway ID like Bugmenot, or create a single sign-on which, with a few variations, they use everywhere. This is terrible security. But it seems acceptable to the sites.

The fact that this code is under the CDDL doesn't give me a warm feeling, either. I think a key to getting some form of federated identity going would be to put it under the Apache project, which runs so many commercial Web servers, and (not being a lawyer) I don't know if the CDDL is really compatible with the Apache license.

Discuss.