
© 2008 by Parity; made available under the EPL v1.0

Identity Management Authorization and User Profiles: Higgins1.0 and Beyond

Paul Trevithick, [email protected]

Mary Ruddy, [email protected]

Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0

Outline

• What is Higgins? – 20 minute introduction

• Demo of a Higgins Identity Selector Solution – 10 min

• Higgins Global Graph Drill Down – 60 min

• Higgins community – 5 min

• Higgins adoption – 5 min

• Higgins 1.0 – 10 min

• Higgins Futures – 10 min

The web of today isn’t people-centered

It’s silo-centered

• People go from site to site setting up accounts and pouring in stuff about themselves

• Everything the site learns is from people’s fingers – clicks of the keyboard or mouse

• It’s tedious for the user – she’s constantly repeating herself, typing in forms

Type type type, click, click, click. Clickety-clack, clickety-clack.

The vision of user-centric Identity Management

User-centric Identity Management

• What if you could register at a site without typing data into forms and having to remember passwords?

• And what if you could manage all of your identities as a set of visual “information cards” in one place?

(Screenshot: an Identity Selector)

Higgins

Higgins 1: a species of Tasmanian long-tailed mouse

Higgins 2: an open source identity selector and interoperability framework being developed by IBM, Novell, Oracle, CA, Google, Parity…

Goals: 1 of 5

• Provide a consistent user experience based on card icons for the management and release of identity data

• This is needed in order to have a trusted mechanism for authentication and other interactions that is less vulnerable to phishing and other attacks and that works for a wide variety of users and systems

• See Higgins 1.0 “Identity Selector”

Goals: 2 of 5

• Empower users with more convenience and control over personal information distributed across external information silos.

• Provide a single point of control over multiple identities, preferences and relationships

• See Higgins 1.0 “Identity Selector”

Goals: 3 of 5

• Provide an API and data model for the virtual integration and federation of identity and security information from a wide variety of sources

• See Higgins 1.0 “Identity Attribute Service”

Goals: 4 of 5

• Provide plug-in adapters to enable existing data sources (directories, communications systems, collaboration systems and databases, each using differing protocols and schemas) to be integrated into the framework

• See Higgins 1.0 “Identity Attribute Service” “Context Provider” plugins

Goals: 5 of 5

• Provide a social relationship data integration framework that enables these relationships to be persistent and reusable across application boundaries

• It organizes relationships into a set of distinct social contexts within which a person expresses different personas and roles

• See Higgins 1.0 “Higgins Global Graph” data model

The Three Layers of Solutions

(Diagram of the three layers: Identity Selector applications, Identity Web Services, and the Higgins Global Graph / Identity Attribute Service)

“Identity Selector” App Solution

Information Card (aka I-Card) User Metaphor

• Managed cards

• Personal (self-issued) cards

I-Cards are managed by an Identity Selector application

(Screenshot: Identity Selector User Interface; Higgins is interoperable with Microsoft CardSpace™, shown here. Click on a card…)

…just click and you’re registered and/or signed in!

(No more “per site” passwords)

The Identity Selector apps are powered by an interoperability framework

Interoperability Framework

(Diagram: the Higgins Framework sits between Apps and Services on one side (Higgins Browser Extension, Enterprise Apps, Comms Clients) and Identity Providers and Relying Parties on the other, built on a common data model and plug-ins. The plug-in families, with the technologies labelled for each:)

• Protocol Providers implement protocols for interacting with Relying Parties – CardSpace, OpenID, RSS/Atom

• I-Card Providers implement identity protocols and card types – CardSpace Managed (WS-Trust), CardSpace Personal, Higgins Relationship

• Token Providers implement different kinds of security tokens – SAML, X509, Kerberos, UN/PS, Idemix

• IdAS Context Providers connect to different identity data sources – JNDI / LDAP, RDF OWL, Active Directory

Identity Selector Solutions

• Firefox-embedded Selector Solution – for Firefox on Windows, Linux, and OS X (requires hosted I-Card Service Component)

• GTK / Cocoa Selector Solution – C++, for Firefox on Linux, FreeBSD and OS X

• RCP Selector Solution – for Eclipse RCP applications

The Three Layers of Solutions

Identity Web Services Solutions

Identity Providers (IdPs)

• STS IdP – WS-Trust Identity Provider (webapp and web service)

• SAML2 IdP – SAML2 Identity Provider (webapp and web service)

Relying Party (RP) Example Website

• Extensible Protocol RP Website – I-Card enabled Relying Party site (webapp)

The Three Layers of Solutions

Higgins Global Graph

• Provides a foundation for achieving data portability, interoperability and unification for identity, profile, preference and social relationship data about people, things or concepts

• Identity information related to identification, authentication, etc.

• It also includes attributes such as preferences, interests, and associated objects like events, things and wishlists.

• It includes relational attributes representing friends and other kinds of associations with other people, organizations, etc.

• An important kind of relation, called a correlation, models a link between different representations of the same person in different contexts (systems)

Higgins Global Graph Implementation

• Identity Attribute Service + Context Providers (plugins)

• Implements the Higgins Global Graph

• Can be extended using Context Providers that connect the IdAS to various systems or data stores.

Higgins Identity Selector Demonstration

Higgins Global Graph Data Model

Requirements for Interoperability

• Three things are required to achieve identity and social data interoperability:

1. A common data model (including a common schema description language)

2. An API and/or service abstraction

3. Schema mapping transforms or a common schema

• #1 is addressed by the Higgins Global Graph model

• #2 can be addressed using the Higgins Identity Attribute Service (aka IdAS)

• #3 is considered out of scope

Contexts and ContextId Data Range URIs

• A Context is a data container/source

• Each Context is identified by a URI – specifically, a ContextId Data Range URI

• Examples of Contexts: a Facebook social network, an LDAP directory, a PeopleSoft database, a mobile phone network

(Diagram: a Context)

Contexts contain Nodes

• Nodes are representations of entities (e.g. real-world people, groups, organizations, objects, etc.)

• Each Node is identified by a URI – specifically, a NodeId Data Range URI

(Diagram: a Context, R&D Dept., containing a Node representing you and a Node representing your manager)

Nodes have zero or more Attributes

• Each attribute has an attribute type (URI)

• Each attribute has one or more values

• These values may be simple (e.g. a string) or complex (e.g. a postal address, 3D avatar mesh, calendar event, etc.)

(Diagram, abstract concept: a Node with its Attributes, each attribute having one or more values. Example: Node “Bob”, attribute “activities: plays-golf-every”, values “Wednesday” and “Saturday”)

Attribute values and Data Ranges

• All simple attribute values have a base datatype that is one of the XML Schema types (e.g. string, integer, boolean, anyURI, etc.)

• They may also have syntax constraint facets (e.g. length, pattern, minInclusive) as defined by XML Schema

• Two Data Ranges are pre-defined:

  – NodeId Data Range – a URI that identifies a Node

  – ContextId Data Range – a URI that identifies a Context
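A small validator for the data-range rules on this slide, written as an added example for this page (it is not Higgins code and does not use the IdAS API). It models a simple attribute value as a base XML Schema datatype plus the facets the slide names (length, pattern, minInclusive) and a few related ones, and rejects a lexical value that fails any of them before it would be stored as a Statement value. The `xsd:` prefix is the usual XML Schema prefix; the sample ranges (an eye-colour enumeration, a US ZIP pattern, an age bound, and a NodeId range built on anyURI) are constructed for illustration.

```python
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Optional, Tuple

# Lexical-to-value parsers for the XML Schema base datatypes used here.
XSD_BASE_PARSERS: Dict[str, Callable[[str], Any]] = {
    "xsd:string": str,
    "xsd:integer": int,
    "xsd:boolean": lambda s: {"true": True, "1": True, "false": False, "0": False}[s],
    "xsd:anyURI": str,
}


@dataclass
class DataRange:
    """A base XML Schema datatype plus optional constraining facets.

    Facet names follow XML Schema; a facet left as None is not applied.
    """
    base: str
    length: Optional[int] = None
    min_length: Optional[int] = None
    max_length: Optional[int] = None
    pattern: Optional[str] = None            # matched against the whole lexical form
    enumeration: Optional[List[str]] = None
    min_inclusive: Optional[int] = None
    max_inclusive: Optional[int] = None

    def check(self, lexical: str) -> Tuple[bool, str]:
        """Return (accepted, reason). Every facet must hold for the value to be accepted."""
        parse = XSD_BASE_PARSERS.get(self.base)
        if parse is None:
            return False, f"unsupported base datatype {self.base}"
        try:
            value = parse(lexical)
        except (ValueError, KeyError):
            return False, f"{lexical!r} is not a valid {self.base}"
        n = len(lexical)
        if self.length is not None and n != self.length:
            return False, f"length {n} != {self.length}"
        if self.min_length is not None and n < self.min_length:
            return False, f"length {n} < minLength {self.min_length}"
        if self.max_length is not None and n > self.max_length:
            return False, f"length {n} > maxLength {self.max_length}"
        if self.pattern is not None and re.fullmatch(self.pattern, lexical) is None:
            return False, f"{lexical!r} does not match pattern {self.pattern!r}"
        if self.enumeration is not None and lexical not in self.enumeration:
            return False, f"{lexical!r} not in enumeration {self.enumeration}"
        # Ordering facets only make sense for numeric base types.
        if self.min_inclusive is not None and (not isinstance(value, int) or value < self.min_inclusive):
            return False, f"{value!r} < minInclusive {self.min_inclusive}"
        if self.max_inclusive is not None and (not isinstance(value, int) or value > self.max_inclusive):
            return False, f"{value!r} > maxInclusive {self.max_inclusive}"
        return True, "ok"


# Constructed sample ranges (not from any Higgins schema).
EYE_COLOR_RANGE = DataRange("xsd:string", enumeration=["blue", "brown", "green", "hazel"])
US_ZIP_RANGE = DataRange("xsd:string", pattern=r"\d{5}(-\d{4})?")
AGE_RANGE = DataRange("xsd:integer", min_inclusive=0, max_inclusive=150)
# A NodeId Data Range: an absolute URI (scheme ':' rest) with a length cap.
NODE_ID_RANGE = DataRange("xsd:anyURI", pattern=r"[A-Za-z][A-Za-z0-9+.\-]*:\S+", max_length=2048)


def accept_value(data_range: DataRange, lexical: str) -> bool:
    """True only if the lexical form satisfies the base type and every facet."""
    return data_range.check(lexical)[0]


if __name__ == "__main__":
    for rng, lex in [(EYE_COLOR_RANGE, "blue"), (EYE_COLOR_RANGE, "purple"),
                     (US_ZIP_RANGE, "02139"), (US_ZIP_RANGE, "2139"),
                     (AGE_RANGE, "42"), (AGE_RANGE, "-1"), (AGE_RANGE, "forty"),
                     (NODE_ID_RANGE, "urn:example:node:4668"), (NODE_ID_RANGE, "not a uri")]:
        print(lex, "->", rng.check(lex))
```

The point for an IdAS-style service is that the data range is the contract at the boundary: a Context Provider that pulls values from an LDAP directory or a web form and checks them against the declared range before they become Statements keeps malformed or out-of-range data from propagating to every other Context that later reads the unified profile.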

Attribute Statements

• An instance of a node-attribute-value triple is called an attribute Statement

• Statements may have attributes

(Diagram, abstract concept: a Statement with Attributes about the Statement. Example: the Statement “Bob eye-color blue” carries the attributes asserted-by = Massachusetts Department of Motor Vehicles and valid-until = Aug 17th 2010)

The NodeId Attribute

• Almost all Nodes have a special NodeId attribute whose value is a NodeId Data Range that uniquely identifies the Node within its containing Context

(Diagram: a Node with its NodeId attribute; the value of the NodeId attribute identifies the Node itself)

The Node Relation Attribute

• A Node Relation attribute creates a link between two Nodes

• The value of a Node Relation attribute is a URI that uniquely identifies some other node

(Diagram, abstract concept: a Node with a Node Relation attribute pointing at another Node. Example: Node “Bob”, attribute foaf:knows, value: Alice)

The Node Correlation Attribute

• A Node Correlation attribute creates a link between two Nodes and implies that both nodes are representations of the same underlying Entity (e.g. person or thing)

• The value of a Node Correlation attribute is a URI that uniquely identifies another node representing the same Entity

(Diagram, abstract concept: a Node with a Node Correlation attribute pointing at another Node. Example: Node “Bob”, attribute higgins:correlation, value: “Robert Smith”)

Simplified Rendering of Relations

(Diagram key, used on the following slides: a Node representing entity #1 (e.g. you); a Node representing an entity other than entity #1 (e.g. someone other than you). The Bob → Alice relation with value “Alice” is drawn as Bob and Alice joined by a dotted line: a dotted line implies a relation)

Simplified Rendering of Correlations

(Diagram: the Bob → Robert Smith correlation with value “Robert Smith” is drawn as Bob and Robert Smith joined by a solid line: a solid line implies a correlation)

Relation and Correlation examples

In this example you have two accounts/profiles in Context A and you are also a member of the Yahoo Group. You know another member of the Yahoo Group.

(Diagram: Context A and Context Yahoo*group-22; your two Nodes are joined by Node Correlations and a Node Relation joins you to the other member. The NodeId Data Range URIs shown are “@yahoo*group22 // 4668” and “@yahoo*group22 // 333”: the first part identifies the Context and the second identifies Node 4668 (or 333) within it. Key: a Node representing entity #1 (e.g. you); a Node representing an entity other than entity #1 (e.g. someone other than you))

Friends List example

(Diagram, e.g. Facebook: a Node representing entity #1 (e.g. you) and a Node representing an entity other than entity #1 (Drummond), linked by the Attribute Statement “You know Drummond”)

Social Network example

(Diagram, Facebook: your Node linked to several other Nodes; a reciprocated (confirmed) link is one that both Nodes assert)

A Cross-Context example

(Diagram: a Node representing you in each of Facebook, Second Life, the Dept of Motor Vehicles and the Social Security Administration, alongside other Nodes, and a “Meta” Context whose Node representing you is correlated with all of them)
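The Node, Attribute, Statement, Relation and Correlation slides above, and the three examples just shown, as one added, runnable example written for this page (it is not Higgins or IdAS code). It models Contexts as containers of Statements, gives every Node a NodeId attribute whose URI embeds its ContextId, keeps attributes about a Statement such as asserted-by and valid-until, checks for a reciprocated link, and follows higgins:correlation links across Contexts to gather one Entity's attributes from all of its representations, the “Meta” view of the cross-context example. The attribute URIs (higgins:nodeId, higgins:correlation, foaf:knows, ex:eye-color), the urn:ctx:… ContextIds, the `#local` NodeId form and the sample people are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set

# Attribute-type URIs used below. The "higgins:" / "foaf:" prefixes and the
# "<ContextId>#<local>" NodeId form are assumptions made for this example.
NODE_ID = "higgins:nodeId"
CORRELATION = "higgins:correlation"
KNOWS = "foaf:knows"
EYE_COLOR = "ex:eye-color"


@dataclass
class Statement:
    """A node-attribute-value triple; `meta` holds attributes about the Statement."""
    subject: str                      # NodeId Data Range URI of the Node
    attribute: str                    # attribute type URI
    value: object                     # a simple value or another NodeId URI
    meta: Dict[str, object] = field(default_factory=dict)

    def valid_on(self, day: Optional[date]) -> bool:
        """Honour a valid-until attribute about the Statement, if present."""
        until = self.meta.get("valid-until")
        return day is None or until is None or day <= until


class Graph:
    """Contexts are the containers; each holds the Statements about its Nodes."""

    def __init__(self) -> None:
        self.contexts: Dict[str, List[Statement]] = {}

    @staticmethod
    def node_id(context_id: str, local: str) -> str:
        # A NodeId is only unique within its Context, so it embeds the ContextId.
        return f"{context_id}#{local}"

    def add(self, context_id: str, local: str, attribute: str, value: object, **meta) -> str:
        node = self.node_id(context_id, local)
        stmts = self.contexts.setdefault(context_id, [])
        if not any(s.subject == node and s.attribute == NODE_ID for s in stmts):
            stmts.append(Statement(node, NODE_ID, node))   # the special NodeId attribute
        stmts.append(Statement(node, attribute, value, dict(meta)))
        return node

    def values(self, node: str, attribute: str, on: Optional[date] = None) -> List[object]:
        """Values of one attribute of one Node, dropping Statements no longer valid on `on`."""
        context_id = node.split("#", 1)[0]
        return [s.value for s in self.contexts.get(context_id, [])
                if s.subject == node and s.attribute == attribute and s.valid_on(on)]

    def reciprocated(self, a: str, b: str, attribute: str) -> bool:
        """A confirmed link: each Node relates to the other."""
        return b in self.values(a, attribute) and a in self.values(b, attribute)

    def same_entity(self, node: str) -> Set[str]:
        """Every Node representing the same Entity: the symmetric, transitive
        closure of higgins:correlation, followed across Context boundaries."""
        seen, frontier = {node}, [node]
        while frontier:
            current = frontier.pop()
            linked = set(self.values(current, CORRELATION))
            for stmts in self.contexts.values():          # correlations pointing at `current`
                linked.update(s.subject for s in stmts
                              if s.attribute == CORRELATION and s.value == current)
            for other in linked - seen:
                seen.add(other)
                frontier.append(other)
        return seen

    def unified(self, node: str, attribute: str, on: Optional[date] = None) -> List[object]:
        """The attribute's values gathered from all Nodes correlated with `node`."""
        out: List[object] = []
        for n in sorted(self.same_entity(node)):
            out.extend(self.values(n, attribute, on))
        return out


# Constructed sample data echoing the slides' Bob / Robert Smith / Yahoo group figures.
BEFORE_EXPIRY = date(2010, 1, 1)
AFTER_EXPIRY = date(2011, 1, 1)


def build_sample() -> Graph:
    g = Graph()
    bob = g.add("urn:ctx:facebook", "bob", KNOWS, "urn:ctx:facebook#alice")
    g.add("urn:ctx:facebook", "alice", KNOWS, bob)                  # reciprocated link
    robert = g.add("urn:ctx:dmv", "robert-smith", EYE_COLOR, "blue",
                   **{"asserted-by": "Massachusetts Department of Motor Vehicles",
                      "valid-until": date(2010, 8, 17)})
    g.add("urn:ctx:facebook", "bob", CORRELATION, robert)           # same person, another Context
    me = g.add("urn:ctx:yahoo-group22", "333", CORRELATION, bob)
    g.add("urn:ctx:yahoo-group22", "333", KNOWS, "urn:ctx:yahoo-group22#4668")
    g.add("urn:ctx:yahoo-group22", "4668", KNOWS, me)
    return g


if __name__ == "__main__":
    g = build_sample()
    bob = "urn:ctx:facebook#bob"
    print(sorted(g.same_entity(bob)))
    print(g.unified(bob, EYE_COLOR, on=BEFORE_EXPIRY))   # ['blue']
    print(g.unified(bob, EYE_COLOR, on=AFTER_EXPIRY))    # []  (DMV statement has expired)
    print(g.unified(bob, KNOWS))
```

Two points a practitioner should take from it. A Statement's valid-until attribute is enforced when values are read, so an expired DMV assertion silently drops out of the unified profile rather than being served as current. And because correlation is followed in both directions and transitively, a single bogus correlation Statement in any one Context would merge a stranger's Nodes into your Entity, which is why who may assert correlations in a Context deserves the same scrutiny as who may assert eye-color.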

Contexts Relations and Correlations

• Contexts can have both Context Relations and Context Correlations that are analogs to Node Relations and Node Correlations respectively

• A Context Relation is a “related” Context

• A Context Correlation is another Context that is a representation of the same underlying set of Entities (e.g. the same underlying organizational department)

Enterprise Directory example

(Diagram: an enterprise directory Context, XYZ Corporation, with two sub-Contexts, R&D Dept. and Marketing Dept.; Nodes for You and Your Manager sit in the sub-Contexts)

Contexts can have relationships with other Contexts. These are called Context Relations.

Higgins Global Graph Specifications

Higgins Global Graph: Implementation Specifications

(Diagram; the key distinguishes W3C, OASIS and de facto specifications, with some items marked [Planned]. Columns: Ontology (Schema), Service Endpoints, Identifiers, Discovery.)

• Ontology (Schema): Higgins Ontology Language (HOWL), built on RDFS / OWL

• Service Endpoints, Identifiers and Discovery: Higgins XRDS, Higgins Identifiers and Higgins Context Descriptors, alongside Cool URIs, OpenID, XDI, XRI (v10) and WS-Addressing

Context Ontologies

• Contexts describe their ontologies using RDF/OWL

• Contexts base their ontologies on higgins.owl (aka HOWL)

• Contexts are otherwise free to define their own data schemas/ontologies

• For example, a Context could define a Person that has eyeColor and phoneNumber attributes:

  – Person would sub-class higgins:Node

  – eyeColor would specialize higgins:attribute
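A worked example of the schema enforcement this slide implies, added for this page (constructed; it is not higgins.owl and not IdAS code). It holds a Context's ontology as RDF-style triples, computes the rdfs:subClassOf and rdfs:subPropertyOf closures, and then checks an incoming attribute Statement the way a Context Provider could: the subject must be inferred to be a higgins:Node, the attribute must be a declared specialization of higgins:attribute, and any rdfs:domain on the attribute must hold. The higgins:Node and higgins:attribute names come from the slide; the ex:, ctx:, rdf: and rdfs: terms and the sample Person / Employee / Device classes are assumptions.

```python
from typing import Dict, Iterable, List, Set, Tuple

Triple = Tuple[str, str, str]

RDF_TYPE = "rdf:type"
SUBCLASS = "rdfs:subClassOf"
SUBPROPERTY = "rdfs:subPropertyOf"
DOMAIN = "rdfs:domain"
HIGGINS_NODE = "higgins:Node"            # HOWL class named on the slide
HIGGINS_ATTRIBUTE = "higgins:attribute"  # HOWL property named on the slide


def closure(triples: Iterable[Triple], predicate: str) -> Dict[str, Set[str]]:
    """Reflexive-transitive closure of a hierarchy predicate such as rdfs:subClassOf."""
    direct: Dict[str, Set[str]] = {}
    for s, p, o in triples:
        if p == predicate:
            direct.setdefault(s, set()).add(o)
    result: Dict[str, Set[str]] = {}
    for start in direct:
        seen, stack = {start}, [start]
        while stack:
            for nxt in direct.get(stack.pop(), ()):
                if nxt not in seen:
                    seen.add(nxt)
                    stack.append(nxt)
        result[start] = seen
    return result


class ContextOntology:
    """A Context's RDFS/OWL schema plus the checks a Context Provider can apply to incoming Statements."""

    def __init__(self, schema: Iterable[Triple]):
        self.schema = list(schema)
        self.superclasses = closure(self.schema, SUBCLASS)
        self.superproperties = closure(self.schema, SUBPROPERTY)
        self.domains: Dict[str, Set[str]] = {}
        for s, p, o in self.schema:
            if p == DOMAIN:
                self.domains.setdefault(s, set()).add(o)

    def ancestors(self, cls: str) -> Set[str]:
        return self.superclasses.get(cls, {cls})

    def is_attribute(self, prop: str) -> bool:
        """True if `prop` is higgins:attribute or a declared specialization of it."""
        return HIGGINS_ATTRIBUTE in self.superproperties.get(prop, {prop})

    def types_of(self, data: Iterable[Triple], node: str) -> Set[str]:
        """Declared rdf:type classes of a node plus everything inferred via subClassOf."""
        types: Set[str] = set()
        for s, p, o in data:
            if s == node and p == RDF_TYPE:
                types |= self.ancestors(o)
        return types

    def check_statement(self, data: List[Triple], stmt: Triple) -> Tuple[bool, str]:
        subject, prop, _value = stmt
        types = self.types_of(data, subject)
        if HIGGINS_NODE not in types:
            return False, f"{subject} is not (inferred to be) a {HIGGINS_NODE}"
        if not self.is_attribute(prop):
            return False, f"{prop} is not declared as a specialization of {HIGGINS_ATTRIBUTE}"
        for required in self.domains.get(prop, ()):
            if required not in types:
                return False, f"{subject} is not in the domain {required} of {prop}"
        return True, "ok"


# Constructed example schema in the spirit of the slide (not the real higgins.owl).
SCHEMA: List[Triple] = [
    ("ex:Person", SUBCLASS, HIGGINS_NODE),
    ("ex:Employee", SUBCLASS, "ex:Person"),
    ("ex:eyeColor", SUBPROPERTY, HIGGINS_ATTRIBUTE),
    ("ex:phoneNumber", SUBPROPERTY, HIGGINS_ATTRIBUTE),
    ("ex:eyeColor", DOMAIN, "ex:Person"),
]

# Constructed instance data for one Context.
DATA: List[Triple] = [
    ("ctx:bob", RDF_TYPE, "ex:Employee"),
    ("ctx:printer-7", RDF_TYPE, "ex:Device"),      # ex:Device is not declared a higgins:Node
]

ONTOLOGY = ContextOntology(SCHEMA)

if __name__ == "__main__":
    for stmt in [("ctx:bob", "ex:eyeColor", "blue"),
                 ("ctx:bob", "ex:favoriteColor", "red"),
                 ("ctx:printer-7", "ex:phoneNumber", "555-0100")]:
        print(stmt, "->", ONTOLOGY.check_statement(DATA, stmt))
```

The closure step is what makes the slide's "Person would sub-class higgins:Node" useful in practice: an Employee is accepted as a Node without anyone restating that fact per class, while an undeclared property such as ex:favoriteColor, or a subject whose class was never tied into HOWL, is rejected instead of being stored as an unclassified attribute that other Contexts cannot interpret.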

Higgins Community Includes

(Diagram of community member logos)

Higgins Adoption – Open Source Communities

• This section lists open source solutions developed external to the Higgins project, but based on Higgins Components

• Novell Bandit “DigitalMe” Identity Selector

• Novell Bandit STS/IdP – Higgins-based STS/IdP service

• Eclipse ALF Project

• Other Eclipse projects (Aperi and Cosmos) are considering using Higgins

Higgins Adoption – Commercial

• Serena

• Novell

• IBM

• Oracle

• CA

• Sxip

Higgins 1.0 – Packaged as 7 Solutions

• 3 Identity Selector Applications

• 2 Identity Provider Web Services

• 1 Relying Party Web Service

• 1 Identity Interoperability Framework (Identity Attribute Service)

• Opportunity to answer questions about Higgins