View
213
Download
0
Tags:
Embed Size (px)
Citation preview
© 2008 by Parity; made available under the EPL v1.0
Identity Management Authorization and User Profiles: Higgins1.0 and Beyond
Paul Trevithick, [email protected]
Mary Ruddy, [email protected]
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Outline
• What is Higgins?– 20 minute introduction• Demo of a Higgins Identity Selector Solution – 10 min• Higgins Global Graph Drill Down – 60 min• Higgins community – 5 min• Higgins adoption – 5 min• Higgins 1.0 – 10 min• Higgins Futures – 10 min
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
The web of today isn’t people-centered
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
It’s silo-centered
• People go from site to site setting up accounts and pouring in stuff about themselves
• Everything the site learns is from people’s fingers – clicks of the keyboard or mouse
• Its tedious for the user – she’s constantly repeating herself, typing in forms
Type type type, click, click, click. Clickety-clack, clickety-clack.
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
The vision of user-centric Identity Management
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
User-centric Identity Management
• What if you could register at a site without typing data into forms and having to remember passwords?
“Identity Selector”
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
User-centric Identity Management
• What if you could register at a site without typing data into forms and having to remember passwords?
• And what if you could manage all of your identities as a set of visual “information cards” in one place
Identity Selector
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Higgins
Higgins1: a species of Tasmanian long-tailed mouse
2: an open source identity selector and interoperability framework being developed by
IBM, Novell, Oracle, CA, Google, Parity…
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Goals: 1 of 5
• Provide a consistent user experience based on card icons for the management and release of identity data
• This is needed in order to have a trusted mechanism for authentication and other interactions that is less vulnerable to phishing and other attacks and that works for a wide variety of users and systems
• See Higgins 1.0 “Identity Selector”
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Goals: 2 of 5
• Empower users with more convenience and control over personal information distributed across external information silos.
• Provide a single point of control over multiple identities, preferences and relationships
• See Higgins 1.0 “Identity Selector”
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Goals: 3 of 5
• Provide an API and data model for the virtual integration and federation of identity and security information from a wide variety of sources
• See Higgins 1.0 “Identity Attribute Service”
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Goals: 4 of 5
• Provide plug-in adapters to enable existing data sources including directories, communications systems, collaboration systems and databases each using differing protocols and schemas to be integrated into the framework
• See Higgins 1.0 “Identity Attribute Service” “Context Provider” plugins
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Goals: 5 of 5
• Provide a social relationship data integration framework that enables these relationships to be persistent and reusable across application boundaries
• It organizes relationships into a set of distinct social contexts within which a person expresses different personas and roles
• See Higgins 1.0 “Higgins Global Graph” data model
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
The Three Layers of Solutions
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
“Identity Selector” App Solution
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Information Card (aka I-Card) User Metaphor
Managed
Personal (self-issued)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
I-Cards are managed by an Identity Selector application
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Click on a card
Identity Selector User Interface(Higgins is interoperable with Microsoft CardSpace™shown here)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
…just click and you’re registered and/or signed in!
(No more “per site” passwords)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
The Identity Selector apps are powered by an interoperability framework
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Interoperability Framework
Higgins FrameworkHiggins Framework
Higgins Browser Extension
Higgins Browser Extension AppsApps Identity
ProvidersIdentity
ProvidersApps and ServicesApps and Services
CardSpaceCardSpaceProtocol Providers implement protocols for interacting with Relying Parties
Protocol Providers implement protocols for interacting with Relying Parties
OpenIDOpenID
CardSpace Managed (WS-Trust)
CardSpace Managed (WS-Trust)
RSS/AtomRSS/Atom
I-Card Providers implement identity protocols and card types
I-Card Providers implement identity protocols and card types
CardSpace PersonalCardSpace Personal
SAMLSAML X509X509
Higgins Relationship
Higgins Relationship
KerberosKerberos
JNDI / LDAPJNDI / LDAP
Enterprise Apps
Enterprise Apps
Token Providers implement different kinds of security tokens
Token Providers implement different kinds of security tokens
IdAS Context Providers connect to different identity data sources
IdAS Context Providers connect to different identity data sources
SAMLSAML
UN/PSUN/PS IdemixIdemix
RDF OWLRDF OWL
Active Directory
Active Directory
Comms ClientsComms Clients
Relying PartiesRelying Parties
Plug-insPlug-ins
Common data modelCommon data model
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Identity Selector Solutions
• Firefox-embedded Selector Solution For Firefox on Windows, Linux, and OSX (Requires hosted I-
Card Service Component)
• GTK / Cocoa Selector Solution – C++ For Firefox on Linux, FreeBSD and OSX
• RCP Selector Solution For Eclipse RCP Application
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
The Three Layers of Solutions
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Identity Web Services Solutions
Identity Providers (IdPs)• STS IdP
WS-Trust Identity Provider (webapp and web service)
• SAML2 IdPSAML2 Identity Provider (webapp and web service)
Relying Parity (RP) Example Website• Extensible Protocol RP Website
I-Card enabled Relying Party site (webapp)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
The Three Layers of Solutions
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Higgins Global Graph
• Provides a foundation for achieving data portability, interoperability and unification for identity, profile, preference and social relationship data about people, things or concepts
• Identity information related to identification, authentication, etc. • It also includes attributes such as preferences, interests, and
associated objects like events and things, wishlists. • It includes relational attributes representing friends and other
kinds of associations with other people, organizations, etc. • An important kind of relation, called a correlation, models a link
between different representations of the same person in different contexts (systems)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Higgins Global Graph Implementation
• Identity Attribute Service + Context Providers (plugins) • Implements the Higgins Global Graph• Can be extended using Context Providers that connect
the IdAS to various systems or data stores.
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Higgins Identity Selector Demonstration
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Higgins Global Graph Data Model
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Requirements for Interoperability
• Three things are required to achieve identity and social data interoperability:
1. A common data model (including a common schema description language)
2. An API and/or service abstraction3. Schema mapping transforms or a common schema
• #1 is addressed by the Higgins Global Graph model• #2 can be addressed using the Higgins Identity Attribute Service
(aka IdAS)• #3 is considered out of scope
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Contexts and ContextId Data Range URIs
• A Context is a data container/source• Each Context is identified by a URI
Specifically, a ContextId Data Range URI
• Examples of Contexts: Facebook social network LDAP directory PeopleSoft database Mobile phone network
A Context
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Contexts contain Nodes• Nodes are representations of entities (e.g. real
world people, groups, organizations, objects, etc.)
• Each Node is identified by a URI Specifically, a NodeId Data Range URI
R&D Dept.A Node representing your manager
A Node representing you
Context
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Nodes have zero or more Attributes• Each attribute has an attribute type (URI)• Each attribute one or more values• These values may be simple (e.g. a string) or complex (e.g. a
postal address, 3D avatar mesh, calendar event, etc.)
Node
Each attribute has one or more values
Attributes of a Node
Bob activities: plays-golf-every
Value = “Wednesday”
Value = “Saturday”
Abstract Concept
Example
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Attribute values and Data Ranges
• All simple attribute values have a base datatype that is one of the XML Schema types (e.g. string, integer, boolean, anyURI, etc.)
• They may also have syntax constraint facets (e.g. length, pattern, minInclusive) as defined by XML Schema
• Two Data Ranges are pre-defined: NodeId Data Range – a URI that identifies a Node ContextId Data Range – URI that identifies a Context
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Attribute Statements
An Attribute Statement
• An instance of a node-attribute-value triple is called an attribute Statement
• Statements may have attributes
Abstract Concept
Example
Attributes about the Statement
blue
eye-color
Bob
asserted-by
Massachusetts Department of Motor Vehiclesvalid-until Aug 17th 2010
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
The NodeId Attribute• Almost all Nodes have a special NodeId attribute
whose value is a NodeId Data Range that uniquely identifies the Node within its containing Context
Node NodeId attribute
The value of the NodeId attribute identifies the Node itself
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
The Node Relation Attribute• A Node Relation attribute creates a link between
two Nodes
Node
The value of a Node Relation attribute is a URI that uniquely identifies some other node
Node Relation attribute
Abstract Concept
Bob foaf:knows
Value: AliceExample Alice
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
The Node Correlation Attribute• A Node Correlation attribute creates a link
between two Nodes and implies that both nodes are representations of the same underlying Entity (e.g. person or thing)
Node
The value of a Node Correlation attribute is a URI that uniquely identifies another node representing the same Entity
Node Corelation attribute
Abstract Concept
Bob higgins:correlation
Value: “Robert Smith”Example Robert Smith
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
A Node representing entity #1 (e.g. you)A Node representing an entity other than entity #1 (e.g. someone other than you)
Simplified Rendering of Relations
Bob correlation Value: “Alice” Alice
Bob Alice
Dotted line implies relation
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
A Node representing entity #1 (e.g. you)A Node representing an entity other than entity #1 (e.g. someone other than you)
Simplified Rendering of Correlations
Bob correlation Value: “Robert Smith” Robert Smith
Bob Robert Smith
Solid line implies correlation
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Relation and Correlation examples
Context A Yahoo*group-22
Node Relation
In this example you have two accounts/profiles in Context A and you are also member of the Yahoo Group. You know another member of the Yahoo Group.
333 4668
@yahoo*group22 // 4668
@yahoo*group22 // 333
Identifies the Context
Identifies Node 4668
within it
NodeId Data Range (URI)
Node Correlations
A Node representing entity #1 (e.g. you)A Node representing an entity other than entity #1 (e.g. someone other than you)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Friends List example
e.g. Facebook
The Attribute Statement: “You know Drummond”
Drummond
A Node representing entity #1 (e.g. you)A Node representing an entity other than entity #1 (e.g. someone other than you)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Social Network example
Reciprocated (confirmed) link
A Node representing entity #1 (e.g. you)A Node representing an entity other than entity #1 (e.g. someone other than you)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
A Cross-Context example
Facebook Second LifeDept of Motor
VehiclesSocial Security Administration
Other Nodes
You
You
“Meta” Context
You
A Node representing entity #1 (e.g. you)A Node representing an entity other than entity #1 (e.g. someone other than you)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Contexts Relations and Correlations
• Contexts can have both Context Relations and Context Correlations that are analogs to Node Relations and Node Correlations respectively
• A Context Relation is a “related” Context• A Context Correlation is another Context that is a
representation of the same underlying set of Entities (e.g. the same underlying organizational department)
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Enterprise Directory example
Enterprise directory Context with two sub-Contexts
You
R&D Dept.
XYZ Corporation
Marketing Dept.
Contexts can have relationships with other Contexts. These are called Context Relations.
Your Manager
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Higgins Global Graph Specifications
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Key:
Higgins Ontology Language (HOWL)
Ontology (Schema)
RDFS / OWL
Higgins XRDS
Service Endpoints
Identifiers
Cool URIs
OpenID
XDI
Higgins Context
Descriptors
WS-Addressing
[Planned]
XRI
Discovery
XRI
v10
W3C OASIS De facto
Higgins Global Graph:Implementation Specifications
Higgins Identifiers
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Context Ontologies
• Contexts describe their ontologies using RDF/OWL• Contexts base their ontologies on higgins.owl (aka
HOWL)• Contexts are otherwise free to define their own data
schemas/ontologies• For example, a Context could define a Person, that
has eyeColor and phoneNumber attributes: Person would sub-class higgins:Node eyeColor would specialize higgins:attribute
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Higgins Adoption – Open Source Communities
• This section lists open source solutions developed external to the Higgins project, but based on Higgins Components
• Novell Bandit “DigitalMe” Identity Selector• Novell Bandit STS/IdP
Higgins-based STS/IdP service
• Eclipse ALF Project • Other Eclipse projects (Aperi and Cosmos) are
considering using Higgins
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Higgins Adoption – Commercial
• Serena• Novell• IBM• Oracle• CA• Sxip
Higgins Tutorial | © 2008 by Parity; made available under the EPL v1.0
Higgins 1.0 – Packaged as 7 Solutions
• 3 Identity Selector Application• 2 Identity Provider Web Services• 1 Relying Party Web Service• 1 Identity Interoperability Framework (Identity Attribute
Service)
• Opportunity to answer questions about Higgins