Higgins Overview 2008
1. Higgins
1: A species of Tasmanian long-tailed mouse
2: An open source identity framework being
developed at the Eclipse Foundation
2. Sections
1. Higgins 1.0
– What we released in Feb 2008
2. Higgins 1.1
– What we’re working on (or in some cases
just thinking about) for June 2009
3. Beyond Higgins 1.1
Copyright © 2008 Parity. Made available under EPL 1.0
3. Section One: Higgins 1.0
Released February 2008
Commercial products based on Higgins
1.0 have been announced by Novell,
Serena, Computer Associates and IBM
4. Higgins is an Identity
Framework
Enables users and applications to
integrate identity, profile, and social
relationship information across
multiple data sources and
protocols.
5. End-users experience Higgins
through the UI metaphor of
Information Cards using an app
called an Identity Selector
Information Cards and selectors are just the
tip of the iceberg of what can be done
with Higgins, but it’s a place to start…
6. Today you go from site to site filling in
forms and passwords
Websites…
Type, type, type. Click, click.
Here a password, there a password.
Everywhere a password.
Here a form, there a form, ...
7. Information Cards Put You in Control
Each card is a slice of the digital you (or a friend of yours) held in some data silo. Any kind of information: your preferences, favorite songs, employee id numbers, drivers licenses, affiliations, your health plan id, ...you get the idea, can be accessed using a card.
[Illustration: this wallet-like thing is an app called an Identity Selector]
8. Higgins Identity Selectors
[Architecture diagram: Client Apps, Web Services, Web apps on top; below them Identity Selectors, Identity Providers and Relying Parties side by side; then Identity Services; then Identity Attribute Service]
9. How to Use I-Cards
• By clicking on a card you can log into
sites. No more passwords
• You can share cards with friends and
businesses you trust
• Some [relationship] cards create
permanent connections to your friends,
communities and businesses
10. Identity Selector “Wallet”
Click on a card to send it to a site
[Screenshot of the selector “wallet”: Microsoft CardSpace™ is shown here; Higgins is interoperable with it]
11. Identity Selector
Card-based Sign-in
• Per-site passwords are eliminated
• Instead, the selector posts a security token
that is validated by the relying site
• Provides some anti-phishing protection
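Added example (not Higgins or CardSpace code) of what “the selector posts a security token that is validated by the relying site” amounts to on the relying-party side. An HMAC over a JSON payload stands in for the signed XML token a real deployment uses, and the issuer, key, site identifier, subject and claims are all constructed. The relying party checks the signature, checks that the token is addressed to this site, and checks the validity window; the audience check is what keeps a token obtained for a look-alike site from being accepted at the real one, and because no password is ever typed there is nothing for a phishing form to harvest.

```python
"""Constructed illustration of card-based sign-in at the relying party.
Not Higgins code: an HMAC over JSON stands in for a signed XML token."""
import hashlib
import hmac
import json
import time

# Constructed: issuers this relying party trusts, with the key used to check
# their tokens (a real RP would verify the IdP's XML signature instead).
TRUSTED_ISSUERS = {
    "https://idp.example/sts": b"constructed-idp-key-0001",
}
RP_IDENTIFIER = "https://shop.example"   # this site's identity, as the selector sees it
TOKEN_LIFETIME = 300                     # seconds a token stays valid


class TokenError(Exception):
    """Raised when a posted token must be rejected."""


def _canonical(payload):
    # Stable byte form of the payload so signer and verifier hash the same thing.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def _sign(key, payload):
    return hmac.new(key, _canonical(payload), hashlib.sha256).hexdigest()


def issue_token(issuer, key, audience, subject, claims, now=None):
    """Token service side: mint a token for one subject, scoped to one relying party."""
    now = int(time.time()) if now is None else now
    payload = {
        "issuer": issuer,
        "audience": audience,          # the site this token may be presented to
        "subject": subject,
        "claims": claims,
        "not_before": now,
        "expires": now + TOKEN_LIFETIME,
    }
    return {"payload": payload, "signature": _sign(key, payload)}


def validate_token(token, expected_audience=RP_IDENTIFIER, now=None):
    """Relying party side: return the claims only if every check passes."""
    now = int(time.time()) if now is None else now
    payload, signature = token["payload"], token["signature"]
    key = TRUSTED_ISSUERS.get(payload.get("issuer"))
    if key is None:
        raise TokenError("untrusted issuer")
    # Constant-time comparison; the signature covers every field checked below.
    if not hmac.compare_digest(_sign(key, payload), signature):
        raise TokenError("bad signature: token altered or forged")
    if payload.get("audience") != expected_audience:
        raise TokenError("token was issued for a different site")
    if not payload["not_before"] <= now < payload["expires"]:
        raise TokenError("token outside its validity window")
    return payload["claims"]


if __name__ == "__main__":
    issuer = "https://idp.example/sts"
    token = issue_token(issuer, TRUSTED_ISSUERS[issuer], RP_IDENTIFIER,
                        "alice", {"email": "alice@example.org"})
    print("accepted claims:", validate_token(token))
```

The order of the checks matters: the signature is verified before any field is trusted, so audience and lifetime are read from data the issuer vouched for rather than from whatever was posted.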
12. Identity Selector
Supported Card Types
Managed
What some other entity
says about you
Personal
What you say about you
13. Identity Selectors
Three Flavors in Higgins 1.0
• Firefox-embedded Selector (Javascript)
– For Firefox on Windows, Linux, and OSX
– Uses hosted I-Card Service Component
• GTK / Cocoa Selector (C++)
– For Firefox on Linux, FreeBSD, and OSX
– Available as DigitalMe™ from Novell
• RCP Selector (Java)
– For Eclipse RCP Application
14. Identity Selectors
Cards and Tokens Flow
[Flow diagram]
Identity Provider: cards are generated and downloaded from here. A local Token Service issues tokens as requested by the Selector.
Identity Selector (Browser Extension & Client App): cards are stored and selected here.
Relying Party (Website or App): tokens containing claim data are requested and received here.
15. Identity Selectors
Cards and Tokens Flow
Some Higgins Identity Selectors rely on a hosted I-Card Service component
[Flow diagram: Identity Selector (Browser Extension & Client App), Identity Provider, Relying Party]
16. Identity Selector
Component View
Higgins Identity Selectors: client apps for Windows, OSX and Linux
[Component diagram: Browser, Browser Extension, Selector, I-Card Web Service, Token Service, Identity Provider, Relying Website with RP Libraries, connected over the Internet. Key: Higgins Components / Generic Technology / User]
17. Identity Selector
Selector Selector – Component View
Higgins includes a Higgins Selector Selector component (Windows-only). It provides an abstraction layer that decouples browser extensions from selectors.
[Component diagram: Browser, Browser Extension, Selector Selector, Selectors, I-Card Web Service, Token Service, Identity Provider, Relying Website with RP Libraries, connected over the Internet. Key: Higgins Components / Generic Technology / User]
18. Architecture
Identity Providers
[Architecture diagram: Client Apps, Web Services, Web apps on top; below them Identity Selectors, Identity Providers and Relying Parties side by side; then Identity Services; then Identity Attribute Service]
19. Identity Providers
Component View
Higgins Token/IdP Service is used by the Identity Provider website
[Component diagram: Browser, Browser Extension, Selector, Identity Selector, Token Service, Identity Provider, Relying Website with RP Libraries, connected over the Internet. Key: Higgins Components / Generic Technology / User]
20. Identity Providers
Two Flavors
• WS-Trust Security Token Service / IdP
– Java WS-Trust Identity Provider
– Web service
– Sample web site
• SAML2 IdP
– Java SAML2 Identity Provider
– Web service
21. Architecture
Relying Party Website
[Architecture diagram: Client Apps, Web Services, Web apps on top; below them Identity Selectors, Identity Providers and Relying Parties side by side; then Identity Services; then Identity Attribute Service]
22. Relying Party Website
Component View
Higgins RP Website provides code to validate tokens from Identity Selectors
[Component diagram: Browser, Browser Extension, Selector, Identity Selector, Token Service, Identity Provider, Relying Website with RP Libraries, connected over the Internet. Key: Higgins Components / Generic Technology / User]
23. Relying Party Website
Multi-Protocol Support
• Multi-Protocol Relying Party Website
Enablement
– Information Card authentication
– OpenID authentication
24. Architecture
Identity Services
[Architecture diagram: Client Apps, Web Services, Web apps on top; below them Identity Selectors, Identity Providers and Relying Parties side by side; then Identity Services; then Identity Attribute Service]
25. Architecture
Extensible Identity Services
Identity Services plug-ins (the slide’s key distinguishes Higgins 1.0 from Beyond Higgins 1.0):
• Protocol Provider-Plugins – implement RP protocols: CardSpace, OpenID
• I-Card Provider-Plugins – implement card types: Managed, Personal, Relationship, Login (un/pw)
• Token Provider-Plugins – implement security tokens: SAML, UN/PW, Kerberos, X509, Idemix
26. Architecture
Identity Attribute Service
[Architecture diagram: Client Apps, Web Services, Web apps on top; below them Identity Selectors, Identity Providers and Relying Parties side by side; then Identity Services; then Identity Attribute Service]
27. Architecture
Extensible Identity Attribute Service
Identity Attribute Service (IdAS) plug-ins (the slide’s key distinguishes Higgins 1.0 from Beyond Higgins 1.0):
• IdAS Context Providers-Plugins – connect to existing data sources: LDAP, XML File, RDF, Google Contacts, Others…
28. Identity Attribute Service
• The Context Data Model is implemented by
Identity Attribute Service
• Contexts are accessed through IdAS and may employ
a variety of authentication approaches
• The contained Entities may be inspected,
navigated and/or modified based on the authorization
policy of the Context
• IdAS is extended by Context Providers (plugins)
• Context Providers map existing data sources into
the Higgins Context Data Model
29. Identity Attribute Service
Context Data Model (CDM)
• Data sources are called Contexts
– E.g. enterprise directories, social networks,
RDF repositories
• Contexts contain objects called Entities
– Entities represent people, organizations, etc.
• Entities have Attributes; Attributes have
values
• The core semantics of the model are based
on RDF & OWL
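Added example, written for this page and not part of Higgins, of the Context Data Model and Context Provider ideas on the two preceding slides: Contexts contain Entities, Entities carry Attributes with value lists, a provider plug-in maps an existing source (here a constructed LDIF-style directory dump) into that model, and the Context’s own policy decides which attributes a principal may inspect or modify. The class names, the `ldap://dir.example.org` ContextId, the directory entries and the policy rules are all assumptions made for the example.

```python
"""Constructed miniature of the Context Data Model behind IdAS and one
Context Provider plug-in. Illustration only; this is not Higgins code."""
from abc import ABC, abstractmethod


class Entity:
    """An object in a Context (person, organization, ...); attribute -> value list."""
    def __init__(self, entity_id, entity_type, attributes):
        self.entity_id, self.type = entity_id, entity_type
        self.attributes = {name: list(vals) for name, vals in attributes.items()}


class NotAuthorized(Exception):
    """A read or write the Context's policy does not permit."""


class Context(ABC):
    """A data source. Every read and write is filtered by the Context's own policy."""
    def __init__(self, context_id):
        self.context_id = context_id

    @abstractmethod
    def _load(self, entity_id):
        """Provider-specific: return the raw Entity, or None if absent."""

    @abstractmethod
    def _allowed(self, principal, entity, attribute, action):
        """Provider-specific policy; action is 'read' or 'write'."""

    def get_entity(self, principal, entity_id):
        # Inspect: only attributes the policy lets this principal read come back.
        entity = self._load(entity_id)
        if entity is None:
            return None
        visible = {a: v for a, v in entity.attributes.items()
                   if self._allowed(principal, entity, a, "read")}
        return Entity(entity.entity_id, entity.type, visible)

    def set_attribute(self, principal, entity_id, attribute, values):
        # Modify: same policy gate, applied to the write.
        entity = self._load(entity_id)
        if entity is None:
            raise KeyError(entity_id)
        if not self._allowed(principal, entity, attribute, "write"):
            raise NotAuthorized(f"{principal} may not write {attribute}")
        entity.attributes[attribute] = list(values)


# Constructed LDIF-style dump standing in for a live LDAP directory.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: person
uid: alice
cn: Alice Liddell
mail: alice@example.org
telephoneNumber: +1 555 0100

dn: uid=bob,ou=people,dc=example,dc=org
objectClass: person
uid: bob
cn: Bob Hatter
mail: bob@example.org
"""


class LdifContextProvider(Context):
    """Context Provider plug-in: maps LDIF records into Entities. Assumed policy:
    cn and objectClass are public; only the entry's owner (principal == uid)
    reads the rest or writes anything; identifiers are immutable."""
    PUBLIC = {"cn", "objectClass"}
    IMMUTABLE = {"uid", "objectClass"}

    def __init__(self, context_id, ldif_text):
        super().__init__(context_id)
        self._entities = {}
        for record in ldif_text.strip().split("\n\n"):
            attrs = {}
            for line in record.splitlines():
                name, _, value = line.partition(": ")
                attrs.setdefault(name, []).append(value)
            dn = attrs.pop("dn")[0]          # the DN serves as the local EntityId
            self._entities[dn] = Entity(dn, attrs["objectClass"][0], attrs)

    def _load(self, entity_id):
        return self._entities.get(entity_id)

    def _allowed(self, principal, entity, attribute, action):
        owner = principal == entity.attributes["uid"][0]
        if action == "read":
            return owner or attribute in self.PUBLIC
        return owner and attribute not in self.IMMUTABLE


class IdAS:
    """Registry that opens Contexts by ContextId from the registered plug-ins."""
    def __init__(self):
        self._contexts = {}

    def register(self, context):
        self._contexts[context.context_id] = context

    def open_context(self, context_id):
        return self._contexts[context_id]


def demo():
    """The same Entity seen anonymously and by its owner; returns both views."""
    idas = IdAS()
    idas.register(LdifContextProvider("ldap://dir.example.org", SAMPLE_LDIF))
    ctx = idas.open_context("ldap://dir.example.org")
    alice = "uid=alice,ou=people,dc=example,dc=org"
    return (ctx.get_entity("anonymous", alice).attributes,
            ctx.get_entity("alice", alice).attributes)
```

The point of routing every access through `Context` rather than the provider’s storage is that the policy lives with the Context, so a second plug-in (an XML file, an RDF store) can enforce a different rule set without the caller changing.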
30. Identity Attribute Service
CDM extends RDF
• Globally linked data
– Higgins uses UDIs not just HTTP URIs
– Some EntityId UDI ids may be globally
resolved into a global object graph
• Supports protocols beyond HTTP
– Uses XRDS discovery of UDI endpoint
metadata, including protocol for data access
• Read and write access
– Access Control management & enforcement
31. Architecture
Interoperability Points
[Architecture diagram: Client Apps, Web Services, Web apps on top; below them Identity Selectors, Identity Providers and Relying Parties side by side; then Identity Services; then Identity Attribute Service]
35. AIR-Based Selector
• Based on Adobe AIR
– Integrates with Firefox, IE, and Safari
– Runs on Windows, OSX and soon Linux
– More secure
• Replaces the Firefox-embedded selector
36. Identity Attribute Service
Access Control Enhancements
• Policy query API
• Policy management API
• Policy semantics modeled directly as
Policy Entities and attributes
37. Identity Attribute Service
New Context Providers
• Google Contacts
• Open Social
• Facebook F8
• Wrappers for various ID-WSF services
(maybe)
38. Identity Attribute Service
XDI Protocol Support
• XDI Engine provides a new binding for
the IdAS Service
– Allows any/all attribute data managed by
IdAS to be exposed as an XDI data service
• XDI Context Provider
– Allows IdAS to read/write XDI-native data
sources
39. Relationship Cards
Relationship Card
What you and Best Buy say about you
40. Relationship Cards
Human Friendly Data References
[Diagram: the card points at a data object (called an Entity)]
• Card holds a UDI (URI) reference:
– A ContextId that identifies a data source, and
– A local EntityId object within the context
• See http://parity.com/udi
41. Relationship Cards
Data Location and Authority
• Best Buy issued card
• Entity is stored in Best Buy’s data center
• Best Buy is authoritative over some attributes
• You are authoritative over some attributes
(e.g. street address)
42. Relationship Cards
Data Model
• The Entity is described by the Higgins
Context Data Model
• Can be accessed using the Identity
Attribute Service
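Added example for the three preceding slides; it is not Higgins code and does not reproduce the UDI syntax (which is specified at the parity.com/udi link, not here). It models an r-card carrying its two-part reference (a ContextId plus a local EntityId), a lookup that follows that reference to the Entity in the issuer’s store, and a per-attribute authority table so that a write to the rewards data is accepted only from the issuer while a write to the street address is accepted only from the card holder. The class names, the constructed store, the sample Entity and the attribute split are assumptions.

```python
"""Constructed illustration of a Relationship Card's data reference and the
split of attribute authority between issuer and holder. Not Higgins code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EntityRef:
    """What the card carries: which data source, and which object inside it."""
    context_id: str
    entity_id: str


@dataclass
class RelationshipCard:
    issuer: str                       # party that issued the card
    holder: str                       # the person the card is about
    ref: EntityRef
    # attribute name -> which party may change it: "issuer" or "holder"
    authority: dict = field(default_factory=dict)


class AuthorityError(Exception):
    """A write from a party that is not authoritative for that attribute."""


# Constructed stand-in for the issuer's data center, keyed by ContextId then EntityId.
DATA_CENTERS = {
    "bestbuy-customers": {
        "cust-0042": {
            "rewards_tier": "gold",
            "purchase_count": 17,
            "street_address": "1 Old St",
        }
    }
}


def resolve(ref, stores=DATA_CENTERS):
    """Follow the card's reference to the Entity it names."""
    try:
        return stores[ref.context_id][ref.entity_id]
    except KeyError:
        raise LookupError(f"no entity at {ref}") from None


def update_attribute(card, actor, attribute, value, stores=DATA_CENTERS):
    """Accept a write only from the party the card records as authoritative.
    Attributes with no declared authority are refused rather than defaulted."""
    role = card.authority.get(attribute)
    if role is None:
        raise AuthorityError(f"{attribute}: no authority declared, write refused")
    authoritative_party = card.issuer if role == "issuer" else card.holder
    if actor != authoritative_party:
        raise AuthorityError(f"{actor} is not authoritative for {attribute}")
    entity = resolve(card.ref, stores)
    entity[attribute] = value
    return entity


def example_card():
    """The Best Buy card from the slides, with the assumed authority split."""
    return RelationshipCard(
        issuer="Best Buy", holder="alice",
        ref=EntityRef("bestbuy-customers", "cust-0042"),
        authority={"rewards_tier": "issuer", "purchase_count": "issuer",
                   "street_address": "holder"},
    )
```

Keeping the authority table on the card, next to the reference, means whoever resolves the card can tell which party to believe for each attribute without a separate lookup.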
43. Other New Card Types
• Username/Password Card
– To log in to traditional un/pw sites
• SAML Card (aka S-card) [maybe]
– Uses SAML protocol to retrieve token
• Idemix card (aka Z-card) [maybe]
– Support for a new privacy-enhancing token
type based on zero-knowledge proofs
– Improved support for selective disclosure
44. Selector as an OpenID Service
OpenID 2.0 OP with associated Higgins Selector Service
[Component diagram: Browser, Browser Extension, Selector, Identity Selector, I-Card Web Service, Token Service, Identity Provider, OpenID Relying Website with RP Libraries, connected over the Internet. Key: Higgins Components / Generic Technology / User]
45. ID-WSF Support (maybe)
• There have been some recent, focused
discussions on the integration of Higgins and
ID-WSF
• Higgins I-Card Service could implement:
– ID-WSF Discovery Service
– ID-WSF Authentication Service (I think)
• Higgins Context Providers would be written
for various ID-WSF services
• Integration with R-Cards and XRDS
• Would rely on the OpenLiberty.org code
base
47. Section Three:
Beyond Higgins 1.1
Mobile Higgins
Higgins project is seeking project
funding and/or contributions to
develop a Higgins selector for
mobile platforms
48. Target Platforms
• Symbian
• RIM
• Windows Mobile 6
• iPhone
• Android
• Etc.
49. Project Co-leads
http://higgins-project.org
Paul Trevithick Mary Ruddy
paul@socialphysics.org mary@socialphysics.org
+1.617.513.7924 +1.617.290.8591
50. Appendix
Original Project Goals
51. Goals: 1 of 5
• Provide a consistent user experience
based on card icons for the management
and release of identity data
• This is needed in order to have a trusted
mechanism for authentication and other
interactions that is less vulnerable to
phishing and other attacks and that works
for a wide variety of users and systems
• See Higgins 1.0 Identity Selector
52. Goals: 2 of 5
• Empower users with more convenience
and control over personal information
distributed across external information
silos
• Provide a single point of control over
multiple identities, preferences and
relationships
• See Higgins 1.0 Identity Selector
53. Goals: 3 of 5
• Provide an API and data model for the
virtual integration and federation of
identity and security information from a
wide variety of sources
• See Higgins 1.0 Framework
54. Goals: 4 of 5
• Provide plug-in adapters to enable
existing data sources including
directories, communications systems,
collaboration systems and databases each
using differing protocols and schemas to
be integrated into the framework
• See Higgins 1.0 Identity Attribute Service
and Context Providers (plugins)
55. Goals: 5 of 5
• Provide a social relationship data
integration framework that enables these
relationships to be persistent and reusable
across application boundaries
• It organizes relationships into a set of distinct
social contexts within which a person
expresses different personas and roles
• See Higgins 1.0 Context Data Model (CDM)