Higgins Overview 2008 [Compatibility Mode]


Page 1: Higgins Overview 2008 [Compatibility Mode]

Higgins

1: A species of Tasmanian long-tailed mouse

2: An open source identity framework being developed at the Eclipse Foundation

Page 2: Higgins Overview 2008 [Compatibility Mode]

Sections

1. Higgins 1.0

– What we released in Feb 2008

2. Higgins 1.1

– What we’re working on (or in some cases just thinking about) for June 2009

3. Beyond Higgins 1.1

Copyright © 2008 Parity. Made available under EPL 1.0 2

Page 3: Higgins Overview 2008 [Compatibility Mode]

Section One: Higgins 1.0

Released February 2008

Commercial products based on Higgins 1.0 have been announced by Novell, Serena, Computer Associates and IBM


Page 4: Higgins Overview 2008 [Compatibility Mode]

Higgins is an Identity Framework

Enables users and applications to integrate identity, profile, and social relationship information across multiple data sources and protocols.


Page 5: Higgins Overview 2008 [Compatibility Mode]

End-users experience Higgins through the UI metaphor of Information Cards, using an app called an Identity Selector.

Information Cards and selectors are just the tip of the iceberg of what can be done with Higgins, but they are a place to start…


Page 6: Higgins Overview 2008 [Compatibility Mode]

Today you go from site to site filling in forms and passwords

Websites…


Type, type, type. Click, click. Here a password, there a password. Everywhere a password. Here a form, there a form, ...

Page 7: Higgins Overview 2008 [Compatibility Mode]

Information Cards Put You in Control

Each card is a slice of the digital you (or a friend of yours) held in some data silo. Any kind of information: your preferences, favorite songs, employee id numbers, drivers licenses, affiliations, your health plan id, ...you get the idea, can be accessed using a card.

This wallet-like thing is an app called an Identity Selector

Page 8: Higgins Overview 2008 [Compatibility Mode]

Higgins Identity Selectors

[Architecture diagram: Identity Selectors, Identity Providers and Relying Parties (Client Apps, Web Services, Web apps) sitting above the Identity Attribute Service and Identity Services; this slide highlights the Identity Selectors.]

Page 9: Higgins Overview 2008 [Compatibility Mode]

How to Use I-Cards

• By clicking on a card you can log into sites. No more passwords

• You can share cards with friends and businesses you trust

• Some [relationship] cards create permanent connections to your friends, communities and businesses


Page 10: Higgins Overview 2008 [Compatibility Mode]

Identity Selector “Wallet”: Click on a card to send it to a site

Higgins is interoperable with Microsoft CardSpace™ shown here

Page 11: Higgins Overview 2008 [Compatibility Mode]

Identity Selector: Card-based Sign-in

• Per-site passwords are eliminated

• Instead, the selector posts a security token that is validated by the relying site

• Provides some anti-phishing protection

Page 12: Higgins Overview 2008 [Compatibility Mode]

Identity Selector: Supported Card Types

Managed: What some other entity says about you

Personal: What you say about you

Page 13: Higgins Overview 2008 [Compatibility Mode]

Identity Selectors: Three Flavors in Higgins 1.0

• Firefox-embedded Selector (Javascript)

– For Firefox on Windows, Linux, and OSX

– Uses hosted I-Card Service Component

• GTK / Cocoa Selector (C++)

– For Firefox on Linux, FreeBSD, and OSX

– Available as DigitalMe™ from Novell

• RCP Selector (Java)

– For Eclipse RCP Application

Page 14: Higgins Overview 2008 [Compatibility Mode]

Identity Selectors: Cards and Tokens Flow

[Flow diagram: Identity Provider, Identity Selector (Browser Extension & Client App) and Relying Party Website or App.]

Identity Provider: Cards are generated and downloaded from here. A local Token Service issues tokens as requested by the Selector.

Selector (Browser Extension & Client App): Cards are stored and selected here.

Relying Party Website or App: Tokens containing claim data are requested and received here.
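The cards-and-tokens flow of the previous two slides (selector posts a token, relying site validates it), as an added, simplified Python model that is not code from the Higgins project: the identity provider's token service issues a token for the card the user selected, scoped to one relying site, and the relying party validates it instead of checking a per-site password. The HMAC shared key, the JSON token layout and all class and field names are assumptions standing in for the signed SAML/WS-Trust tokens Higgins actually exchanges.

```python
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key shared by the IdP's token service and the relying party; a
# stand-in (assumption) for the IdP signing key on a real Information Card token.
IDP_KEY = b"constructed-demo-key"


class TokenService:
    """Identity Provider side: issues a token for a card, as requested by the selector."""

    def __init__(self, key, cards):
        self.key = key
        self.cards = cards  # card id -> claims the IdP asserts about the user

    def issue(self, card_id, audience, ttl=60):
        # Bind the token to one relying site and a short lifetime; the nonce lets
        # the site detect a replayed token.
        body = {"claims": self.cards[card_id], "aud": audience,
                "exp": int(time.time()) + ttl, "nonce": secrets.token_hex(8)}
        raw = json.dumps(body, sort_keys=True)
        sig = hmac.new(self.key, raw.encode(), hashlib.sha256).hexdigest()
        return {"body": raw, "sig": sig}


class Selector:
    """The user's identity selector: the user clicks a card, the selector fetches a token."""

    def __init__(self, token_service):
        self.token_service = token_service

    def sign_in(self, card_id, site):
        return self.token_service.issue(card_id, audience=site)


class RelyingParty:
    """Relying party: validates the posted token instead of checking a per-site password."""

    def __init__(self, name, key):
        self.name = name
        self.key = key
        self.seen_nonces = set()

    def validate(self, token, now=None):
        """Return (claims, "ok") on success, otherwise (None, reason)."""
        raw = token["body"].encode()
        expected = hmac.new(self.key, raw, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, token["sig"]):
            return None, "bad signature"
        body = json.loads(raw)
        if body["aud"] != self.name:
            return None, "wrong audience"  # a token captured by a look-alike site is useless here
        if body["exp"] < (now if now is not None else time.time()):
            return None, "expired"
        if body["nonce"] in self.seen_nonces:
            return None, "replayed"
        self.seen_nonces.add(body["nonce"])
        return body["claims"], "ok"
```

The audience check is where the anti-phishing property of the slide comes from: a token obtained for one site is rejected by every other site.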

Page 15: Higgins Overview 2008 [Compatibility Mode]

Identity Selectors: Cards and Tokens Flow

[Flow diagram as on the previous slide: Identity Provider, Identity Selector (Browser Extension & Client App) and Relying Party.]

Some Higgins Identity Selectors rely on a hosted I-Card Service component.

Page 16: Higgins Overview 2008 [Compatibility Mode]

Identity Selector: Component View

[Component diagram: User, Browser, Browser Extension, Identity Selector and Selector Selector on the client; across the Internet, the Identity Provider (with its Token Service), the I-Card Web Service and the Relying Website (with RP Libraries). Key: Generic Technology vs. Higgins Components.]

Higgins Identity Selectors: client apps for Windows, OSX and Linux.

Page 17: Higgins Overview 2008 [Compatibility Mode]

Identity Selector: Selector Selector – Component View

[Same component diagram as the previous slide, highlighting the Selector Selector.]

Higgins includes a Selector Selector component (Windows-only). It provides an abstraction layer that decouples browser extensions from selectors.

Page 18: Higgins Overview 2008 [Compatibility Mode]

Architecture: Identity Providers

[Architecture diagram as before, highlighting the Identity Providers.]

Page 19: Higgins Overview 2008 [Compatibility Mode]

Identity Providers: Component View

[Same component diagram, highlighting the Identity Provider and its Token Service.]

The Higgins Token/IdP Service is used by the Identity Provider website.

Page 20: Higgins Overview 2008 [Compatibility Mode]

Identity Providers: Two Flavors

• WS-Trust Security Token Service / IdP

– Java WS-Trust Identity Provider

– Web service

– Sample web site

• SAML2 IdP

– Java SAML2 Identity Provider

– Web service

Page 21: Higgins Overview 2008 [Compatibility Mode]

Architecture: Relying Party Website

[Architecture diagram as before, highlighting the Relying Parties.]

Page 22: Higgins Overview 2008 [Compatibility Mode]

Relying Party Website: Component View

[Same component diagram, highlighting the Relying Website and its RP Libraries.]

The Higgins RP Website provides code to validate tokens from Identity Selectors.

Page 23: Higgins Overview 2008 [Compatibility Mode]

Relying Party Website: Multi-Protocol Support

• Multi-Protocol Relying Party Website Enablement

– Information Card authentication

– OpenID authentication

Page 24: Higgins Overview 2008 [Compatibility Mode]

Architecture: Identity Services

[Architecture diagram as before, highlighting the Identity Services.]

Page 25: Higgins Overview 2008 [Compatibility Mode]

Architecture: Extensible Identity Services

Identity Services are extended through plug-ins (the slide's key distinguishes Higgins 1.0 plug-ins from those beyond Higgins 1.0):

• Protocol Provider plug-ins implement RP protocols: CardSpace, OpenID

• I-Card Provider plug-ins implement card types: Managed, Personal, Relationship

• Token Provider plug-ins implement security tokens: SAML, X509, Kerberos, UN/PW, Idemix

Also shown: Login (un/pw)

Page 26: Higgins Overview 2008 [Compatibility Mode]

Architecture: Identity Attribute Service

[Architecture diagram as before, highlighting the Identity Attribute Service.]

Page 27: Higgins Overview 2008 [Compatibility Mode]

Architecture: Extensible Identity Attribute Service

The Identity Attribute Service (IdAS) is extended through plug-ins (the slide's key distinguishes Higgins 1.0 plug-ins from those beyond Higgins 1.0):

• IdAS Context Provider plug-ins connect to existing data sources: LDAP, XML File, RDF, Google Contacts, Others…

Page 28: Higgins Overview 2008 [Compatibility Mode]

Identity Attribute Service

• The Context Data Model is implemented by the Identity Attribute Service

• Contexts are accessed using IdAS, which may employ a variety of authentication approaches

• The contained Entities may be inspected, navigated and/or modified based on the authorization policy of the Context

• IdAS is extended by Context Providers (plugins)

• Context Providers map existing data sources into the Higgins Context Data Model

Page 29: Higgins Overview 2008 [Compatibility Mode]

Identity Attribute Service: Context Data Model (CDM)

• Data sources are called Contexts

– E.g. enterprise directories, social networks, RDF repositories

• Contexts contain objects called Entities

– Entities represent people, organizations, etc.

• Entities have Attributes; Attributes have values

• The core semantics of the model are based on RDF & OWL

Page 30: Higgins Overview 2008 [Compatibility Mode]

Identity Attribute Service: CDM extends RDF

• Globally linked data

– Higgins uses UDIs, not just HTTP URIs

– Some EntityId UDI ids may be globally resolved into a global object graph

• Supports protocols beyond HTTP

– Uses XRDS discovery of UDI endpoint metadata, including protocol for data access

• Read and write access

– Access Control management & enforcement

Page 31: Higgins Overview 2008 [Compatibility Mode]

Architecture: Interoperability Points

[Architecture diagram as before, marking the interoperability points between Identity Selectors, Identity Providers, Relying Parties, the Identity Attribute Service and Identity Services.]

Page 32: Higgins Overview 2008 [Compatibility Mode]

Interoperability Event Participants: RSA 2008

Page 33: Higgins Overview 2008 [Compatibility Mode]

Interoperability Event Participants: RSA 2008 (continued)

Page 34: Higgins Overview 2008 [Compatibility Mode]

Section Two: Higgins 1.1

June 2009


Page 35: Higgins Overview 2008 [Compatibility Mode]

AIR-Based Selector

• Based on Adobe AIR

– Integrates with Firefox, IE, and Safari

– Runs on Windows, OSX and soon Linux

– More secure

• Replaces the Firefox-embedded selector

Page 36: Higgins Overview 2008 [Compatibility Mode]

Identity Attribute Service: Access Control Enhancements

• Policy query API

• Policy management API

• Policy semantics modeled directly as Policy Entities and attributes

Page 37: Higgins Overview 2008 [Compatibility Mode]

Identity Attribute Service: New Context Providers

• Google Contacts

• Open Social

• Facebook F8

• Wrappers for various ID-WSF services (maybe)

Page 38: Higgins Overview 2008 [Compatibility Mode]

Identity Attribute Service: XDI Protocol Support

• XDI Engine provides a new binding for the IdAS Service

– Allows any/all attribute data managed by IdAS to be exposed as an XDI data service

• XDI Context Provider

– Allows IdAS to read/write XDI-native data sources

Page 39: Higgins Overview 2008 [Compatibility Mode]

Relationship Cards

Relationship Card: What you and Best Buy say about you

Page 40: Higgins Overview 2008 [Compatibility Mode]

Relationship Cards: Human Friendly Data References

[Diagram: a card pointing at a data object (called an Entity).]

• Card holds a UDI (URI) reference:

– A ContextId that identifies a data source, and

– A local EntityId object within the context

• See http://parity.com/udi

Page 41: Higgins Overview 2008 [Compatibility Mode]

Relationship Cards: Data Location and Authority

• Best Buy issued card

• Entity is stored in Best Buy’s data center

• Best Buy is authoritative over some attributes

• You are authoritative over some attributes (e.g. street address)

Page 42: Higgins Overview 2008 [Compatibility Mode]

Relationship Cards: Data Model

• The Entity is described by the Higgins Context Data Model

• Can be accessed using the Identity Attribute Service
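An added Python sketch of the Context Data Model behind relationship cards, covering the three Relationship Cards slides above and the Identity Attribute Service slide on authorization policy (not code from the Higgins project): a Context holds Entities with Attributes plus an authorization policy, a card holds only a UDI reference (ContextId plus local EntityId), and each attribute can be written only by the principal the Context's policy names as authoritative. The class names, the '#'-delimited UDI text form, the registry of Contexts and the sample retailer data are assumptions constructed for this example.

```python
# Assumed names and formats for illustration only; Higgins' IdAS API and its UDI
# syntax differ. Sample data below is constructed.


class Entity:
    """A data object in a Context (a person, organization, etc.) with attribute values."""

    def __init__(self, entity_id, attributes):
        self.entity_id = entity_id
        self.attributes = dict(attributes)


class Context:
    """A data source (e.g. an issuer's data center) holding Entities, plus the
    authorization policy naming the principal authoritative over each attribute."""

    def __init__(self, context_id, authority):
        self.context_id = context_id
        self.entities = {}
        self.authority = authority  # attribute name -> principal allowed to write it

    def add(self, entity):
        self.entities[entity.entity_id] = entity

    def read(self, entity_id):
        return dict(self.entities[entity_id].attributes)

    def write(self, principal, entity_id, name, value):
        """Apply the change only if the Context's policy makes `principal` authoritative."""
        if self.authority.get(name) != principal:
            return False
        self.entities[entity_id].attributes[name] = value
        return True


def parse_udi(udi):
    """Split a card's UDI reference into (ContextId, EntityId); the '#' delimiter is assumed."""
    context_id, sep, entity_id = udi.rpartition("#")
    if not sep or not context_id or not entity_id:
        raise ValueError(f"malformed UDI: {udi!r}")
    return context_id, entity_id


class RelationshipCard:
    """Holds only a UDI reference; the Entity itself stays in the issuer's Context."""

    def __init__(self, issuer, udi):
        self.issuer = issuer
        self.udi = udi

    def resolve(self, registry):
        """Look up the ContextId in a registry of known Contexts and read the Entity."""
        context_id, entity_id = parse_udi(self.udi)
        return registry[context_id].read(entity_id)


def build_demo():
    """Constructed sample: a retailer-issued card whose Entity has split authority."""
    retailer = Context("https://retailer.example.test/customers",
                       {"customer_number": "retailer", "street_address": "user"})
    retailer.add(Entity("c-1001", {"customer_number": "1001", "street_address": "1 Old St"}))
    registry = {retailer.context_id: retailer}
    card = RelationshipCard("retailer", retailer.context_id + "#c-1001")
    return registry, card
```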

Page 43: Higgins Overview 2008 [Compatibility Mode]

Other New Card Types

• Username/Password Card

– To log in to traditional un/pw sites

• SAML Card (aka S-card) [maybe]

– Uses SAML protocol to retrieve token

• Idemix card (aka Z-card) [maybe]

– Support for a new privacy-enhancing token type based on zero-knowledge proofs

– Improved support for selective disclosure

Page 44: Higgins Overview 2008 [Compatibility Mode]

Selector as an OpenID Service

[Component diagram as before (User, Browser, Browser Extension, Identity Selector, Selector Selector, I-Card Web Service, Identity Provider with Token Service, Relying Website with RP Libraries), with an OpenID Provider added. Key: Generic Technology vs. Higgins Components.]

OpenID 2.0 OP with associated Higgins Selector Service

Page 45: Higgins Overview 2008 [Compatibility Mode]

ID-WSF Support (maybe)

• There have been some recent, focused discussions on the integration of Higgins and ID-WSF

• Higgins I-Card Service could implement:

– ID-WSF Discovery Service

– ID-WSF Authentication Service (I think)

• Higgins Context Providers would be written for various ID-WSF services

• Integration with R-Cards and XRDS

• Would rely on the OpenLiberty.org code base

Page 46: Higgins Overview 2008 [Compatibility Mode]

IdAS Client Component (maybe)


Page 47: Higgins Overview 2008 [Compatibility Mode]

Section Three: Beyond Higgins 1.1

Mobile Higgins

The Higgins project is seeking project funding and/or contributions to develop a Higgins selector for mobile platforms.

Page 48: Higgins Overview 2008 [Compatibility Mode]

Target Platforms

• Symbian

• RIM

• Windows Mobile 6

• iPhone

• Android

• Etc.

Page 49: Higgins Overview 2008 [Compatibility Mode]

Project Co-leads

http://higgins-project.org

Paul Trevithick, [email protected], +1.617.513.7924

Mary, [email protected], +1.617.290.8591

Page 50: Higgins Overview 2008 [Compatibility Mode]

Appendix: Original Project Goals

Page 51: Higgins Overview 2008 [Compatibility Mode]

Goals: 1 of 5

• Provide a consistent user experience based on card icons for the management and release of identity data

• This is needed in order to have a trusted mechanism for authentication and other interactions that is less vulnerable to phishing and other attacks and that works for a wide variety of users and systems

• See Higgins 1.0 Identity Selector

Page 52: Higgins Overview 2008 [Compatibility Mode]

Goals: 2 of 5

• Empower users with more convenience and control over personal information distributed across external information silos

• Provide a single point of control over multiple identities, preferences and relationships

• See Higgins 1.0 Identity Selector

Page 53: Higgins Overview 2008 [Compatibility Mode]

Goals: 3 of 5

• Provide an API and data model for the virtual integration and federation of identity and security information from a wide variety of sources

• See Higgins 1.0 Framework

Page 54: Higgins Overview 2008 [Compatibility Mode]

Goals: 4 of 5

• Provide plug-in adapters to enable existing data sources, including directories, communications systems, collaboration systems and databases, each using differing protocols and schemas, to be integrated into the framework

• See Higgins 1.0 Identity Attribute Service and Context Providers (plugins)

Page 55: Higgins Overview 2008 [Compatibility Mode]

Goals: 5 of 5

• Provide a social relationship data integration framework that enables these relationships to be persistent and reusable across application boundaries

• It organizes relationships into a set of distinct social contexts within which a person expresses different personas and roles

• See Higgins 1.0 Context Data Model (CDM)