Higgins
1: A species of Tasmanian long-tailed mouse
2: An open source identity framework being developed at the Eclipse Foundation
Sections
1. Higgins 1.0 – What we released in Feb 2008
2. Higgins 1.1 – What we're working on (or in some cases just thinking about) for June 2009
3. Beyond Higgins 1.1
Copyright © 2008 Parity. Made available under EPL 1.0
Section One: Higgins 1.0 (Released February 2008)
Commercial products based on Higgins 1.0 have been announced
by Novell, Serena, Computer Associates and IBM
Higgins is an Identity Framework
Enables users and applications to integrate identity, profile, and social relationship information across multiple data sources and protocols.
End-users experience Higgins through the UI metaphor of Information Cards, using an app called an Identity Selector.
Information Cards and selectors are just the tip of the iceberg of what can be done with Higgins, but it's a place to start…
Today you go from site to site filling in forms and passwords
Type, type, type. Click, click. Here a password, there a password. Everywhere a password. Here a form, there a form, ...
Information Cards Put You in Control
Each card is a slice of the digital you (or a friend of yours) held in some data silo.
Any kind of information (your preferences, favorite songs, employee id numbers, drivers licenses, affiliations, your health plan id, ... you get the idea) can be accessed using a card.
This wallet-like thing is an app called an Identity Selector
Higgins Identity Selectors
[Architecture overview diagram: Identity Selectors, Identity Providers, Relying Parties (client apps, web services, web apps), Identity Services, Identity Attribute Service]
How to Use I-Cards
• By clicking on a card you can log into sites. No more passwords
• You can share cards with friends and businesses you trust
• Some [relationship] cards create permanent connections to your friends, communities and businesses
Identity Selector "Wallet": click on a card to send it to a site
Higgins is interoperable with Microsoft CardSpace™ shown here
Identity Selector: Card-based Sign-in
• Per-site passwords are eliminated
• Instead, the selector posts a security token that is validated by the relying site
• Provides some anti-phishing protection
Identity Selector: Supported Card Types
• Managed: what some other entity says about you
• Personal: what you say about you
Identity Selectors: Three Flavors in Higgins 1.0
• Firefox-embedded Selector (Javascript): for Firefox on Windows, Linux, and OSX; uses the hosted I-Card Service Component
• GTK / Cocoa Selector (C++): for Firefox on Linux, FreeBSD, and OSX; available as DigitalMe™ from Novell
• RCP Selector (Java): for Eclipse RCP Applications
Identity Selectors: Cards and Tokens Flow
• Identity Provider: cards are generated and downloaded from here. A local Token Service issues tokens as requested by the Selector.
• Identity Selector (browser extension & client app): cards are stored and selected here.
• Relying Party website or app: tokens containing claim data are requested and received here.
Some Higgins Identity Selectors rely on a hosted I-Card Service component.
Identity Selector Component View
[Component diagram: User, Browser, Browser Extension, Identity Selector, I-Card Web Service, Identity Provider, Token Service, Relying Website, RP Libraries. Key: generic technology vs. Higgins components.]
Higgins Identity Selectors: client apps for Windows, OSX and Linux.
Identity Selector Selector – Component View
[Same component diagram, with the Selector Selector placed between the browser extension and the selectors.]
Higgins includes a Higgins Selector Selector component (Windows-only). It provides an abstraction layer that decouples browser extensions from selectors.
Architecture: Identity Providers
[Architecture overview diagram, as on the Higgins Identity Selectors slide]
Identity Providers Component View
[Component diagram: User, Browser, Browser Extension, Identity Selector, Identity Provider, Token Service, Relying Website, RP Libraries. Key: generic technology vs. Higgins components.]
The Higgins Token/IdP Service is used by the Identity Provider website.
Identity Providers: Two Flavors
• WS-Trust Security Token Service / IdP: Java WS-Trust Identity Provider web service, plus a sample web site
• SAML2 IdP: Java SAML2 Identity Provider web service
Architecture: Relying Party Website
[Architecture overview diagram, as on the Higgins Identity Selectors slide]
Relying Party Website Component View
[Component diagram: User, Browser, Browser Extension, Identity Selector, Identity Provider, Token Service, Relying Website, RP Libraries. Key: generic technology vs. Higgins components.]
The Higgins RP Website provides code to validate tokens from Identity Selectors.
Relying Party Website: Multi-Protocol Support
• Multi-Protocol Relying Party Website Enablement: Information Card authentication; OpenID authentication
Architecture: Identity Services
[Architecture overview diagram, as on the Higgins Identity Selectors slide]
Architecture: Extensible Identity Services
[Plug-in diagram for the Identity Services layer; the colour key distinguishing Higgins 1.0 plug-ins from those marked "Beyond Higgins 1.0" is not reproduced.]
• Protocol Provider plug-ins implement RP protocols: CardSpace, OpenID
• I-Card Provider plug-ins implement card types: Managed, Personal, Relationship
• Token Provider plug-ins implement security tokens: SAML, X509, Kerberos, UN/PW, Idemix
• Login (un/pw)
Architecture: Identity Attribute Service
[Architecture overview diagram, as on the Higgins Identity Selectors slide]
Architecture: Extensible Identity Attribute Service
[Plug-in diagram: Identity Attribute Service (IdAS) with IdAS Context Provider plug-ins that connect to existing data sources: LDAP, XML File, RDF, Google Contacts, Others… The colour key distinguishing Higgins 1.0 from "Beyond Higgins 1.0" is not reproduced.]
Identity Attribute Service
• The Context Data Model is implemented by the Identity Attribute Service
• Contexts accessed through IdAS may employ a variety of authentication approaches
• The contained Entities may be inspected, navigated and/or modified, subject to the authorization policy of the Context
• IdAS is extended by Context Providers (plugins)
• Context Providers map existing data sources into the Higgins Context Data Model
Identity Attribute Service: Context Data Model (CDM)
• Data sources are called Contexts, e.g. enterprise directories, social networks, RDF repositories
• Contexts contain objects called Entities; Entities represent people, organizations, etc.
• Entities have Attributes; Attributes have values
• The core semantics of the model are based on RDF & OWL
Identity Attribute Service: CDM extends RDF
• Globally linked data: Higgins uses UDIs, not just HTTP URIs; some EntityId UDIs may be globally resolved into a global object graph
• Supports protocols beyond HTTP: uses XRDS discovery of UDI endpoint metadata, including the protocol for data access
• Read and write access: access control management & enforcement
Architecture: Interoperability Points
[Architecture overview diagram, as on the Higgins Identity Selectors slide]
Interoperability Event Participants, RSA 2008
[Two slides of participant logos, not reproduced.]
Section Two: Higgins 1.1 (June 2009)
AIR-Based Selector
• Based on Adobe AIR: integrates with Firefox, IE, and Safari; runs on Windows, OSX and soon Linux; more secure
• Replaces the Firefox-embedded selector
Identity Attribute Service: Access Control Enhancements
• Policy query API
• Policy management API
• Policy semantics modeled directly as Policy Entities and attributes
Identity Attribute Service: New Context Providers
• Google Contacts
• Open Social
• Facebook F8
• Wrappers for various ID-WSF services (maybe)
Identity Attribute Service: XDI Protocol Support
• XDI Engine provides a new binding for the IdAS Service: allows any/all attribute data managed by IdAS to be exposed as an XDI data service
• XDI Context Provider: allows IdAS to read/write XDI-native data sources
Relationship Cards
Relationship Card: what you and Best Buy say about you
Relationship Cards: Human Friendly Data References
• The card holds a UDI (URI) reference: a ContextId that identifies a data source, and a local EntityId for the data object (called an Entity) within that context
• See http://parity.com/udi
Relationship Cards: Data Location and Authority
• Best Buy issued card
• The Entity is stored in Best Buy's data center
• Best Buy is authoritative over some attributes
• You are authoritative over some attributes (e.g. street address)
Relationship Cards: Data Model
• The Entity is described by the Higgins Context Data Model
• Can be accessed using the Identity Attribute Service
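The Context Data Model (Context → Entity → Attribute → value), the card's (ContextId, EntityId) reference, the 1.1 plan to model policy as Policy Entities, and the split authority of a relationship card (Best Buy owns some attributes, you own your street address) fit together in one small model, added here as an example. It is illustration code written for this page, not IdAS or any Higgins API; the context and entity ids, attribute names, principal names, the Policy-entity layout, the "authoritative means sole writer" rule and the UDI serialisation are all invented for the example.

```python
"""Toy Context Data Model with policy stored as entities (added example, not Higgins code)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class EntityRef:
    """What a relationship card carries: the data source and one entity in it."""
    context_id: str
    entity_id: str

    def as_udi(self) -> str:
        return f"{self.context_id}#{self.entity_id}"   # serialisation invented for the example


@dataclass
class Entity:
    entity_id: str
    entity_type: str
    attributes: dict = field(default_factory=dict)


class Context:
    """One data source. Policy lives in the context as ordinary entities of type
    "Policy" (subject, attribute, readers, writers), so it can be queried and
    managed like any other data. Attributes with no policy entity are readable
    and writable by the context owner only; where a policy names writers, they
    alone are authoritative and the owner yields (assumed rule)."""

    def __init__(self, context_id: str, owner: str):
        self.context_id = context_id
        self.owner = owner        # e.g. the company whose data centre holds the context
        self.entities = {}

    def add(self, entity: Entity) -> None:
        self.entities[entity.entity_id] = entity

    def grant(self, subject: str, attribute: str, principal: str, *, write: bool) -> None:
        pid = f"policy:{subject}:{attribute}"
        pol = self.entities.get(pid)
        if pol is None:
            pol = Entity(pid, "Policy", {"subject": subject, "attribute": attribute,
                                         "readers": [], "writers": []})
            self.entities[pid] = pol
        pol.attributes["readers"].append(principal)
        if write:
            pol.attributes["writers"].append(principal)

    def _policy(self, subject: str, attribute: str) -> dict:
        pol = self.entities.get(f"policy:{subject}:{attribute}")
        return pol.attributes if pol else {"readers": [], "writers": []}

    def can_read(self, subject: str, attribute: str, principal: str) -> bool:
        return principal == self.owner or principal in self._policy(subject, attribute)["readers"]

    def can_write(self, subject: str, attribute: str, principal: str) -> bool:
        writers = self._policy(subject, attribute)["writers"]
        return principal in writers if writers else principal == self.owner

    def read(self, entity_id: str, principal: str) -> dict:
        """Inspect an entity: only the attributes this principal may see."""
        ent = self.entities[entity_id]
        return {k: v for k, v in ent.attributes.items() if self.can_read(entity_id, k, principal)}

    def write(self, entity_id: str, attribute: str, value, principal: str) -> None:
        if not self.can_write(entity_id, attribute, principal):
            raise PermissionError(f"{principal} is not authoritative for {attribute}")
        self.entities[entity_id].attributes[attribute] = value


class IdAS:
    """Resolves a card's reference to the context that holds the entity. Real
    IdAS does this through Context Provider plug-ins; a dict stands in here."""

    def __init__(self):
        self.contexts = {}

    def register(self, ctx: Context) -> None:
        self.contexts[ctx.context_id] = ctx

    def read(self, ref: EntityRef, principal: str) -> dict:
        return self.contexts[ref.context_id].read(ref.entity_id, principal)

    def write(self, ref: EntityRef, attribute: str, value, principal: str) -> None:
        self.contexts[ref.context_id].write(ref.entity_id, attribute, value, principal)


def _attempt(idas: IdAS, ref: EntityRef, attribute: str, value, principal: str) -> str:
    try:
        idas.write(ref, attribute, value, principal)
        return "ok"
    except PermissionError as exc:
        return f"denied: {exc}"


def demo() -> dict:
    """A Best Buy style relationship card: Best Buy owns the context, Alice owns her address."""
    idas = IdAS()
    bb = Context("https://cards.bestbuy.example/customers", owner="org:bestbuy")   # invented ids
    idas.register(bb)
    bb.add(Entity("cust-4711", "Person", {"member_id": "BB-4711", "street_address": "1 Old St",
                                          "rewards_tier": "silver"}))
    for attr in ("member_id", "street_address", "rewards_tier"):       # card holder may read all,
        bb.grant("cust-4711", attr, "user:alice", write=(attr == "street_address"))  # writes only address
    card_ref = EntityRef(bb.context_id, "cust-4711")
    out = {"card_udi": card_ref.as_udi()}
    idas.write(card_ref, "street_address", "2 New St", "user:alice")   # user updates her own data
    out["alice_view"] = idas.read(card_ref, "user:alice")
    out["stranger_view"] = idas.read(card_ref, "user:mallory")
    out["alice_sets_tier"] = _attempt(idas, card_ref, "rewards_tier", "gold", "user:alice")
    out["bestbuy_sets_address"] = _attempt(idas, card_ref, "street_address", "3 Corp Way", "org:bestbuy")
    out["bestbuy_sets_tier"] = _attempt(idas, card_ref, "rewards_tier", "gold", "org:bestbuy")
    out["policy_entities"] = sorted(e.entity_id for e in bb.entities.values() if e.entity_type == "Policy")
    return out
```

Because the policy is itself data in the context, the same read path that inspects a Person entity can inspect (and, with the right grants, manage) the Policy entities, which is the point of the 1.1 policy query and management APIs.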
Other New Card Types
• Username/Password Card: to log in to traditional un/pw sites
• SAML Card (aka S-card) [maybe]: uses the SAML protocol to retrieve a token
• Idemix card (aka Z-card) [maybe]: support for a new privacy-enhancing token type based on zero-knowledge proofs; improved support for selective disclosure
Selector as an OpenID Service
[Component diagram: User, Browser, Browser Extension, Identity Selector, I-Card Web Service, OpenID Provider, Identity Provider, Token Service, Relying Website, RP Libraries. Key: generic technology vs. Higgins components.]
OpenID 2.0 OP with an associated Higgins Selector Service.
ID-WSF Support (maybe)
• There have been some recent, focused discussions on the integration of Higgins and ID-WSF
• Higgins I-Card Service could implement: ID-WSF Discovery Service; ID-WSF Authentication Service (I think)
• Higgins Context Providers would be written for various ID-WSF services
• Integration with R-Cards and XRDS
• Would rely on the OpenLiberty.org code base
IdAS Client Component (maybe)
Section Three: Beyond Higgins 1.1
Mobile Higgins
The Higgins project is seeking project funding and/or contributions to develop a Higgins selector for mobile platforms.
Target Platforms
• Symbian
• RIM
• Windows Mobile 6
• iPhone
• Android
• Etc.
Project Co-leads: Paul Trevithick ([email protected], +1.617.513.7924) and Mary ([email protected], +1.617.290.8591)
http://higgins-project.org
Appendix: Original Project Goals
Goals: 1 of 5
• Provide a consistent user experience based on card icons for the management and release of identity data
• This is needed in order to have a trusted mechanism for authentication and other interactions that is less vulnerable to phishing and other attacks and that works for a wide variety of users and systems
• See Higgins 1.0 Identity Selector
Goals: 2 of 5
• Empower users with more convenience and control over personal information distributed across external information silos
• Provide a single point of control over multiple identities, preferences and relationships
• See Higgins 1.0 Identity Selector
Goals: 3 of 5
• Provide an API and data model for the virtual integration and federation of identity and security information from a wide variety of sources
• See Higgins 1.0 Framework
Goals: 4 of 5
• Provide plug-in adapters to enable existing data sources, including directories, communications systems, collaboration systems and databases, each using differing protocols and schemas, to be integrated into the framework
• See Higgins 1.0 Identity Attribute Service and Context Providers (plugins)
Goals: 5 of 5
• Provide a social relationship data integration framework that enables these relationships to be persistent and reusable across application boundaries
• It organizes relationships into a set of distinct social contexts within which a person expresses different personas and roles
• See Higgins 1.0 Context Data Model (CDM)