First Open Source Reference Implementation of IGF 1.0

Posted in ArisId, IGF, Updates by pjdhunt on the February 1st, 2010

Cross-posted from

Over the past few months, a good deal of progress has been made around IGF and the open source implementation around it. In particular, last fall, Liberty Alliance ratified the IGF 1.0 specification as final. In mid January we published ArisID 1.1, the first open source implementation of IGF 1.0. Finally in late January, we checked in the first implementation of an open source provider based on OpenDS 2.2 (more on that below).

ArisID is an API for accessing and managing personal or identity related information using CARML as an XML data model. In addition to being useful from a privacy perspective, CARML enables important new developer features:

  • The ability to automatically generate a data model in the form of Java beans.
  • The ability to use sophisticated data providers that can connect applications to personal information sources using multiple protocols and virtualization.

If the principles of using an XML data model sound familiar, they should. ArisID follows a very similar architecture to Java Persistence Architecture. The key difference is that use of the CARML data model does not assume the pre-existence of a particular database or LDAP schema. Instead, a developer is able to create an application-specific data model and write code as if the data model were a straightforward database. Then, at runtime, the provider layers of the API can be configured to connect to many different types of data repositories and network configurations, including multiple directories or databases. With little effort, developers are able to create sophisticated applications that have much greater deployment flexibility in the types of data sources and repositories they can support, including remote and third-party sources.

Starting with the Oracle Fusion PS2 release, Oracle began integrating this technology into its own products, setting the stage for a new level of support for open protocols and scalable enterprise deployment scenarios. For more information on how Oracle is using IGF and ArisID in 11gR1, check out the whitepaper, “Oracle Identity Management 11gR1”.

As mentioned earlier, ArisID depends on “provider” modules to do the work of implementing data model requirements as expressed in application specific CARML declarations. At present there are now 2 implementations available:

  • The Oracle OVD Provider for ArisID “Preview” is the first provider to support the ArisID 1.0 API. A developer preview is available here. Expect an update in the next quarter regarding ArisID 1.1.
  • A brand new OpenDS 2.2 provider for ArisID is now available in the openLiberty sourceforge project repository. The new OpenDS provider allows developers to use OpenDS instead of OVD as a repository for applications using ArisID 1.1. The OpenDS Provider for ArisID is the first fully open source ArisID Provider implementation. For more information consult the readme file contained in the OpenDS Provider for ArisID distribution zip.

Project Aristotle is now moving forward with efforts to support integration into popular IDEs. As always, new contributors are welcome; please see the web site for more information. Also, feel free to subscribe to the igf-dev mailing list.

Finally, thanks to the OpenDS team (Ludovic, Bo, Matthew) for their assistance in helping to get the first open source implementation of a provider for ArisID done. In some respects, the Oracle/Sun merger delayed a lot of this work, but now that it is done, we can get back to work and contribute more to our respective projects. As Nishant Kaushik says, Sun + Oracle = Exciting Days Ahead! By the way, click here for webcasts about Fusion Middleware and in particular Identity Management.


Phil Hunt, Oracle

Project Aristotle Wins EIC Award

Posted in ArisId, IGF by pjdhunt on the May 8th, 2009


I am happy to announce that Project Aristotle won an award for “Best new or improved standard” at the European Identity Conference. The win is shared with the Open Authentication (OAuth) and the Information Card Foundation (ICF).

The European Identity Award for the category “Best new or improved standard” went to the Aristotle Project for ArisID, an important enhancement of IGF (Identity Governance Frameworks) and CARML, which enhances user-friendliness of these important standards for IAM and GRC. This particular innovation had been promoted and supported by Oracle. The standardization initiative OAuth (Open Authentication) receives an award for their streamlined approach for authentication standardization, which finds a lot of market interest. The last award in this category goes to the Information Card Foundation (ICF) for standardizing the important approach of Information Cards for future identity management.

Congrats to the contributors of openLiberty, the members of Liberty Alliance TEG, as well as my colleagues at Oracle, who all contributed to the effort. Congratulations to OAuth and ICF as the co-winners!

A special thanks to Kuppinger Cole for organizing the event and for taking the time to recognize the efforts of all the award winners and of standards development in general.

Mydex CIC - Bootstrapping ID-WSF 2.0 from an Information Card

Posted in ClientLib, ID-WSF, Wakame by Asa on the March 13th, 2009

Last May at IIW I put together a demo that bootstrapped an ID-WSF 2.0 environment from OpenID using attribute exchange powered by an ID-WSF 2.0 enabled OpenID Provider. Over the past several months I have been working with a Community Interest Corporation (CIC) in the U.K. called Mydex, building out a proof of concept Volunteered Personal Information (VPI) system. VPI is a VRM concept currently being explored as a Liberty SIG. Part of this PoC is providing an Information Card (i-card) called a VPI Card.

The Proof of Concept


We kicked off work on the PoC in London at the end of November 2008. We decided that we would be developing a VPI system and demonstrating change of address. We then decided on the technologies that we would use for delivery. This was highly dependent on who was in the room, of course, and we all left feeling happy. The building blocks would be:

Sitting in London it felt like a lot of things to wire together, but completely doable, and beers later in the evening helped to bury the hatchet. Several months later we have a working PoC with more in it than originally intended and a clearer understanding of the role that ID-WSF will play. From the user perspective the PoC is relatively simple, as it should be:

  1. User creates an account at Mydex and is offered a VPI card.
  2. User downloads the card and installs it in the Azigo Air ICM (new version just released!)
  3. User goes to one of several dummy organization pages, logs in with the VPI card, and the card delivers the data from The Mydex Personal Data Store.

When signing up for MyDex, users automatically receive a so-called Community I-Name in the form =mydex*yourname. I-Names are based on OASIS XRI technology. With every I-Name comes a set of identity services such as OpenID, a spam-free Contact Page, and the ability to unify other addresses such as a domain name, e-mail address, Skype ID, MSN number, etc. under a single identifier. I-Names are designed to represent an individual’s identity on the Internet and therefore complement the MyDex vision of user centricity and choice.

But that is not where this Proof of Concept ends. Information Cards are fantastic for providing user agent attributes at card submission. In this case, an encrypted SAML assertion is delivered through a browser plugin. Azigo uses a hosted card service, therefore your cards are available to you wherever you go. Every time the MyDex card is used, a customized token is minted for that specific request. The data comes fresh from The Mydex Personal Data Store. In our PoC, this data includes a freshly brewed ID-WSF 2.0 Endpoint Reference (EPR) — hey, that’s why I am blogging about this!

The ID-WSF Part


If the RP requests an EPR and the user allows the EPR to be sent, then an encoded discovery EPR is delivered through the i-card login. ID-WSF accounts are created on the fly at the request of The Mydex Personal Data Store. The ID-WSF system is comprised of eight elements:

  • *The Mydex Personal Data Store
  • An Authentication Service - ID-WSF 2.0 WSP
  • An “IdP” wrapper for the Authentication Service - ID-WSF 2.0 WSC, OpenID Provider
  • A Personal Address Manager - ID-WSF 2.0 WSC, i-card RP, OpenID RP
  • A Discovery Service - ID-WSF 2.0 WSP
  • A Personal Profile Service - ID-WSF 2.0 WSP
  • A Telephone Company - ID-WSF 2.0 WSC, i-card RP, OpenID RP
  • *An Interaction Server

*indicates not id-wsf at the moment

The Mydex Personal Data Store

Not yet an ID-WSF component; in the future it will likely play a WSP role. For understanding this PoC, this component is crucial. It is the identity starting point and data hub. Among the roles it plays are URU address verification, account creation, and integration with both the ID-WSF components and the Higgins/Parity/Azigo services. Primary Ingredients: PHP, MySQL.

Authentication Service (AS)

All WSP services are inside of Conor Cahill’s Server Toolkit. The AS comes ready with the toolkit and uses SASL over ID-WSF 2.0 messaging layer to vend a discovery EPR. This EPR is then handed off to the IdP wrapper WSC. Primary Ingredients: Java, Axis/Tomcat, Conor Cahill’s Server Toolkit, Postgres.

An “IdP” wrapper for the Authentication Service

Mydex VPI Service contacts this IdP to obtain an EPR. If there is no ID-WSF account, then this service creates one and all of its attendant bits. Primary Ingredients: Java, WebObjects, Wakame, OpenSAML, Postgres.

A Personal Address Manager (P.A.M.)

This is the same thin client that I demoed as PAdMan at IIW May 2008. It is a pure WSC and uses an EPR to bootstrap into ID-WSF. This client can be bootstrapped through an OpenID AX containing an EPR. The new work has been twofold: 1) localize for U.K. and 2) bootstrap with an i-card. The user presents a Mydex VPI Card and the Azigo plugin delivers an encrypted SAML assertion containing a Discovery EPR. Ah, the power of great base frameworks: I was able to use the OpenSAML libraries that I used as the XML Tooling platform for Wakame to decrypt and deserialize the assertion! Primary Ingredients: Java, WebObjects, Wakame, OpenSAML.

A Discovery Service (DS)

Another ready for use service from Conor’s toolkit. Using TLS Bearer security mechanism, the DS vends an EPR that provides access to the User’s Personal Profile. Primary Ingredients: Java, Axis/Tomcat, Conor Cahill’s Server Toolkit, Postgres.

A Personal Profile Service (PP)

This service is built on Conor’s toolkit and is the datastore for the user’s profile and address information in the ID-WSF environment. The PAM and the Telephone company both access this store on the user’s behalf. Primary Ingredients: Java, Axis/Tomcat, Conor Cahill’s Server Toolkit, Postgres.

A Telephone Company

ID-TELE from the May 2008 IIW, but completely redone. The app is now entirely AJAX based, bootstraps from i-card, uses an interaction server to request permission from the user to subscribe to address and profile information. Primary Ingredients: Java, WebObjects, Wakame, OpenSAML, FrontBase.

An Interaction Server

This is not an ID-WSF Interaction Service, yet, but it contacts the user to obtain permission for ID-TELE to subscribe to address and profile information. Primary Ingredients: Java, WebObjects.

Demo at SXSW


Iain Henderson is at SXSW and will be showing the PoC, so if you want to see it, find Iain. The demo walks through a subscription/notification model that demonstrates the user in control with the vendor receiving up-to-date and accurate information when profile changes are made and when a future address is added.

(Thanks to Markus Sabadello for help writing the i-card and i-name portions of this post)

Wakame at OpenSAML 2.2.3

Posted in ClientLib, Updates by Asa on the January 17th, 2009

The Wakame Project is now using the latest OpenSAML libraries which are now in version 2.2.3, released December 21, 2008. The update was relatively painless and provides improved memory usage:

This release contains a few minor bug fixes and a significant
improvement in memory usage. This improvement is especially profound
for metadata which is usually kept in memory. An average metadata file
should see about a 60-70% decrease in consumed memory when it is loaded.

Wakame is now being used in an interesting project based in the U.K. - as soon as this becomes public I’ll tell you more. We are now working on completing the People Service Client. Once this has been completed, Wakame will be a fully functioning ID-WSF 2.0 WSC Library.

If you live in New England, I hope you are enjoying the cold snap. I just returned from balmy Oslo where there seems to be an almost perpetual sunset during the 6 daylight hours this time of year.

ArisID Webcast Presentation & Demo Video

Posted in ArisId, IGF, meeting by pjdhunt on the December 11th, 2008

Thanks to all who attended the webcast on ArisID this morning!  It’s always great to talk about this stuff and share ideas!

A copy of the presentation can be obtained here.

Also, as promised, here is a video of the Sonic Records ArisID demonstration.  You can view it online here.  Or, you can download the full-size video here (24MB).


Webcast on ArisID - Dec 11, at 8AM PDT

Posted in ArisId, IGF, meeting by pjdhunt on the December 5th, 2008

Re-post from

From Liberty Alliance:

ArisID, the first open source software implementing Liberty Identity Governance Framework (IGF) components, provides enterprise developers and system architects with a library for building enterprise-grade identity-enabled applications using multiple identity protocols, and lays the groundwork for allowing enterprises to manage and audit the identity requirements of business applications based on declarative IGF policy specifications. This webcast will provide participants with an overview of the ArisID API, discuss benefits for developers and enterprises, and review the project roadmap. Developers will understand how to begin using ArisID to build IGF-based applications and the identity community and vendors will gain insight into how the open source ArisID API and information providers help fulfill multi-protocol identity management requirements.


For those of you who have been following my blog, you’ll know I have been talking for some time about IGF and the need for a declarative identity API in order to make identity services more relevant to developers. Here’s your chance to see more about what I’ve been talking about all this time.


Announcing Project Aristotle

Posted in ArisId, IGF by pjdhunt on the November 19th, 2008

For some time now, there has been a lot of work going on at OpenLiberty to design a new “declarative” API that enables application developers to write applications that consume and manage identity information in a way that allows infrastructure components to take care of all the nasty problems like:
* Which protocol to use
* What data providers are appropriate for the current transaction
* How do I write robust code given that I don’t know the protocols or APIs very well?

Well, the answer is here. Release 1.0 of ArisId is now available at OpenLiberty.

The ArisID API implements the CARML (Client Attribute Requirements Markup Language) and Privacy Constraints IGF specifications Liberty Alliance released earlier this year. ArisID demonstrates how CARML and Privacy Constraints policies may be used by developers to create declarative identity applications. The open source ArisID declarative approach defines what identity-enabled transactions can be performed to ensure applications only use identity information required to complete a transaction. This allows developers to build secure identity-enabled enterprise applications that are easily auditable and protect the personally identifiable information (PII), such as a social security number or credit information, of people engaging in enterprise identity-enabled transactions.

Be sure to read the full press release here.

I would like to thank my Oracle colleagues who have contributed to the project, as well as the members of OpenLiberty for hosting this project. There is much more to come, stay tuned!

Further reading:
* Open Liberty Project Aristotle Wiki
* Liberty Alliance Press Release
* Frequently Asked Questions
* Oracle Provider for ArisID
* IGF Standards and CARML Specifications

Bootstrapping ID-WSF 2.0 with OpenID Presentation

Posted in ClientLib, Updates by Asa on the May 20th, 2008

IIW Spring 2008 was excellent. The energy was all about collaboration. Cardspace/Infocard, OpenID, and Liberty (SAMLv2/ID-WSF 2.0) were all represented well. The focus was on how to pull these technologies together, leveraging the best parts of each. So the setting was perfect for the convergence demo that I had prepared, bootstrapping ID-WSF 2.0 with OpenID. The demo was 4 applications: RED-ID an OpenID Provider (OP) and an ID-WSF Client, providing attributes through OpenID Attribute extensions which originated from the user’s ID-WSF Profile Service.

Take a look at the presentation overview


IIW 2008

Posted in Uncategorized by Asa on the May 12th, 2008

I am in Mountain View, surfing on Google’s ubiquitous wifi, finishing up preparations for my IIW demo. It has been a very busy (yet somewhat behind the scenes) couple of months for OpenLiberty — I will be posting some cool announcements later this week.

What I am presenting is an ID-WSF environment based on OpenLiberty code that is bootstrapped through an OpenID server. I know, I know… I am breaking cardinal rules, sinning in the eyes of the identity gods (who also care about privacy and trust) — but it is a cool demo. I am also in the process of building the same demo using a SAMLv2 IdP and zxid. After I give the demo I’ll be working on making it available in some form on the Internet.

The weather here is great. I have seen more MacBook Airs than anywhere else; maybe Google employees like them. If you are in Mountain View and you wanna hook up, talk identity, send me a note using asa dot openliberty at zenn dot net.

Recent Updates On The Attribute Services Project

Posted in ClientLib, IGF by pjdhunt on the April 2nd, 2008

There has been a lot of activity lately on the Attribute Services API (IGF). Since milestone 0.2 was published, we have recently checked in updates to reflect the new IGF-CARML-09 draft and checked in a first implementation of WS-Policy support for the API. Milestone 0.3 is well on its way to completion!

We still have yet to implement a provider to a full function protocol adapter like Higgins IdAS, but that should come in Milestone 0.4 or so.

For now, I’d like to encourage folks to check out the API. We’re looking for ways to further simplify the developer’s experience and make it attractive. You’ll notice, after declaring the data used by the application, that using the API is dramatically trivial compared to older APIs like JNDI or JDBC. Still, there is more that could be done.

