Last May at IIW I put together a demo that bootstrapped an ID-WSF 2.0 environment from OpenID using attribute exchange powered by an ID-WSF 2.0 enabled OpenID Provider. Over the past several months I have been working with a Community Interest Corporation (CIC) in the U.K. called Mydex, building out a proof of concept Volunteered Personal Information (VPI) system. VPI is a VRM concept currently being explored as a Liberty SIG. Part of this PoC is providing an Information Card (i-card) called a VPI Card.
The Proof of Concept
We kicked off work on the PoC in London at the end of November 2008. We decided that we would be developing a VPI system and demonstrating change of address. We then decided on the technologies that we would use for delivery. This was highly dependent on who was in the room, of course, and we all left feeling happy. The building blocks would be:
- The Mydex Personal Data Store (VPI)
- Several Sample RPs
- Azigo CardPress in ‘auditing card’ mode
- Azigo Air ICM i-card Manager and i-card Selector
- Higgins i-card Service (RPPS)
- Conor Cahill’s ID-WSF 2.0 Server Toolkit
- openLiberty Wakame
- Custom developed ID-WSF/i-card clients
Sitting in London it felt like a lot of things to wire together, but completely doable, and beers later in the evening helped to bury the hatchet. Several months later we have a working PoC with more in it than originally intended and a clearer understanding of the role that ID-WSF will play. From the user perspective the PoC is relatively simple, as it should be:
1. User creates an account at Mydex and is offered a VPI card.
2. User downloads the card and installs it in the Azigo Air ICM (new version just released!).
3. User goes to one of several dummy organization pages, logs in with the VPI card, and the card delivers the data from The Mydex Personal Data Store.
When signing up for MyDex, users automatically receive a so-called Community I-Name in the form =mydex*yourname. I-Names are based on OASIS XRI technology. With every I-Name comes a set of identity services such as OpenID, a spam-free Contact Page, and the ability to unify other addresses such as a domain name, e-mail address, Skype ID, MSN number, etc. under a single identifier. I-Names are designed to represent an individual’s identity on the Internet and therefore complement the MyDex vision of user centricity and choice.
But that is not where this Proof of Concept ends. Information Cards are fantastic for providing attributes from the user agent at card submission: in this case, an encrypted SAML assertion is delivered through a browser plugin. Azigo uses a hosted card service, so your cards are available to you wherever you go. Every time the Mydex card is used, a customized token is minted for that specific request, and the data comes fresh from The Mydex Personal Data Store. In our PoC, this data includes a freshly brewed ID-WSF 2.0 Endpoint Reference (EPR) — hey, that’s why I am blogging about this!
The ID-WSF Part
If the RP requests an EPR and the user allows the EPR to be sent, then an encoded discovery EPR is delivered through the i-card login. ID-WSF accounts are created on the fly at the request of The Mydex Personal Data Store. The ID-WSF system consists of eight elements:
- *The Mydex Personal Data Store
- An Authentication Service - ID-WSF 2.0 WSP
- An “IdP” wrapper for the Authentication Service - ID-WSF 2.0 WSC, OpenID Provider
- A Personal Address Manager - ID-WSF 2.0 WSC, i-card RP, OpenID RP
- A Discovery Service - ID-WSF 2.0 WSP
- A Personal Profile Service - ID-WSF 2.0 WSP
- A Telephone Company - ID-WSF 2.0 WSC, i-card RP, OpenID RP
- *An Interaction Server
* indicates a component that is not ID-WSF at the moment
The Mydex Personal Data Store
Not yet an ID-WSF component; in the future it will likely play a WSP role. For understanding this PoC, this component is crucial: it is the identity starting point and the data hub. Among the roles it plays are URU address verification, account creation, and integration with both the ID-WSF components and the Higgins/Parity/Azigo services. Primary Ingredients: PHP, MySQL.
Authentication Service (AS)
All WSP services are inside of Conor Cahill’s Server Toolkit. The AS comes ready with the toolkit and uses SASL over the ID-WSF 2.0 messaging layer to vend a discovery EPR. This EPR is then handed off to the IdP wrapper WSC. Primary Ingredients: Java, Axis/Tomcat, Conor Cahill’s Server Toolkit, Postgres.
An “IdP” wrapper for the Authentication Service
The Mydex VPI Service contacts this IdP to obtain an EPR. If there is no ID-WSF account, this service creates one, along with all of its attendant bits. Primary Ingredients: Java, WebObjects, Wakame, OpenSAML, Postgres.
A Personal Address Manager (P.A.M.)
This is the same thin client that I demoed as PAdMan at IIW May 2008. It is a pure WSC and uses an EPR to bootstrap into ID-WSF. This client can be bootstrapped through an OpenID AX containing an EPR. The new work has been twofold: 1) localize for the U.K.; 2) bootstrap with an i-card. The user presents a Mydex VPI Card and the Azigo plugin delivers an encrypted SAML assertion containing a Discovery EPR. Ah, the power of great base frameworks: I was able to use the OpenSAML libraries that I used as the XML Tooling platform for Wakame to decrypt and deserialize the assertion! Primary Ingredients: Java, WebObjects, Wakame, OpenSAML.
A Discovery Service (DS)
Another ready-to-use service from Conor’s toolkit. Using the TLS Bearer security mechanism, the DS vends an EPR that provides access to the user’s Personal Profile. Primary Ingredients: Java, Axis/Tomcat, Conor Cahill’s Server Toolkit, Postgres.
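As an added example (not the PoC’s own code, which does this in Java with OpenSAML), here is the check a WSC such as the PAM should run on the discovery EPR it pulls out of the decrypted i-card assertion before it hands the embedded bearer token to the DS: the mechanism must be the expected TLS Bearer one, the endpoint must be https, and the token must be unexpired and scoped to the DS ProviderID. The namespace URIs and the mechanism identifier are assumed from the WS-Addressing and ID-WSF 2.0 specifications as I recall them; the host, token and dates are constructed placeholders.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET
NS = {"wsa": "http://www.w3.org/2005/08/addressing",
      "disco": "urn:liberty:disco:2006-08",
      "sec": "urn:liberty:security:2006-08",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Mechanism URI from the ID-WSF 2.0 Security Mechanisms spec (assumed exact
# spelling); the only mechanism this WSC will accept toward the DS.
TLS_BEARER = "urn:liberty:security:2005-02:TLS:Bearer"

def parse_discovery_epr(xml_text: str, now: datetime = None) -> dict:
    # Parse the EPR; raise ValueError rather than bootstrap with a defective one
    epr = ET.fromstring(xml_text)
    address = epr.findtext("wsa:Address", namespaces=NS) or ""
    md = epr.find("wsa:Metadata", NS)
    ctx = md.find("disco:SecurityContext", NS) if md is not None else None
    if ctx is None:
        raise ValueError("EPR carries no wsa:Metadata/disco:SecurityContext")
    provider_id = md.findtext("disco:ProviderID", namespaces=NS) or ""
    if md.findtext("disco:ServiceType", namespaces=NS) != NS["disco"]:
        raise ValueError("ServiceType is not the ID-WSF 2.0 discovery service")
    mech_id = ctx.findtext("disco:SecurityMechID", namespaces=NS)
    if mech_id != TLS_BEARER:
        raise ValueError(f"unsupported security mechanism: {mech_id}")
    if not address.startswith("https://"):
        raise ValueError("TLS:Bearer requires an https endpoint address")
    cond = ctx.find("sec:Token/saml:Assertion/saml:Conditions", NS)
    if cond is None:
        raise ValueError("bearer token has no saml:Conditions")
    # The bearer token must still be valid and must be scoped to this very DS
    expiry = datetime.fromisoformat(cond.get("NotOnOrAfter", "").replace("Z", "+00:00"))
    if expiry <= (now or datetime.now(timezone.utc)):
        raise ValueError("bearer token has expired")
    if cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) != provider_id:
        raise ValueError("bearer token audience does not match EPR ProviderID")
    return {"address": address, "provider_id": provider_id, "mech_id": mech_id, "expiry": expiry}

# Constructed sample EPR (placeholder host) shaped like the one delivered inside
# the i-card SAML assertion; no real PoC values are reproduced here.
SAMPLE_EPR = """<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing" xmlns:disco="urn:liberty:disco:2006-08"
 xmlns:sec="urn:liberty:security:2006-08" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
 <wsa:Address>https://ds.example.test/disco</wsa:Address><wsa:Metadata>
 <disco:ProviderID>https://ds.example.test/</disco:ProviderID>
 <disco:ServiceType>urn:liberty:disco:2006-08</disco:ServiceType><disco:SecurityContext>
 <disco:SecurityMechID>urn:liberty:security:2005-02:TLS:Bearer</disco:SecurityMechID>
 <sec:Token><saml:Assertion ID="_c1" Version="2.0"><saml:Conditions
  NotOnOrAfter="2099-01-01T00:00:00Z"><saml:AudienceRestriction>
  <saml:Audience>https://ds.example.test/</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></sec:Token></disco:SecurityContext></wsa:Metadata></wsa:EndpointReference>"""
```

A WSC that skips these checks would happily present the bearer token to whatever address the EPR names, so a swapped endpoint or a downgraded mechanism is exactly what the parser is meant to refuse.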
A Personal Profile Service (PP)
This service is built on Conor’s toolkit and is the datastore for the user’s profile and address information in the ID-WSF environment. The PAM and the Telephone company both access this store on the user’s behalf. Primary Ingredients: Java, Axis/Tomcat, Conor Cahill’s Server Toolkit, Postgres.
A Telephone Company
ID-TELE from the May 2008 IIW, but completely redone. The app is now entirely AJAX based, bootstraps from an i-card, and uses an interaction server to request permission from the user to subscribe to address and profile information. Primary Ingredients: Java, WebObjects, Wakame, OpenSAML, FrontBase.
An Interaction Server
This is not yet an ID-WSF Interaction Service, but it contacts the user to obtain permission for ID-TELE to subscribe to address and profile information. Primary Ingredients: Java, WebObjects.
Demo at SXSW
Iain Henderson is at SXSW and will be showing the PoC, so if you want to see it, find Iain. The demo walks through a subscription/notification model that demonstrates the user in control with the vendor receiving up-to-date and accurate information when profile changes are made and when a future address is added.
(Thanks to Markus Sabadello for help writing the i-card and i-name portions of this post)