First Open Source Reference Implementation of IGF 1.0
Cross-posted from independentidentity.blogspot.com
Over the past few months, a good deal of progress has been made around IGF and the open source implementations of it. In particular, last fall, Liberty Alliance ratified the IGF 1.0 specification as final. In mid January we published ArisID 1.1, the first open source implementation of IGF 1.0. Finally, in late January, we checked in the first implementation of an open source provider based on OpenDS 2.2 (more on that below).
ArisID is an API for accessing and managing personal or identity related information using CARML as an XML data model. In addition to being useful from a privacy perspective, CARML enables important new developer features:
- The ability to automatically generate a data model in the form of Java beans.
- The ability to use sophisticated data providers that can connect applications to personal information sources using multiple protocols and virtualization.
If the principle of using an XML data model sounds familiar, it should. ArisID follows an architecture very similar to the Java Persistence Architecture. The key difference is that use of the CARML data model does not assume the pre-existence of a particular database or LDAP schema. Instead, a developer is able to create an application-specific data model and write code as if the data model were a straightforward database. Then, at runtime, the provider layers of the API can be configured to connect to many different types of data repositories and network configurations, including multiple directories or databases. With little effort, developers are able to create sophisticated applications that have much greater deployment flexibility in the types of data sources and repositories they can support, including remote and third-party sources.
Starting with the Oracle Fusion PS2 release, Oracle began integrating this technology into its own products, setting the stage for a new level of support for open protocols and scalable enterprise deployment scenarios. For more information on how Oracle is using IGF and ArisID in 11gR1, check out the whitepaper, "Oracle Identity Management 11gR1".
As mentioned earlier, ArisID depends on "provider" modules to do the work of implementing data model requirements as expressed in application-specific CARML declarations. At present there are two implementations available:
- The Oracle OVD Provider for ArisID “Preview” is the first provider to support the ArisID 1.0 API. A developer preview is available here. Expect an update in the next quarter regarding ArisID 1.1.
- A brand new OpenDS 2.2 provider for ArisID is now available in the openLiberty sourceforge project repository. The new OpenDS provider allows developers to use OpenDS instead of OVD as a repository for applications using ArisID 1.1. The OpenDS Provider for ArisID is the first fully open source ArisID Provider implementation. For more information consult the readme file contained in the OpenDS Provider for ArisID distribution zip.
Project Aristotle is now moving forward with efforts to support integration into popular IDEs. As always, new contributors are welcome; please see the OpenLiberty.org web site for more information. Also, feel free to subscribe to the igf-dev mailing list.
Finally, thanks to the OpenDS team (Ludovic, Bo, Matthew) for their assistance in helping to get the first open source implementation of a provider for ArisID done. In some respects, the Oracle/Sun merger delayed a lot of this work, but now that it is done, we can get back to work and contribute more to our respective projects. As Nishant Kaushik says, Sun + Oracle = Exciting Days Ahead! By the way, click here for webcasts about Fusion Middleware and in particular Identity Management.
Cheers,
Phil Hunt, Oracle
Wakame at OpenSAML 2.2.3
The Wakame Project is now using the latest OpenSAML libraries which are now in version 2.2.3, released December 21, 2008. The update was relatively painless and provides improved memory usage:
This release contains a few minor bug fixes and a significant improvement in memory usage. This improvement is especially profound for metadata which is usually kept in memory. An average metadata file should see about a 60-70% decrease in consumed memory when it is loaded.
Wakame is now being used in an interesting project based in the U.K. - as soon as this becomes public I’ll tell you more. We are now working on completing the People Service Client. Once this has been completed, Wakame will be a fully functioning ID-WSF 2.0 WSC Library.
If you live in New England, I hope you are enjoying the cold snap. I just returned from balmy Oslo where there seems to be an almost perpetual sunset during the 6 daylight hours this time of year.
Bootstrapping ID-WSF 2.0 with OpenID Presentation
IIW Spring 2008 was excellent. The energy was all about collaboration. Cardspace/Infocard, OpenID, and Liberty (SAMLv2/ID-WSF 2.0) were all represented well. The focus was on how to pull these technologies together, leveraging the best parts of each. So the setting was perfect for the convergence demo that I had prepared, bootstrapping ID-WSF 2.0 with OpenID. The demo consisted of 4 applications: RED-ID, an OpenID Provider (OP) and an ID-WSF Client, providing attributes through OpenID Attribute extensions which originated from the user's ID-WSF Profile Service.
beta!!!
This is the official announcement for the beta release of the ID-WSF 2.0 ClientLib! We have been working like mad to get this release out (hence the photo with this post). Lots of new code was cut, lots of old code was gutted or reworked, and there are many new features.
This release marks excellent progress, but there is still a lot of work to do. The beta is not bug free nor is it thoroughly tested. It is ready for other people to sink their teeth into and give feedback, make requests, or write some code. For development purposes we are currently testing against two ID-WSF WSPs and have access to a third (HP Select Federation) which we hope to have working with the library before Version 1 release planned later this year.
This beta would not have been possible without help from a number of people, notably Conor Cahill, Sampo Kellomäki, and Scott Cantor & the OpenSAML guys. Luckily these people also wrote many of the specification documents.
What’s New:
- Liberty SOAP Bindings fully implemented
- Handling of CredentialsContext
- Handling of EndpointUpdate
- Added WSFMessageSigner
- TLS and ClientTLS support
- Bearer & SAMLv2 Support (Signing!)
- CRAM-MD5 SASL Authentication
- Addition of ID-SIS-DAP XML Tooling and basic Service Client
- Addition of WSCUtilities to simplify basic ID-* operations
- Simplified approach to creating OpenSAML XML Tooling classes (Element, marshaller, unmarshaller, and builder as a self contained unit)
- javadoc now available
- sample code available
- switched from HttpURLConnection to not-yet-commons-ssl for transport
- Added BaseServiceClient
- Reworked the website to get you to the code faster
- Testing has begun with Symlabs Federated Identity
What remains:
- Lots of testing
- Liberty Certification
- OpenLiberty public testing environment
- compress the Tooling Objects that rely on 4 classes into 1 as per the new method
- sample application using the library
- more utility methods
- Build out: ID-SIS-DAP, People Service
- More Service Clients: ID-SIS SMS and MMS, Contact Book (ID-SIS-CB), SSOService …
If you have questions or interest, please send me a note at asa.openlibertyREMOVEIT@zenn.net (remove the REMOVEIT from the email).
Also, I will be in Santa Clara at the Liberty Alliance plenary meeting all week. On Monday I'll be presenting the library. If you are in the area or at the plenary and you want to check it out, do some coding, interop, anything, just send me a note and I'll send you my cell #.
Building ID-SIS-DAP
The BETA deadline (February 16th) is rapidly approaching! With this in mind there are two major goals. The first is to have signing enabled and the second is to have an ID-SIS-DAP service client (SC) available. Development on the ID-SIS-DAP SC is going very well and has been a good learning experience. Here's why:
The ID-WSF 2.0 ClientLib uses the OpenSAML xmltooling, ws, and saml libraries. There are no xsd code generators for the java-xmltooling classes, so I have spent a great deal of time becoming acquainted with the xsd for the various Liberty specifications. I also spent a lot of time writing marshallers, unmarshallers, and builders. So for each element, there is the potential for 4 files. This gets big really fast. With the ID-SIS-DAP SC I began to embed the marshaller, unmarshaller, and builder inside the element class as static internal classes. Yay!! This has taken care of a tremendous amount of clutter, and generally helps with readability.
If you are using OpenSAML's java-xmltooling and you want to use this method, make sure that the nested classes are static, and reference the internal classes in the config file like this:
<MarshallingClass className="org.openliberty.xmltooling.idsis.dap.DAPModifyItem$Marshaller" />
Notice the “$” between DAPModifyItem and Marshaller. This indicates that Marshaller is an internal class to DAPModifyItem.
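Here is an added example, not code from the ClientLib, of what that layout looks like for a hypothetical element class written against the OpenSAML 2 xmltooling base classes; the element name, its single "id" attribute and its text content are assumptions, and the unmarshaller is deliberately strict about unexpected child elements:

```java
import org.opensaml.xml.AbstractXMLObject;
import org.opensaml.xml.XMLObject;
import org.opensaml.xml.io.AbstractXMLObjectBuilder;
import org.opensaml.xml.io.AbstractXMLObjectMarshaller;
import org.opensaml.xml.io.AbstractXMLObjectUnmarshaller;
import org.opensaml.xml.io.MarshallingException;
import org.opensaml.xml.io.UnmarshallingException;
import org.opensaml.xml.util.XMLHelper;
import org.w3c.dom.Attr;
import org.w3c.dom.Element;
// Hypothetical element <ExampleItem id="...">text</ExampleItem>, not an ID-SIS-DAP class.
// The nested classes are static so the config can name them as ExampleItem$Builder etc.
public class ExampleItem extends AbstractXMLObject {
    private String id;     // the "id" attribute
    private String value;  // the element's text content
    protected ExampleItem(String namespaceURI, String localName, String prefix) {
        super(namespaceURI, localName, prefix);
    }
    public String getId() { return id; }
    public void setId(String newId) { id = prepareForAssignment(id, newId); }
    public String getValue() { return value; }
    public void setValue(String newValue) { value = prepareForAssignment(value, newValue); }
    public java.util.List<XMLObject> getOrderedChildren() { return null; } // no child elements
    public static class Builder extends AbstractXMLObjectBuilder<ExampleItem> {
        public ExampleItem buildObject(String namespaceURI, String localName, String prefix) {
            return new ExampleItem(namespaceURI, localName, prefix);
        }
    }
    public static class Marshaller extends AbstractXMLObjectMarshaller {
        protected void marshallAttributes(XMLObject o, Element dom) throws MarshallingException {
            String id = ((ExampleItem) o).getId();
            if (id != null) dom.setAttributeNS(null, "id", id);
        }
        protected void marshallElementContent(XMLObject o, Element dom) throws MarshallingException {
            String v = ((ExampleItem) o).getValue();
            if (v != null) XMLHelper.appendTextContent(dom, v);
        }
    }
    public static class Unmarshaller extends AbstractXMLObjectUnmarshaller {
        // Strict: this element has no children, so any child element is a malformed message.
        protected void processChildElement(XMLObject parent, XMLObject child) throws UnmarshallingException {
            throw new UnmarshallingException("Unexpected child element " + child.getElementQName());
        }
        protected void processAttribute(XMLObject o, Attr a) throws UnmarshallingException {
            if ("id".equals(a.getLocalName())) ((ExampleItem) o).setId(a.getValue());
        }
        protected void processElementContent(XMLObject o, String text) { ((ExampleItem) o).setValue(text); }
    }
}
```

The matching ObjectProvider entry in the xmltooling config then carries BuilderClass, MarshallingClass and UnmarshallingClass elements whose className values use the same "$" form, e.g. ExampleItem$Builder.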
Oh, and from Chad at OpenSAML:
The Java OpenSAML 2.0 Release Candidate 2 release is now available at the normal download site.
http://shibboleth.internet2.edu/downloads/opensaml/java/
This release includes minor bug fixes found in RC1 and includes the generated javadocs. This is the last release candidate and the next release will be the final 2.0 release.
The ClientLib tests fine with RC2.
ClientLib Interop at January TEG Interim with Symlabs
Late news, but still very relevant. Earlier this month we took the alpha to Boston for a presentation at the Jan 8-10 TEG Interim, and interoperability testing with Symlabs Federated Identity Suite. We also made a visit to Parity Communications to meet with members of the Higgins Project to discuss some project synergies. Brett will follow with a post that has more details.
The presentation at the TEG Interim lasted about an hour and covered as many aspects of the project as possible. We discussed the website and the tools we're using for collaboration, we went through some code, specifically the non-standard DST 2.1 based Profile Service, and discussed briefly the trajectory of the project as a whole. Our next deadline (BETA), approaching quickly, is two days after Valentine's Day, February 16th!!!! Not sure why we keep choosing deadlines right around holidays, but there you have it.
The big news from going to Boston was having a chance to meet with Sampo Kellomäki, the Chief Architect at Symlabs. Sampo is extremely knowledgeable in the development and practice of ID-WSF and has written several Liberty specifications. He also has an open source project, ZXID, which is aiming for a full stack implementation of all federated identity management and identity web services protocols. ZXID is written in C and supports Perl, PHP, and Java. It is 95% ID-WSF 2.0 feature complete. We are planning on testing with ZXID as soon as possible, using the Java support.
In Boston Sampo and I tested the ClientLib against Symlabs Federated Identity Suite. We successfully authenticated using the Symlabs AS and pulled a Discovery EPR. We then used the Discovery EPR to get another Discovery EPR from the DS. This was fun, and it all went off really well. So, we went to Boston and celebrated. The next day we did some more work and were able to use the DST 2.1 reference implementation to create an ID-DAP query and parse the response. ID-DAP (which is part of Symlabs Federated Identity) provides federated identity based access to an LDAP directory. It is a great example of an in-production service that utilizes DST 2.1.
Overall it was a very successful trip. I learned a lot, did some testing, made some friends, and came back to Berkshire County in one piece. Keep your eyes open for the BETA on Feb 16th!
WSC ClientLib Alpha Delivered!!
We are very pleased to announce that, after many setbacks and challenges, the ClientLib Alpha is now available online! As of this build, it is possible to use the AS client and the DS client with Conor Cahill’s WSP. The Personal Profile Service Client (operating on DST 2.1) is now complete — and there is now a shell of a People Service Client as well.
To enable you to begin experimenting with this build, we’ve put together a simple quick start, involving 5 simple steps. Please feel free to take a look and let us know what you think, but bear in mind that this is still Alpha code!
New “Further Reading” Section Added To IGF Wiki
Prateek Mishra has contributed a new further reading section to the IGF Wiki. Check it out here.
IGF Joins The openLiberty Project!
This marks my first post, and the start of the IGF Project at openLiberty.
The Identity Governance Framework (IGF) is now the second project at openLiberty.org. IGF will help you enable your identity-consuming applications to bind governance policies (consent and constraints) to the identity data you receive and ensure those policies are enforced whenever any other IGF-enabled application tries to access that data at a later time.
From today’s press release…
“Consisting of nearly 50 subscribers with leadership and representation from HP, Intel, Internet2/Shibboleth and OpenSAML, openLiberty.org is an open source community open to everyone interested in advancing open source Liberty Web Services and now IGF implementations. openLiberty.org will develop a set of open source libraries and technologies based on the Apache 2.0 license that developers and vendors can use to build products that consume, provide and manage identity-related information based on the IGF protocols. Developers, individuals and organizations can get more information and join the openLiberty.org IGF community here.”
A brief overview of the market requirements use case document is available here.
For those of you wanting to follow updates to the IGF project, keep an eye on this blog. I will also continue to post more general articles over at the IdentityPrivacy blog.
I also want to thank all of the Liberty member organizations who have contributed to getting the Market Requirements Document done. Their contributions have really begun to crystallize the IGF requirements. Now we all have to work hard to make IGF "real" through actual implementation and standards definition!
Other sites of interest:
- Liberty Alliance - IGF Strategic Initiative
- Oracle Technology Network - IGF Draft Specifications & Overview
…/Phil
