ArisIdFAQ

From OpenLiberty.org Wiki

Project Aristotle FAQ

What is the Aristotle Project?

The Aristotle Project, an open source community working within OpenLiberty.org, is focused on developing a single open source API for existing identity technologies such as LDAP, as well as for federation protocols such as SAML, Liberty Identity Web Services (ID-WSF), OpenID and WS-Trust. The goal of the Aristotle Project is to create an open source programming interface that can communicate with identity services libraries called “ArisID Providers.” To build these providers, the Aristotle Project community is beginning work with technology vendors and other open source communities to adapt existing technology libraries for use as providers under the ArisID API.

Who is participating in the Aristotle Project? Who can join?

Members of the Aristotle Project currently include representatives from Liberty Alliance, but the group is open to all developers, individuals and organizations interested in furthering the advancement of declarative identity systems. Membership in Liberty Alliance is not a requirement for participation in the Aristotle Project or OpenLiberty.org.

What is the Identity Governance Framework?

The Liberty Identity Governance Framework (IGF) provides privacy and governance semantics to applications and services infrastructure. IGF is an open standards-based initiative designed to help organizations better govern and protect identity-related employee, customer and partner information as it flows across heterogeneous applications and networks. IGF is about the secure and appropriate exchange of identity-related information between users, applications and service providers, both within an organization and across external systems. The ArisID API implements the IGF CARML (Client Attribute Requirements Markup Language) and Privacy Constraints specifications that Liberty Alliance released earlier this year.

Why is the ArisID API needed?

Business applications depend upon identity data that is stored and handled in an increasingly complex set of architectures, which represent many different usage patterns across several different forms of relationships between users, applications, and authoritative identity sources. Developers and architects lack a methodology that does not introduce tight coupling to particular databases, directories, or web services. Tight coupling leads to flexibility and interoperability issues that create architectural and vendor lock-in, which in the past has led many developers to avoid services architectures for identity and opt for standalone identity silo designs instead.

One of the benefits of introducing Identity Governance is the use of CARML XML declarations to create an application data model that can be mapped to services infrastructure, in much the same way that TopLink and the Java Persistence Architecture map an application's object model to a database.

ArisID frees developers from having to make protocol, schema, and architecture decisions that would limit the usability and deployability of their application in an evolving and ever more complex enterprise network, where a large number of identity sources and protocols are used. By relying on the layered architecture implemented by the ArisID libraries, developers can ensure maximum flexibility and reuse of their applications while significantly reducing development time.

What is a declarative identity system?

A declarative identity system is one in which client applications (or relying parties) declare in advance what identity data an application uses and what transactions it will perform with that data. This serves three important purposes.

  1. The declaration can be used as important information in a “Privacy Impact Assessment” ensuring that an application conforms to an enterprise’s corporate policies.
  2. The declaration can be used by identity services libraries and infrastructure components to map and interconnect client applications to appropriate authoritative identity sources.
  3. These declarations can provide additional metadata to attribute authorities (e.g., Identity Providers) to help decide whether specific transactions meet specific policy and privacy requirements.

What is CARML?

The CARML specification defines an XML document that developers use to describe the identity data and transactions used by a service or application. The data types may include identity attributes, predicates (e.g. “Is an Adult”), and roles (e.g. “Manager,” “Business Class Flier”) that an application requires. The data definitions may be based on industry standards, but they can also be specific to an application. Once created, the CARML declaration is then used as the data model for the application. The data model can be used to generate Aris Identity Beans and to flexibly map the application to different data sources over different protocols.

At deployment time, the CARML data model can be used by infrastructure managers to define how specific attributes, predicates, or roles are mapped to existing or new enterprise identity system schema and sources. The second part of the CARML declaration is the set of transactions that will be performed using the schema defined by the application. This allows identity service middleware components to be configured to meet application needs.
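The two halves of a declaration described above (the declared attributes, predicates and roles, and the transactions that use them) are what let a privacy impact assessment and a middleware component check an application against its own declaration. The following is an added illustration, not code from the Aristotle Project, and the XML element names it uses are a simplified, hypothetical CARML-like shape rather than the real IGF CARML schema; it checks that every transaction only uses declared data, and that a runtime request stays within the transaction it claims to perform.

```python
"""Hypothetical CARML-style declaration check (illustration only).

The element names below are constructed for this example and are NOT
the real Liberty IGF CARML schema; they mirror the FAQ's description:
declared attributes/predicates/roles plus the transactions that use them.
"""
import xml.etree.ElementTree as ET

# Constructed sample declaration for a fictional expense application.
SAMPLE_DECLARATION = """
<appDeclaration name="ExpenseApp">
  <attributes>
    <attribute name="mail"/><attribute name="manager"/>
    <attribute name="employeeNumber"/>
  </attributes>
  <predicates><predicate name="isAdult"/></predicates>
  <roles><role name="Manager"/></roles>
  <transactions>
    <transaction name="lookupApprover" op="read">
      <uses>mail</uses><uses>manager</uses>
    </transaction>
    <transaction name="verifyAge" op="read"><uses>isAdult</uses></transaction>
  </transactions>
</appDeclaration>
"""

def parse_declaration(xml_text):
    """Return (declared names, {txn name: (op, set of names it uses)})."""
    root = ET.fromstring(xml_text)
    declared = {e.get("name") for tag in ("attribute", "predicate", "role")
                for e in root.iter(tag)}
    txns = {}
    for t in root.iter("transaction"):
        txns[t.get("name")] = (t.get("op"), {u.text.strip() for u in t.findall("uses")})
    return declared, txns

def validate_declaration(declared, txns):
    """PIA-style check: names a transaction uses but the app never declared."""
    return {n for _, uses in txns.values() for n in uses if n not in declared}

def authorize_request(txns, txn_name, op, requested):
    """Middleware-style check: is this runtime request inside its declared transaction?"""
    if txn_name not in txns:
        return False, "undeclared transaction"
    decl_op, uses = txns[txn_name]
    if op != decl_op:
        return False, f"operation {op} not declared (declared: {decl_op})"
    extra = sorted(set(requested) - uses)
    if extra:
        return False, f"undeclared data in request: {extra}"
    return True, "ok"
```

An attribute that is declared but used by no transaction (employeeNumber above) passes validation but is a candidate for removal during review, since the declaration then asks for more data than the application uses.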

Why is multi-protocol so important?

There are many different identity systems in existence today. Some are based on SQL databases, many are based on LDAP directories. Still newer systems are evolving based on SAML, WS-Trust, Liberty Identity Web Services (ID-WSF), and OpenID. In order to meet the needs of the widest set of applications, it is clear that an API must be able to support access to identity information regardless of how it is stored or what protocol is used to access it. The multi-protocol approach forms the basis of the ArisID API.

What is “enterprise-grade” open source?

Enterprise-grade means taking the secure computing and development practices found in enterprise systems development and applying them to an open source project. Developers of enterprise applications, whether commercial or open source, expect to be able to depend on this open source project as they would on any other commercial enterprise software product. The Project Aristotle community is working to deliver enterprise-grade open source software.

What benefits does the ArisID API declarative approach provide to developers?

The declarative approach greatly simplifies the actual API used by developers to access and manipulate identity information. Because an XML declaration is created in advance, many of the parameters required in popular APIs like JNDI, or even JDBC, are eliminated. The API is able to react more intelligently because it has the full context of what the developer wants to happen in advance. Rather than the developer having to worry about configuring and connecting to data sources, middleware components (such as the ArisID Provider) are able to manage connectivity and protocol translation on behalf of the application.

ArisID Beans are a good example. The ArisID Beans module of the ArisID API takes the CARML declaration (or data model) and generates Java beans. Each ArisID bean represents a specific instance of a subject identity, with schema and methods corresponding to the CARML declaration. For each generated bean type, a manager class manages the life-cycle of its entity beans. This gives the application its own notion of entity lifecycle management while still being able to interact intelligently with external enterprise identity services.

What benefits does ArisID deliver to governments and organizations?

The misuse of identity data is a serious risk and source of liability for governments and organizations. IGF allows governments and organizations to audit and document how identity data is being used by services and applications, as well as the constraints governing its use. ArisID delivers a valid implementation of the IGF specifications. This means that governments and organizations can now begin to demand IGF compliance for all applications that consume and use identity information. Enterprises that deploy applications built on the ArisID API gain an application compliant with the IGF specifications, which makes privacy impact assessments much easier to perform and simplifies deployment and integration with existing enterprise identity services environments.

What benefits does ArisID deliver to people?

Personal information about citizens, customers and end-users is collected by a wide variety of businesses and service providers under certain agreements and provisions concerning its use. Use of IGF by businesses and service providers would help them demonstrate that identity data is being managed and used in compliance with the agreements and provisions under which the data was acquired. While IGF is not about secrecy or anonymity, it is about ensuring that privacy constraints associated with personal information can be maintained across the many components and businesses that may be working on behalf of users.

What can developers do with ArisID today?

Developers and architects can begin evaluating and using the fully functional ArisID API as part of their application development projects. In conjunction with today’s OpenLiberty.org news, Oracle is releasing the Oracle OVD Provider, a preview of an ArisID information provider that supports flexible access to a range of identity sources and is one of the first examples demonstrating the benefits of the ArisID API. The preview includes several sample code modules to allow developers to learn about the API features and understand the ArisID API architecture.

What’s next for ArisID and the Aristotle Project?

Going forward, we are working to expand the ArisID community by recruiting developers to provide feedback and to help further develop the ArisID API. Members of the Aristotle Project are also working with the open source community, the global identity industry and identity vendors to develop additional ArisID information providers, in order to ensure a diverse ecosystem of ArisID implementations that gives enterprises maximum choice and flexibility in deploying identity-services applications.

Where can we get more information?

We’ll keep developers, vendors and the global identity community updated about ArisID developments. All individuals and organizations interested in collaborating on the further development of ArisID information providers and declarative open source identity systems are encouraged to join the Project Aristotle community at OpenLiberty.org. More information is available at the ArisID wiki at ProjectAris.
