ArisIdFAQ

From OpenLiberty.org Wiki


Project Aristotle FAQ

What is the Aristotle Project?

The Aristotle Project, an open source community working within OpenLiberty.org, is focused on developing a single open source API for existing identity technologies such as LDAP, as well as for federation protocols such as SAML, Liberty Identity Web Services (ID-WSF), OpenID and WS-Trust. The goal of the Aristotle Project is to create an open source programming interface that can communicate with identity services libraries called “ArisID Providers.” To build these providers, the Aristotle Project community is beginning work with technology vendors and other open source communities to adapt existing technology libraries for use as providers under the ArisID API.

Who is participating in the Aristotle Project? Who can join?

Members of the Aristotle Project currently include representatives from Liberty Alliance, but the group is open to all developers, individuals and organizations interested in furthering the advancement of declarative identity systems. Membership in Liberty Alliance is not a requirement for participation in the Aristotle Project or OpenLiberty.org.

What is the Identity Governance Framework?

The Liberty Identity Governance Framework (IGF) is the industry’s first programmatic and auditable open standards-based initiative designed to help organizations better govern and protect identity-related employee, customer and partner information as it flows across heterogeneous applications and networks. The IGF is about the secure and appropriate exchange of identity-related information between users, applications and service providers, both within an organization and across external systems. The ArisID API implements the IGF CARML (Client Attribute Requirements Markup Language) and Privacy Constraints specifications Liberty Alliance released earlier this year.

Why is the ArisID API needed?

Business applications depend upon identity data in essential ways, yet developers and architects lack tools to describe and access the identity data their applications need. As a consequence, existing applications must code to specific identity protocols or, even worse, assume that a copy of the required identity data is available in the application database. Deploying such inflexible applications is costly, and copying sensitive identity data increases the risk of loss or misuse.

ArisID decouples developers from having to make protocol, schema, and architecture decisions that would limit the usability and deployability of their application in an evolving and ever more complex enterprise network, where a large number of identity sources and protocols are used. By relying on intelligent ArisID libraries, developers can ensure maximum flexibility and reuse of their applications while significantly reducing development time.

What is a declarative identity system?

A declarative identity system is where client applications (or relying parties) declare in advance what identity data an application uses and what transactions it will perform with that data. This serves three important purposes.

  1. The declaration can be used as important information in a “Privacy Impact Assessment” ensuring that an application conforms to an enterprise’s corporate policies.
  2. The declaration can be used by identity services libraries and infrastructure components to map and interconnect client applications to appropriate authoritative identity sources.
  3. These declarations can provide additional metadata to attribute authorities (e.g., Identity Providers) to help decide whether specific transactions meet specific policy and privacy requirements.

What is CARML?

CARML is an XML document format that developers use to describe the identity data and transactions used by a service or application. The data types may include identity attributes, predicates (e.g. “Is an Adult”), and roles (e.g. “Manager,” “Business Class Flier”) that an application requires. The data definitions may be based on industry standards, but they can also be specific to an application. At deployment time, these data definitions can be used by infrastructure managers to define how specific attributes, predicates, or roles are mapped to existing or new enterprise identity system schema and sources. The second part of the CARML declaration is the set of transactions that will be performed using the schema defined by the application. This allows identity service middleware components to be configured to meet application needs.
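The two ideas above, an application declaring its attributes, predicates, roles and transactions in advance and the infrastructure checking requests against that declaration, can be seen in the following added example. It is not code from the Aristotle Project, and the XML element names are an illustrative stand-in for a declaration, not the real CARML schema; note that the predicate `isAdult` is derived from `birthDate` without `birthDate` itself being declared, so the application never receives the raw value.

```python
"""Toy declarative-identity check (added example; illustrative schema, not the real CARML spec)."""
import xml.etree.ElementTree as ET

# Constructed declaration for a hypothetical travel-booking application.
# Element names are illustrative only; they are NOT the actual CARML schema.
DECLARATION = """
<AppDeclaration app="TravelBooking">
  <Attributes>
    <Attribute name="mail"/>
    <Attribute name="givenName"/>
    <Predicate name="isAdult" derivedFrom="birthDate"/>
    <Role name="BusinessClassFlier"/>
  </Attributes>
  <Transactions>
    <Transaction name="lookupTraveler" type="read">
      <Uses>mail</Uses><Uses>givenName</Uses><Uses>isAdult</Uses>
    </Transaction>
    <Transaction name="findFrequentFliers" type="search">
      <Uses>BusinessClassFlier</Uses>
    </Transaction>
  </Transactions>
</AppDeclaration>
"""

def load_declaration(xml_text):
    """Parse the declaration and reject transactions that use undeclared data."""
    root = ET.fromstring(xml_text)
    declared = {e.get("name") for e in root.find("Attributes")}
    txns = {t.get("name"): {u.text for u in t.findall("Uses")}
            for t in root.find("Transactions")}
    for name, uses in txns.items():
        if not uses <= declared:
            raise ValueError(f"transaction {name!r} uses undeclared data {sorted(uses - declared)}")
    return {"app": root.get("app"), "declared": declared, "transactions": txns}

def check_request(decl, transaction, requested):
    """Allow a runtime request only if its transaction and every data item were declared in advance."""
    uses = decl["transactions"].get(transaction)
    if uses is None:
        return False, f"undeclared transaction {transaction!r}"
    extra = set(requested) - uses
    if extra:
        return False, f"data not declared for {transaction!r}: {sorted(extra)}"
    return True, "ok"

def privacy_impact_summary(decl):
    """Everything the application can ever receive, as input to a Privacy Impact Assessment."""
    used = set().union(*decl["transactions"].values())
    return {"app": decl["app"], "declared": sorted(decl["declared"]),
            "used": sorted(used), "declared_but_unused": sorted(decl["declared"] - used)}
```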

Why is multi-protocol so important?

There are many different identity systems in existence today. Some are based on SQL databases, many are based on LDAP directories. Still newer systems are evolving based on SAML, WS-Trust, Liberty Identity Web Services (ID-WSF), and OpenID. In order to meet the needs of the widest set of applications, it is clear that an API must be able to support access to identity information regardless of how it is stored or what protocol is used to access it. The multi-protocol approach forms the basis of the ArisID API.

What is “enterprise-grade” open source?

Enterprise-grade means taking the secure computing and development practices found in enterprise systems development and applying them to an open source project. Developers of enterprise applications, whether commercial or open source, expect to be able to depend on this open source project as they would on any other commercial enterprise software product. The Project Aristotle community is working to deliver enterprise-grade open source software.

What benefits does the ArisID API declarative approach provide to developers?

The declarative approach greatly simplifies the actual API used by developers to access and manipulate identity information. Because an XML declaration is created in advance, many of the parameters required in popular APIs like JNDI, or even JDBC, are eliminated. The API is able to react more intelligently because it has the full context of what the developer wants to happen in advance.

ArisID Beans are a good example. The ArisID Beans module of the ArisID API takes the CARML declaration and generates Java beans. Each ArisID bean represents a specific instance of a subject identity, with schema and methods corresponding to the CARML declaration. For each generated bean type, a manager class manages the life-cycle of the entity beans. This gives the application its own notion of entity lifecycle management while at the same time being able to interact intelligently with external enterprise identity services.

What benefits does ArisID deliver to governments and organizations?

The misuse of identity data is a serious risk and source of liability for governments and organizations. IGF allows governments and organizations to audit and document how identity data is being used by services and applications, and also the constraints governing its use. ArisID delivers a valid implementation of the IGF specifications. This means that governments and organizations can now begin to demand IGF compliance for all applications that consume and use identity information. Enterprises deploying applications built on the ArisID API gain an application compliant with the IGF specifications, which makes privacy impact assessments much easier to perform and simplifies deployment and integration with existing enterprise identity services environments.

What benefits does ArisID deliver to people?

Identity data about citizens, customers and end-users is collected by a wide variety of businesses and service providers under certain agreements and provisions concerning its use. Use of IGF by businesses and service providers would help them demonstrate that identity data is being managed and used in compliance with the agreements and provisions under which the data was acquired. ArisID helps deliver a new class of applications that are IGF compliant.

What can developers do with ArisID today?

Developers and architects can begin evaluating and using the fully functional ArisID API as part of their application development projects. In conjunction with today’s OpenLiberty.org news, Oracle is releasing the Oracle OVD Provider, a preview of an ArisID information provider that supports flexible access to a range of identity sources and is one of the first examples demonstrating the benefits of the ArisID API. The preview includes several sample code modules to allow developers to learn about the API features and understand the ArisID API architecture.

What’s next for ArisID and the Aristotle Project?

Going forward, we are working to expand the ArisID community by recruiting developers to provide feedback and to help further develop the ArisID API. Members of the Aristotle Project are also working with the open source community, the global identity industry and identity vendors to develop additional ArisID information providers, in order to ensure a diverse ecosystem of ArisID implementations that gives enterprises maximum choice and flexibility in deploying identity-services applications.

Where can we get more information?

We’ll keep developers, vendors and the global identity community updated about ArisID developments. All individuals and organizations interested in collaborating on the further development of ArisID information providers and declarative open source identity systems are encouraged to join the Project Aristotle community at OpenLiberty.org. More information is available at the ArisID wiki at ProjectAris
