IGF Introduction

From OpenLiberty.org Wiki



Identity Governance Framework Open Source Project

Overview

Introduction To IGF

The Identity Governance Framework (IGF) is concerned with the secure and appropriate exchange of identity-related information between users, applications and service providers (both internal and external). That exchange is the basis for providing deeper and richer functionality in a service-oriented architecture.

Sensitive identity-related data such as addresses, social security numbers, bank account numbers and employment details are increasingly the target of legal, regulatory and enterprise policy. Examples include, but are not limited to, the European Data Protection Initiative, Sarbanes-Oxley and Gramm-Leach-Bliley.

The Id Governance initiative assists entities managing identity data with increased transparency and demonstrable compliance with respect to policies for identity-related data. It would allow corporations to answer questions such as: Under what conditions may user social security numbers be accessed by applications? Which applications had access to customer account numbers on January 27, 2007?

The IGF Open Source Project

The objective of this open source project is to provide a set of libraries and technologies that developers and the identity management vendor community can use to build products, tools and applications that consume, provide and manage identity-related information in an open way, based on standard protocols that implement the Liberty Alliance Identity Governance proposed requirements and (at present) pre-draft recommendations.

This project is sponsored by OpenLiberty and its members, with the objective that all components developed under OpenLiberty may eventually be contributed to the Apache Software Foundation under the Apache 2.0 License.

It is important to note that this project will run in parallel with Liberty Alliance’s Expert Group process which will complete and ratify the proposed standards. While this project will be a strong influencer of the standards process it does not have the ability to set the standards. Because of this, nothing in the initial implementation is guaranteed and is subject to change as the standards process progresses.

Project Objectives

Developers today face an ever-broadening set of protocols and APIs for accessing and consuming identity-related data. These include classic "back-end" APIs like JNDI (e.g. for LDAP) and JDBC (e.g. for SQL) and newer "front-end" or user-agent protocols like WS-*, ID-WSF and OpenID. Developers can also build web forms, or depend on a policy server or other mechanism to populate HTTP headers with identity information. While this has been great from an innovation perspective, it has further complicated the use of identity information from a developer's perspective.

Developers are currently forced to select specific protocols and architectures in order to keep development costs at a reasonable level. Faced with this problem, application developers most often create identity silos in order to ensure the widest deployment acceptance of their applications. A major objective of this open source project is therefore to create an abstraction API that shields developers from protocol and vendor dependencies and thus increases adoption of identity services as a whole. This should improve the security of applications, help protect our collective privacy and, we hope, expand the identity services marketplace.

The IGF project's key objective is to demonstrate an IGF implementation over a wide set of protocols. To do this, the project plans to:

  • Solve the developer binding dilemma through the development of an identity services abstraction API enabled by the Client Attribute Requirements Markup Language (CARML) declaration specification.
  • Develop a general-purpose identity services stack that provides multi-protocol provider support using CARML.
  • Develop a multi-protocol set of identity provider services that supports AAPML policy.
  • Develop IDE tools (e.g. a set of Eclipse plug-ins) that let developers easily leverage the identity services abstraction API and simulate identity providers and repositories in order to fully debug application code.

Other objectives:

  • To develop common audit services that show how IGF supports GRC requirements and activities.
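As an added illustration of the pattern these objectives describe (this is not code from the IGF project, Higgins, or the CARML/AAPML proposals, and it is written in Python rather than the project's Java), the sketch below shows the four pieces working together: a client declares the attributes it needs and the purpose for each, an attribute authority publishes which purposes and applications it permits for each attribute, an abstraction layer checks the whole declaration against that policy before touching any backend, and an audit trail answers the question posed in the Overview, namely which applications had access to a given attribute on a given day. All class names, the declaration and policy shapes, and the sample directory and account data are constructed for this example; they are not the real CARML or AAPML schemas.

```python
"""Declaration-driven attribute access with policy enforcement and an audit trail.

Hypothetical sketch of the IGF pattern (client declaration, authority policy,
abstraction layer, audit); names, schemas and data are constructed for this
example and are not the IGF, CARML, AAPML or Higgins code.
"""
from collections import namedtuple
from dataclasses import dataclass
from datetime import date, datetime, timezone
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class AttributeRequirement:
    """One line of a client declaration: the attribute and the purpose it serves."""
    name: str
    purpose: str


@dataclass
class AuthorityPolicy:
    """Per attribute: permitted purposes and the applications allowed to read it."""
    allowed_purposes: Dict[str, Set[str]]
    allowed_apps: Dict[str, Set[str]]

    def permits(self, app: str, req: AttributeRequirement) -> bool:
        return (req.purpose in self.allowed_purposes.get(req.name, set())
                and app in self.allowed_apps.get(req.name, set()))


AuditRecord = namedtuple("AuditRecord", "when app subject attribute purpose granted")


class PolicyViolation(Exception):
    """Some attribute in the declaration is not permitted for this caller/purpose."""


class AttributeService:
    """The abstraction layer: applications call fetch() and never see LDAP or SQL."""

    def __init__(self, policy: AuthorityPolicy, providers: Dict[str, Callable[[str], str]],
                 clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.policy = policy
        self.providers = providers  # attribute name -> backend lookup function
        self.clock = clock          # injectable so the audit trail is reproducible
        self.audit: List[AuditRecord] = []

    def fetch(self, app: str, subject: str, declaration: List[AttributeRequirement]) -> Dict[str, str]:
        # Decide on the whole declaration before touching any backend, so a request
        # that is only partly permitted cannot leak the permitted part.
        denied = [r for r in declaration if not self.policy.permits(app, r)]
        now = self.clock()
        for r in declaration:
            self.audit.append(AuditRecord(now, app, subject, r.name, r.purpose, r not in denied))
        if denied:
            raise PolicyViolation(f"{app} may not read {[r.name for r in denied]}")
        return {r.name: self.providers[r.name](subject) for r in declaration}

    def apps_with_access(self, attribute: str, on: date) -> List[str]:
        """The governance question: which applications read `attribute` on day `on`?"""
        return sorted({rec.app for rec in self.audit
                       if rec.attribute == attribute and rec.granted and rec.when.date() == on})


def demo():
    """Run one permitted and one refused request against constructed sample data."""
    directory = {"alice": {"mail": "alice@example.com", "ssn": "000-00-0000"}}  # think LDAP
    accounts = {"alice": {"account_number": "1234567890"}}                       # think SQL
    providers = {"mail": lambda s: directory[s]["mail"],
                 "ssn": lambda s: directory[s]["ssn"],
                 "account_number": lambda s: accounts[s]["account_number"]}
    policy = AuthorityPolicy(
        allowed_purposes={"mail": {"notification"}, "ssn": {"tax-reporting"},
                          "account_number": {"billing"}},
        allowed_apps={"mail": {"newsletter", "billing-app"}, "ssn": {"payroll"},
                      "account_number": {"billing-app"}})
    fixed = datetime(2007, 1, 27, 9, 0, tzinfo=timezone.utc)
    svc = AttributeService(policy, providers, clock=lambda: fixed)

    billing_decl = [AttributeRequirement("mail", "notification"),
                    AttributeRequirement("account_number", "billing")]
    granted = svc.fetch("billing-app", "alice", billing_decl)   # permitted in full

    try:   # an SSN for a purpose the authority never allowed: refused and audited
        svc.fetch("newsletter", "alice", [AttributeRequirement("ssn", "marketing")])
        refused = False
    except PolicyViolation:
        refused = True

    day = date(2007, 1, 27)
    return granted, refused, svc.apps_with_access("account_number", day), svc.apps_with_access("ssn", day)
```

Two design points carry over to a real implementation: the policy decision is made on the complete declaration before any backend is queried, so an application cannot obtain the permitted half of a mixed request, and refusals are written to the audit trail alongside grants, so the "which applications had access on this date" query and a "who tried and was refused" query read the same records.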

Platform Support

The project will initially develop Java components for Java developers and Java application servers that prototype the implemented requirements. Development will be done in Eclipse and based on Java 5.

Over time, the creators would like to see migration to other languages (C, Perl, PHP, etc.) and platforms such as .NET, as well as other popular IDEs like Sun's NetBeans, Oracle JDeveloper and Microsoft Visual Studio.


Next Steps

At this time, the project is in its inaugural phase. We expect the following steps to take place next:

  • Finalize design specs, design cases, and features
  • Finalize high-level architecture
  • Identify key contributing libraries and related projects
  • Build project plan and milestones

Further Reading

PRESENTATIONS

  1. Presentation on IGF Attribute Services January 2008.

ESSENTIAL

1. Id Governance - Identity Privacy and Access Policy MRD
COMMENT: The key material is in section 1.4 and 1.5. The rest of the document works thru this material in much more detail with concrete scenarios.
2. Overview of the Id Governance Framework
COMMENT: This is an informal summary of the MRD (aka "MRD-lite"). It is made up of exactly Sections 1.4 and 1.5 from the MRD with additional explanatory material.

RELEVANT

1. ORCL proposal for CARML specification
COMMENT: Provides a concrete example of a "Client Attribute Requirements Markup Language".
2. ORCL proposal for AAPML specification
COMMENT: Provides a concrete example of an "Attribute Authority Policy Markup Language".
3. W3C P3P 1.0 Specification
COMMENT: The focus of this work is on the relationship between browser-equipped end users and web sites. This is quite distinct from the IGF focus area. However, Section 3, Policy Syntax and Semantics has relevance to IGF and should probably be referenced going forward.

OF INTEREST

1. P3P Policy Attributes for LDAP, Mark Wahl
SUMMARY: This document defines attributes for use in the Lightweight Directory Access Protocol (LDAP) which contain URIs for privacy policy documents. These documents describe the privacy policy concerning access to a directory server, and the privacy policies that apply to the contents of the directory (a subtree of entries).
2. Information Accountability, Daniel J. Weitzner, Harold Abelson, Tim Berners-Lee, Joan Feigenbaum, James Hendler, and Gerald Jay Sussman, MIT-CSAIL-TR-2007-034
SUMMARY: Argues that privacy is closely linked to accountability, and that establishing accountability mechanisms for entities that handle personal data provides an appropriate privacy model for the web.
3. (WS-XACML) Version 1.0 Working Draft 10, 10 August 2007
SUMMARY: Proposes the use of WS-Policy and P3P privacy statements to model privacy constraints for web services.
4. Higgins Identity Attribute Service
SUMMARY: The Identity Attribute Service (IdAS) component provides a virtualized, unified view of, and a common means of access to, identity information from multiple heterogeneous data sources.

Important Links

Related Open Source Projects

  • Apache Software Foundation – the IGF Project will favor components and libraries available under the Apache 2.0 license. This is to enable maximum use by the developer community without providing restrictions on use or forking. Any use of identity services is to be encouraged!
  • Higgins & Bandit Projects – the IGF Project proposes to share much of the architecture established by the Higgins and Bandit Projects and will use the Higgins Identity Attribute Service code for the initial Java implementation. Because Higgins IdAS is available only under the EPL, this first implementation may require separate downloads of the Higgins project code and the IGF Project code due to the dual-license status. It is our hope to simplify this arrangement as the project progresses.

Events

All events and calls are also available on the IGF Online Calendar.

  • October 23, 2007 - RSA Europe 2007 - SOL-108 - The Identity Governance Framework: Liberty Alliance's Privacy Initiative presented by John Aisien of Oracle

Note: the October 25th IGF Project call is cancelled due to the Liberty Plenary Meeting October 22-26 in Tokyo.

Get Involved

We hold conference calls on the 2nd and 4th Thursday of each month at 8 AM Pacific time.

Call information available here.

Join the mailing lists.

To contribute code, you will need to agree to the Apache 2.0 CLA and you will need a SourceForge ID. After creating your SourceForge ID, please provide your background and SourceForge ID via email to igfman at users.sourceforge.net to join the IGF SourceForge project.
