Introducing JSR 351 - The Java Identity API

The Java JCP has approved a new JSR relating to the use of Identity information within Java. The JSR351 charter is:

To define application programming interfaces and identity interaction models that facilitate and control the use of identity by applications and in access control decisions.

Ron Monzillo gave a talk (presentation available here) at JavaOne on JSR 351, I'll paraphrase his presentation with some of the highlights here:

Privacy Day» Developer Tools» IGF

It's privacy day, and it seems like a good time to re-introduce folks on the long-running Identity Governance Framework project.

For a few years now, Oracle has been working hard on laying some privacy groundwork for developers. This project initially started with the development of a standard specification called the Identity Governance Framework. The objective of IGF was simple: define some declarations that define:

• What personal information applications are using
• What operations are performed against that data
• What are the constraints on its use?

Additionally we fed important data into the XACML standards process to ensure that XACML access control systems could be used to fine-grained access control to data and resources (especially personal attributes).

Oracle also initiated two open source projects called ArisID and OpenAz to implement these standards. Check them out. It seems simple, and it is. But what these tools do is enable a powerful attribute service platform that stands to improve the privacy capabilities that developers can include in new applications.

Oracle has begun to incorporate this technology into its Fusion products (see Oracle Reference Security Architecture here)bringing further validation to the technology. The good news? It is available to any developer to use under Apache 2.0 License. Check these projects out.

I'll also point you over to Ian Glazer's recent article in his continuing series on privacy called "I 'like' you, but I hate your apps".

WHAT ISN’T OUT THERE

Unfortunately, your needs and the needs of the app developers aren’t addressed by both UMA and personal data stores. In order to meet these needs, device and platform makers must build “concern for the other” into their products. This is a big “D” design problem that requires not just user-experience intelligence but also classically trained design expertise. Baking “concern for the other” into products can be used to gain a competitive advantage in a market. By acknowledging that referencing information and pulling it from the source when needed, is superior to copying it, app developers have an opportunity to both mitigate their risks as well as provide better controls.

Ian makes an important point here about "concern for the other". Whenever personal information needs to be shared or used, it is important that underlying data systems know the what, where, when, and why it will be used. ArisID and OpenAz help to do just that.

Work on IGF is still ongoing. At present we are looking at improved Java language support for developers including annotations, security integration, etc. Stay tuned for more info!

Not just write once, run anywhere, but delpoy and deliver anywhere too!

"Not just write once, run anywhere, but delpoy and deliver anywhere too."

That statement is a quote from Nandini Ramani, Director of Java Development at Oracle (formerly Sun), recently talking about the need for JavaFX in this video. Instead of dealing with the many types of display devices, mobile phones, etc, JavaFX provides a platform for abstracting away the complexities of the myriad of displays and desktops.

I can't help but think how the same problem occurs for application developers writing applications that consume and use personal information. Just as applications have to deal with differing displays, keyboards and keys, identity applications have to deal with different methods of transfer and differing ceremonies (e.g. with user-centric protocols) with each exchange of information, and even differing modalities (as I described last year).

Developers that want applications to deploy and deliver anywhere, have to consider how to support the huge variety of data stores, network configurations, and protocols (LDAP, federated, user-centric), and as well as information governance and assurance issues.

Just as abstracting implementations into layers helps JavaFX, layered abstraction is a key cornerstone to how we are developing the ArisID API going forwards.

First Open Source Reference Implementation of IGF 1.0

Over the past few months, a good deal of progress has been made around IGF and the open source implementation around it. In particular, last fall, Liberty Alliance ratified the IGF 1.0 specification as final. In mid January we published ArisID 1.1, the first open source implementation of IGF 1.0. Finally in late January, we checked in the first implementation of an open source provider based on OpenDS 2.2 (more on that below).

ArisID is an API for accessing and managing personal or identity related information using CARML as an XML data model. In addition to being useful from a privacy perspective, CARML enables important new developer features:

• The ability to automatically generate a data model in the form of Java beans.
• The ability to use sophisticated data providers that can connect applications to personal information sources using multiple protocols and virtualization.

If the principles of using an XML data model sounds familiar, it should. ArisID follows very similar architecture to Java Persistence Architecture. The key difference is that use of the CARML data model does not assume the pre-existance of a particular database or LDAP schema. Instead, a developer is able to create an application specific data model and write code as if the data model were a straight forward database. Then, at runtime, the provider layers of the API can be configured to connect to many different types of data repositories and network configurations including multiple directories or databases. With little effort, developers are able to create sophisticated applications that have much greater deployment flexibility in the types of data sources and repositories they can support, including remote and third-party sources.

Starting with the Oracle Fusion Middleware 11gR1(PS2) release, Oracle began to integrating this technology into its own products, setting the stage for a new level of support for open protocols and scalable enterprise deployment scenarios. For more information on how Oracle is using IGF and ArisID in 11gR1, check out the whitepaper, "Oracle Identity Management 11gR1".

As mentioned earlier, ArisID depends on "provider" modules to do the work of implementing data model requirements as expressed in application specific CARML declarations. At present there are now 2 implementations available:

• The Oracle OVD Provider for ArisID "Preview" is the first provider to support the ArisID 1.0 API. A developer preview is available here. Expect an update in the next quarter regarding ArisID 1.1.
  
• A brand new OpenDS 2.2 provider for ArisID is now available in the openLiberty sourceforge project repository. The new OpenDS provider allows developers to use OpenDS instead of OVD as a repository for applications using ArisID 1.1. The OpenDS Provider for ArisiD the first fully open source ArisID Provider implementation. For more information consult the readme file contained in the OpenDS Provider for ArisID distribution zip.

Project Aristotle is now moving forward with efforts to support integration into popular IDEs. As always, new contributors are always welcome, please see the OpenLiberty.org web site for more information. Also, feel free to subscribe to the igf-dev mailing list.

Finally, thanks to the OpenDS team (Ludovic, Bo, Matthew) for their assistance in helping to get the first open source implementation of a provider for ArisID done. In some respects, the Oracle/Sun merger delayed a lot of this work, but now that it is done, we can get back to work and contribute more to our respective projects. As Nishant Kaushik says, Sun + Oracle = Exciting Days Ahead! By the way, click here for webcasts about Fusion Middleware and in particular Identity Management.

The Twitter Attack And Improving Application IDM

TechCrunch posted an article: "The Anatomy of the Twitter Attack" that details how an attacker leveraged use of search, social, and public email services to hack the Twitter corporate services.

...modern web applications have built out their own systems and policies that require a user to register and then manage their identities separately with each app. The identifier that most applications use is an email address, and it is this common factor that creates a de facto trust relationship between a user’s applications. The second factor is a password: a random string that only the user knows, is unique to each application, and in theory should take even a computer months or years to figure out if it started guessing. These two elements would work well enough for most cases, were it not for what is often the single weakest factor: human habit.

If you were looking for an example of why web applications should move towards supporting federated identity and identity management services rather than rolling their own identity management systems, well, this is the poster-child case.

Look at the front page of almost any web application and you will see hints at just how hopeless and helpless we are in managing our digital lives: “forgot my password”, “forgot my username”, “keep me logged in”, “do not keep me logged in”, “forgot my name”, “who am i?”. Features that were designed and built as a compromise since we are often unable to remember and recall a single four-digit PIN number, let alone a unique password for every application we ever sign up for. Each new service that a user signs up for creates a management overhead that collapses quickly into a common dirty habit of using simple passwords, everywhere. At that point, the security of that user’s entire online identity is only as strong as the weakest application they use - which often is to say, very weak.

The article is quite long, but is very worth while reading. It shows how one weak application can be used to weaken the security of another (directly and indirectly). In this case, password recovery at an unrelated email service was the vector that unlocked valuable information at Twitter according to TechCrunch. To be fair to the web sites mentioned in the article, this identity management (IDM) stuff is hard. Many have done a pleasing job that works well on their own for their user constituencies. But this article shows how hackers can use social attacks to leverage multiple sites together to gain an advantage.

As you may know Oracle's approach to IDM is to be application-centric, to focus in on the issues relevant to making secure applications. Products like Oracle Adaptive Access Manager, OAM, Oracle Identity Manager, (not the mention the entire suite) really go a long way to provide the tools needed for secure IDM infrastructure.

But Oracle, and the members of Liberty Alliance, and now Kantara are going much further to figure out a way to recruit more application developers to leverage identity services through a common set of secure middleware components and technologies that lowers development costs, improves privacy, and ultimately the security of applications and their users. To broaden this industry effort, Oracle and many others initiated a standardization effort called the Identity Governance Framework with Liberty Alliance. Together we also initiated development of a free and open-source API called "Project Aristotle" under openLiberty.org. This work is still in development, new participation and input are greatly welcomed!

Aristotle Project Wins Award

I am happy to announce that Project Aristotle won an award for "Best new or improved standard" at the European Identity Conference. The win is shared with the Open Authentication (OAuth) and the Information Card Foundation (ICF).

The European Identity Award for the category “Best new or improved standard” went to the Aristotle Project for ArisID, an important enhancement of IGF (Identity Governance Frameworks) and CARML, which enhances user-friendliness of these important standards for IAM and GRC. This particular innovation had been promoted and supported by Oracle. The standardization initiative OAuth (Open Authentication) receives an award for their streamlined approach for authentication standardization, which finds a lot of market interest. The last award in this category goes to the Information Card Foundation (ICF) for standardizing the important approach of Information Cards for future identity management.

Congrats to the contributors of openLiberty, the members of Liberty Alliance TEG, as well as my colleagues at Oracle, who all contributed to the effort. Congratulations to OAuth and ICF as the co-winners!

A special thanks to Kuppinger Cole for organizing the event and for taking the time to recognize the efforts of all the award winners and of standards development in general.

Building Internet Identity (WWDS Pt 2)

Last week, I responded to Dave Kearn's article "How a universal directory might work". I commented that there does not need to be some centralized service managed by one or a few vendors to unify directories or virtual directories. Rather, the solution needs to be akin to the kind of thing that created the Internet itself, TCP/IP's stack architecture.

Project Aristotle is the beginning of one such "stack" for identity services. Project Aristotle uses CARML (Client Attribute Requirements Markup Language) to act as an application's identity object model for identity services. When an application has declared an identity data model, it becomes possible to have a technology "stack" that can service an application's requirements in a protocol neutral way -- much the same way that TCP/IP could interconnect networks across many different types of media. Because the services layers below the application can understand the application's requirements (from the CARML data object model), they can begin to automate the complex processing it takes to map, route, and adapt to the necessary wire protocols. Further, this stack can also service other components of an application server, namely authentication and authorization services - bringing disperate components together to use a common identity service.

Aside: The idea of using an identity object information model for application development may seem radical and new. But actually, this has been done before in the database world. TopLink is an object-relational mapping package that was developed for SmallTalk and later Java. Learning from TopLink, means we can move ahead with a proven programming concept combined with proven technology such as virtual directories that can act as just one possible implementation of many in an open identity market.

For Oracle, Project Aristotle will make it much easier to develop applications that can use almost any type of identity service at a much lower cost, and with a lot more flexibility and reliability. More importantly it gives the businesses that deploy these applications, the ability to decide what protocols, policies, and technology systems are most appropriate for their enterprise environment without requiring customization of the application. Application developers are freed from having to become expert in many different types of identity services infrastructures and protocols. After-all developers shouldn't need to have a deep knowledge of identity protocols - they should be able to just use a well tested, easy-to-use stack-based approach that allows any vendor or open source technology to be used.

Project Aristotle is being developed at OpenLiberty. While OpenLiberty is receiving major contributions from Oracle, Project Aristotle is being developed in an open community of participants. Accordingly Project Aristotle (ArisID) welcomes and encourages contributions to this project! All that is required is the signing of the Apache CLA agreement. Oh, and by the way, if anyone wants to work on other programming language bindings for Project Aristotle, we're looking for that too!

Isn't it interesting that all this started from a desire to improve the transparency about how applications use identity-related information and to create Identity Governance within applications. The side-effect of governance, has been a new approach for dramatically improved identity services in the future!

Dave Kearns Suggests "World Wide Directory Service"

In his most recent column, Dave Kearns comments on IGF and how it could be used with virtual directories to form a world wide directory service.

This is a very interesting thought, but Mark Wilcox and I agree, a universal directory service operated or controlled by a single vendor isn't the right way to solve federated provisioning. For one thing, LDAP isn't the only requirement. Today's techniques for exchanging identity information involve many methods, and many modes (browser-based and backend-based). Any solution has to handle multiple identity protocols and should have no central point of control or storage. The implementation should not be owned by one vendor, it should be open, available for anyone to adopt and use. Rather than anything that approaches vendor lock-in, the solution has to be adjustable - preferably on-the-fly. The solution should be configurable and policy driven so that multiple technologies and providers can be used.

The need to link separate identity repositories around the world reminds me of the early days of enterprise networks. We used to talk about Ethernet networks, Token Ring, or even AppleTalk networks. These were standalone networks that tended to be isolated and self-sufficient with no concept of outside connectivity. Connections between networks were rare and expensive to implement. In part because the media (type of wire) for the network meant new protocols to handle communication. The TCP/IP "stack" came along and abstracted issues of network media and inter-network routing into layers. Everything changed. The Internet itself was born.

Applications today are at a similar crossroads. If they use identity services, the services are isolated to a single enterprise directory service. The problem? We as humans cross organization boundaries all the time. Applications are unable to expoit the power of the "Internet" when it comes to identity services. In the same way as TCP/IP solved media and inter-network challenges, applications need some way to handle the different protocols used in different enterprise networks. Most importantly, if we start networking identity information, applications and the enterprises that use them need a way to be able to respect privacy and ensure that the information being transferred is appropriate and secure.

What is needed is a multi-protocol identity networking "stack" that developers and service providers can use to interconnect systems. Instead of solving media and networking issues, this stack needs to solve identity mapping, routing, and protocol conversion. While IGF was originally specified for Identity Goverance, it turns out Dave Kearns is right, the IGF specifications may be an important part of the solution. More on that next time...

Defining Identity Modality

During my last webcast about Project Aristotle at OpenLiberty Project, I introduced a new concept called Identity Modality. The idea occurred to me as I was trying to describe the different types of identity exchange protocols and methodologies and how they impact developers.

I noticed there are several different ways and modes in which information is exchanged. There are times when the user is present (online) or is absent (offline), there are times when the transfer occurs through a backend system (such as with a database), and times when it occurs directly via the user. Finally, there are simple transactions (atomic) and then there are multi-step or workflow like transactions.

If you take these 3 different dimensions and place them on a 3-dimensional axis and plot popular means of exchanging identity information (based on typical usage), there are some interesting observations that can be made.


What struck me is how the notion of a front-end or browser-based protocols create a 3rd dimension of information exchange. The diagram also shows why SQL based systems are so ubiquitous - because it fully encompasses user-online/offline, atomic vs. workflow based transactions. Likewise LDAP, covers a smaller area, because it was intended as a lightweight, atomic (single-operation at a time) protocol. Where SQL fully exists in 2-dimensions, LDAP exists only in the atomic space handling both user online and offline scenarios.

Considering the challenges of developers writing applications and the objectives of Project Aristotle, the chart suggests why applications dealing with multiple modes of identity communication face a huge challenge. It becomes one the reasons why most applications end up with their own identity "silos" -- it's much easier to ignore systems outside the application.

One of the objectives behind the architecture of ArisID is to be able to handle all of these modalities through a single API. A loosely-coupled architecture means Identity modality does not have to be restricted to a specific hard-coded set of choices, but rather be configuration-based leveraging policy and environmental requirements.

ArisID & OVD Tutorial Available

A tutorial explaining how to use Oracle Virtual Directory as a "provider" for the ArisID open source API is now available on Oracle Technology Network.

As mentioned on the recent webcast, this is the first provider made available for ArisID.

If anyone else would like to help with Project Aristotle, or begin writing a provider of their own, drop us a line, we'd love to help get more implementations going!

Felix Gaehtgens on ArisID

Felix Gaehtgens of Kuppinger Cole comments on the birth of ArisID...

For one, Identity Governance is definitely a problem, but not one that is seen to be very urgent - there are typically many other open problems that have the focus and attention of IT professionals. This may be short-sighted however, because regulation is certain to become tighter and relate more directly how identity information is being treated and handled. The advantage of embracing ArisID is that its benefits in terms of Identity Governance come "for free" with the additional advantages that the framework brings.

ArisID Webcast Presentation and Demo Video

Thanks to all who attended the webcast on ArisID this morning! It’s always great to talk about this stuff and share ideas!

A copy of the presentation can be obtained here.

Also, as promised, here is a video of the Sonic Records ArisID demonstration. You can view it online here. Or, you can download the full-size video here (24MB).

Phil

Webcast on ArisID - Dec 11, at 8AM PDT

From Liberty Alliance:

ArisID, the first open source software implementing Liberty Identity Governance Framework (IGF) components, provides enterprise developers and system architects with a library for building enterprise-grade identity-enabled applications using multiple identity protocols, and lays the groundwork for allowing enterprises to manage and audit the identity requirements of business applications based on declarative IGF policy specifications. This webcast will provide participants with an overview of the ArisID API, discuss benefits for developers and enterprises, and review the project roadmap. Developers will understand how to begin using ArisID to build IGF-based applications and the identity community and vendors will gain insight into how the open source ArisID API and information providers help fulfill multi-protocol identity management requirements.

Registration

For those of you who have been following my blog, you'll know I've been talking for sometime about IGF and the need for a declarative identity API in order to making identity services more relevant to developers. Here's your chance to see more about what I've been talking about all this time.

For more information, check out Paul and Robin's blog posts, scooping me on my own presentation! :-)

Project Aristotle

Good news!

For some time now, there has been a lot of work going on at OpenLiberty to design a new "declarative" API that enables application developers to write applications that consume, and manage identity information in a way that allows infrastructure components take care of all the nasty problems like
* Which protocol to use
* What data providers are appropriate for the current transaction
* How do I write robust code given that I don't know the protocols or APIs very well?

Well, the answer is here. Release 1.0 of ArisId is now available at OpenLiberty.

The ArisID API implements the CARML (Client Attribute Requirements Markup Language) and Privacy Constraints IGF specifications Liberty Alliance released earlier this year. ArisID demonstrates how CARML and Privacy Constraints policies may be used by developers to create declarative identity applications. The open source ArisID declarative approach defines what identity-enabled transactions can be performed to ensure applications only use identity information required to complete a transaction. This allows developers to build secure identity-enabled enterprise applications that are easily auditable and protect the personally identifiable information (PII), such as a social security number or credit information, of people engaging in enterprise identity-enabled transactions.

Be sure to read the full press release here.

I would like to thank my Oracle colleagues who have contributed to the project, as well as the members of OpenLiberty for hosting this project. There is much more to come, stay tuned!

Further reading:
* Open Liberty Project Aris Site
* Liberty Alliance Press Release
* Frequently Asked Questions
* Oracle Provider for ArisID
* IGF Standards and CARML Specifications