Higgins: an API for identity
A long tail
Identity is an essential enabler for eCommerce; unfortunately, it's currently a bit of a mess. However, there is hope...
Like Microsoft’s InfoCard and Kim Cameron’s vision of an identity metasystem, the open source Higgins identity project aims to move us away from the current hotchpotch of identity systems. InfoCard concentrates on a consistent user experience; Higgins aims to simplify things for developers.
Today developers have to learn each individual identity system; and what you have to learn to work with user names and passwords or PKI certificates doesn’t help much if you want to use Shibboleth, YADIS or OpenID. Then, Google and Yahoo both have their own authentication APIs to learn. The OpenPGP API is freely available but you’ll need to buy a toolkit from RSA if you want to develop an RSA PKI. And if you want to support both IRC and Jabber in your system, you have to manage two identification systems. There are also multiple standards for working with identity: LDAP, WS-Trust, Liberty Alliance, SAML and more, and the code you develop for one system won’t work with another.
Higgins is a project to create an Eclipse framework to abstract both identity data and also interactions with identity services, so that you can build your own identity management infrastructure. It was originally called the Eclipse Trust Framework and then renamed after a long-tailed mouse in a reference to the long tail of the many identity systems they hope to support. And that means you’ll be able connect to multiple identity systems without having to learn and write code for all of them. This is a substantial undertaking: Higgins will have to deal with a wide range of identity providers as well as with the client software like the browsers and IM (Instant Messaging) tools where people use their identities. To access an identity system in your application, you’ll need a plug-in that uses each identity system’s native protocols or APIs to map the information from that specific identity system to the abstractions of the Higgins framework; one for LDAP, one for SAML, one for InfoCard, one for OpenID and so on.
As an open source project, anyone can contribute an adaptor, for an existing identity system or a new one: IBM can contribute an adaptor for Tivoli and also support Higgins to allow Tivoli to work with other identity systems in turn. Paul Trevithick – who is both a member of The SocialPhysics Project that Higgins is part of and part of Parity Communications, which contributed much of the initial Higgins code - expects to see a WS* service for Higgins soon, so you can use Higgins on a Mac or Linux system to interoperate with InfoCard. He explains that “the problem is deep and no one vendor or technology can solve it alone; in order for this to work it has to run on all platforms.”
The list of planned plug-ins also includes Active Directory, XMP (the Extensible Messaging and Presence Protocol), Extensible Resource Identifiers, Firefox, Internet Explorer, Lotus Notes, Exchange, Groove, Outlook and Workplace. None of these will be finished until the project reaches 1.0 status in 2007.
To a user, Higgins will group identities into a profile where they can view and change information in one place, rather than updating multiple systems. For developers, identities are in contexts; an LDAP context would include the users in your company directory, along with metadata describing relationships between them. For each context the plug-in provides services that allow the framework to communicate with that identity system, so for LDAP you’ll have services both for the LDAP server and for LDAP client applications.
Information from each context will be passed back to Higgins’ base context (known as IContext), which means Higgins applications can associate information from different contexts. Applications can also navigate through the identities in a context, as long as the authorisation policy for that context allows it.
Higgins will also include an identity selector interface that you’ll use in your applications, so users always see the same interface when they’re choosing whichever digital identity they want to use and whatever information they’re happy to reveal.
The reference implementation of the Higgins framework will be in Java, making it portable between operating systems and architectures; and will use the authorisation that’s the basis of the Java security sandbox.
Trevithick wants to put identity back in the hands of the individuals being identified; he believes the new identity infrastructure “needs to work more on behalf of the user than anything else”. One key way Higgins will do that is by making the developer’s life easier when s/he works with identity, so s/he can spend his/her time making design decisions rather than researching the intricacies of different identity systems.®
Sponsored: Network DDoS protection