idpopenid.html 9.13 KB
Clément OUDOT committed
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:2.0:idpopenid</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,idpopenid"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpopenid.html"/>
<link rel="contents" href="idpopenid.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:idpopenid","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="https://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="https://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#shared_attributes_sreg">Shared attributes (SREG)</a></div></li>
<li class="level2"><div class="li"><a href="#security">Security</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="openid_server">OpenID server</h1>
<div class="level1">
<div class="notewarning">The OpenID protocol is deprecated; you should now use <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID Connect</a>.
</div>
</div>
<!-- EDIT1 SECTION "OpenID server" [1-136] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as an OpenID 2.0 server, which allows <abbr title="LemonLDAP::NG">LL::NG</abbr> to be federated with:
</p>
<ul>
<li class="level1"><div class="li"> Another <abbr title="LemonLDAP::NG">LL::NG</abbr> system configured with <a href="authopenid.html" class="wikilink1" title="documentation:2.0:authopenid">OpenID authentication</a></div>
</li>
<li class="level1"><div class="li"> Any OpenID consumer</div>
</li>
</ul>

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with the OpenID Authentication protocol <a href="http://openid.net/specs/openid-authentication-2_0.html" class="urlextern" title="http://openid.net/specs/openid-authentication-2_0.html"  rel="nofollow">version 2.0</a> and <a href="http://openid.net/specs/openid-authentication-1_1.html" class="urlextern" title="http://openid.net/specs/openid-authentication-1_1.html"  rel="nofollow">version 1.0</a>. It can be used only to share authentication, or also to share user attributes following the <a href="http://openid.net/specs/openid-simple-registration-extension-1_0.html" class="urlextern" title="http://openid.net/specs/openid-simple-registration-extension-1_0.html"  rel="nofollow">OpenID Simple Registration Extension 1.0 (SREG)</a> specification.
</p>

<p>
When <abbr title="LemonLDAP::NG">LL::NG</abbr> is configured as an OpenID identity provider, users can share their authentication using the identifier [PORTAL]/openidserver/[login], where:
</p>
<ul>
<li class="level1"><div class="li"> [PORTAL] is the portal <abbr title="Uniform Resource Locator">URL</abbr></div>
</li>
<li class="level1"><div class="li"> [login] is the user login (or any other session information, <span class="curid"><a href="idpopenid.html#configuration" class="wikilink1" title="documentation:2.0:idpopenid">see below</a></span>)</div>
</li>
</ul>

<p>
Example:
</p>
<pre class="code">http://auth.example.com/openidserver/foo.bar</pre>

</div>
<!-- EDIT2 SECTION "Presentation" [137-1125] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">

<p>
In the Manager, go in <code>General Parameters</code> » <code>Issuer modules</code> » <code>OpenID</code> and configure:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: set to <code>On</code></div>
</li>
<li class="level1"><div class="li"> <strong>Path</strong>: keep <code>^/openidserver/</code> unless you have changed the <a href="configlocation.html#portal" class="wikilink1" title="documentation:2.0:configlocation">Apache portal configuration</a> file.</div>
</li>
<li class="level1"><div class="li"> <strong>Use rule</strong>: a rule defining which users may use this module; set it to 1 to always allow.</div>
</li>
</ul>
<div class="notetip">For example, to allow only users with a strong authentication level:
<pre class="code">$authenticationLevel &gt; 2</pre>

</div>
<p>
Then go in <code>Options</code> to define:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Secret token</strong>: a secret token used to secure exchanges between the OpenID client and server (<span class="curid"><a href="idpopenid.html#security" class="wikilink1" title="documentation:2.0:idpopenid">see below</a></span>).</div>
</li>
<li class="level1"><div class="li"> <strong>OpenID login</strong>: the session key whose value is used as the OpenID login ([login] in the identifier).</div>
</li>
<li class="level1"><div class="li"> <strong>Authorized domains</strong>: whitelist or blacklist of OpenID client domains (<span class="curid"><a href="idpopenid.html#security" class="wikilink1" title="documentation:2.0:idpopenid">see below</a></span>).</div>
</li>
<li class="level1"><div class="li"> <strong>SREG mapping</strong>: link between SREG attributes and session keys (<span class="curid"><a href="idpopenid.html#shared_attributes_sreg" class="wikilink1" title="documentation:2.0:idpopenid">see below</a></span>).</div>
</li>
</ul>
<div class="notetip">If <code>OpenID login</code> is not set, the session key configured in <code>General Parameters</code> » <code>Logs</code> » <code>REMOTE_USER</code> is used; it is <code>uid</code> by default.
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [1126-2240] -->
<h3 class="sectionedit4" id="shared_attributes_sreg">Shared attributes (SREG)</h3>
<div class="level3">

<p>
<a href="http://openid.net/specs/openid-simple-registration-extension-1_0.html" class="urlextern" title="http://openid.net/specs/openid-simple-registration-extension-1_0.html"  rel="nofollow">SREG</a> permits sharing the following attributes:
</p>
<ul>
<li class="level1"><div class="li"> Nickname</div>
</li>
<li class="level1"><div class="li"> Email</div>
</li>
<li class="level1"><div class="li"> Full name</div>
</li>
<li class="level1"><div class="li"> Date of birth</div>
</li>
<li class="level1"><div class="li"> Gender</div>
</li>
<li class="level1"><div class="li"> Postal code</div>
</li>
<li class="level1"><div class="li"> Country</div>
</li>
<li class="level1"><div class="li"> Language</div>
</li>
<li class="level1"><div class="li"> Timezone</div>
</li>
</ul>

<p>
Each SREG attribute is mapped to a user session key; one session key may be mapped to several SREG attributes.
</p>
<div class="noteclassic">If the OpenID consumer asks for data, users are prompted to accept or refuse the data sharing.
</div>
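<p>As an added example (not LemonLDAP::NG code), the following Python resolves a consumer&#039;s SREG request against a session through such a mapping, offers only mapped attributes for the consent prompt, and releases only what the user accepted; the mapping, session and request are constructed samples.</p>

```python
# The nine field names defined by SREG 1.0 (sent as openid.sreg.<field>).
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")

# Hypothetical "SREG mapping": SREG attribute -> session key. The same
# session key may be listed under several SREG attributes.
SREG_MAPPING = {"nickname": "uid", "email": "mail", "fullname": "cn",
                "language": "preferredLanguage"}

# Constructed sample session and consumer request.
SESSION = {"uid": "foo.bar", "mail": "foo.bar@example.com", "cn": "Foo Bar"}
REQUEST = {"openid.sreg.required": "email,nickname",
           "openid.sreg.optional": "fullname,language,timezone"}

def parse_sreg_request(params):
    """(required, optional) field lists from the comma-separated
    openid.sreg.required / openid.sreg.optional parameters; unknown names dropped."""
    def fields(key):
        return [f for f in params.get(key, "").split(",") if f in SREG_FIELDS]
    return fields("openid.sreg.required"), fields("openid.sreg.optional")

def offered_attributes(params, session, mapping):
    """Attributes to show in the consent prompt: requested fields whose
    mapped session key has a value in this session (unmapped or empty
    fields are never offered)."""
    required, optional = parse_sreg_request(params)
    offered = {}
    for field in required + optional:
        value = session.get(mapping.get(field, ""))
        if value is not None:
            offered[field] = value
    return offered

def build_sreg_response(params, session, mapping, accepted):
    """openid.sreg.* response parameters for the fields the user accepted in
    the prompt, plus the list of required fields that cannot be released."""
    required, _ = parse_sreg_request(params)
    offered = offered_attributes(params, session, mapping)
    response = {"openid.sreg." + f: v for f, v in offered.items() if f in accepted}
    missing = [f for f in required if f not in accepted or f not in offered]
    return response, missing
```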
</div>
<!-- EDIT4 SECTION "Shared attributes (SREG)" [2241-2748] -->
<h3 class="sectionedit5" id="security">Security</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> can be configured to restrict OpenID exchanges to a whitelist or a blacklist of consumer domains.</div>
</li>
<li class="level1"><div class="li"> If the secret token is not set, it is derived from the general encryption key.</div>
</li>
</ul>
<div class="noteimportant">Note that the <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML</a> protocol is more secure than OpenID, so when your partners are known, prefer <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML</a>.
</div>
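<p>As an added example (not LemonLDAP::NG code), the following Python applies such a domain whitelist or blacklist to a consumer request and also enforces the OpenID 2.0 rule that <code>openid.return_to</code> must lie within <code>openid.realm</code>; the format of the domain list and the sample request are assumptions.</p>

```python
from urllib.parse import urlsplit

# Constructed sample checkid_setup request from an OpenID 2.0 consumer.
SAMPLE_REQUEST = {"openid.ns": "http://specs.openid.net/auth/2.0",
                  "openid.mode": "checkid_setup",
                  "openid.realm": "https://*.partner.example/",
                  "openid.return_to": "https://app.partner.example/cb?s=1"}
# Hypothetical form of the "Authorized domains" setting (format assumed).
WHITELIST = {"mode": "whitelist", "domains": ["partner.example"]}
BLACKLIST = {"mode": "blacklist", "domains": ["partner.example"]}

def consumer_host(params):
    """Host the consumer claims: openid.realm (2.0) or openid.trust_root
    (1.1), else openid.return_to; a leading "*." wildcard is stripped."""
    realm = (params.get("openid.realm") or params.get("openid.trust_root")
             or params.get("openid.return_to", ""))
    host = urlsplit(realm).hostname or ""
    return host[2:] if host.startswith("*.") else host

def return_to_in_realm(params):
    """OpenID 2.0 rule: return_to must lie within the realm (same scheme and
    port, realm path a prefix, host equal or, with "*.", a sub-domain)."""
    realm = params.get("openid.realm") or params.get("openid.trust_root")
    if not realm:
        return True  # no realm given: return_to itself is the trust root
    r, t = urlsplit(realm), urlsplit(params.get("openid.return_to", ""))
    if r.scheme != t.scheme or r.port != t.port:
        return False
    if not (t.path or "/").startswith(r.path or "/"):
        return False
    rhost, thost = r.hostname or "", t.hostname or ""
    if rhost.startswith("*."):
        return thost == rhost[2:] or thost.endswith(rhost[1:])
    return thost == rhost

def domain_allowed(host, rules):
    """Whitelist: host (or a sub-domain of an entry) must be listed;
    blacklist: it must not be."""
    hit = any(host == d or host.endswith("." + d) for d in rules["domains"])
    return hit if rules["mode"] == "whitelist" else not hit

def check_consumer(params, rules):
    """Return (accepted, reason); reject before any user interaction."""
    if not return_to_in_realm(params):
        return False, "return_to outside realm"
    if not domain_allowed(consumer_host(params), rules):
        return False, "domain not authorized"
    return True, "ok"
```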
</div>
<!-- EDIT5 SECTION "Security" [2749-] --></div>
</body>
</html>