OpenID server
Danger
The OpenID protocol is deprecated; you should now use OpenID Connect instead.
Presentation
LL::NG can act as an OpenID 2.0 server, which allows you to federate LL::NG with:
Another LL::NG system configured with OpenID authentication
Any OpenID consumer
LL::NG is compatible with the OpenID Authentication protocol versions 2.0 and 1.0. It can be used just to share authentication, or also to share user attributes following the OpenID Simple Registration Extension 1.0 (SREG) specification.
When LL::NG is configured as an OpenID identity provider, users can share their authentication using [PORTAL]/openidserver/[login], where:
[PORTAL] is the portal URL
[login] is the user login (or any other session information, see below)
Example:
http://auth.example.com/openidserver/foo.bar
Configuration
In the Manager, go to General Parameters » Issuer modules » OpenID and configure:
Activation: set to On
Path: keep ^/openidserver/ unless you have changed the Apache portal configuration file.
Use rule: a rule to allow users to use this module; set to 1 to always allow.
Tip
For example, to allow only users with a strong authentication level:
$authenticationLevel > 2
Then go to Options to define:
Secret token: a secret token used to secure transmissions between the OpenID client and server (see below).
OpenID login: the session key whose value is used as the OpenID login, i.e. the [login] part of the identity URL.
Authorized domains: white list or black list of OpenID client domains (see below).
SREG mapping: link between SREG attributes and session keys (see below).
Tip
If OpenID login is not set, the General Parameters » Logs » REMOTE_USER data is used, which is set to uid by default.
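To show how the four settings above (Path, Use rule, OpenID login and the Options list) gate an OpenID request, here is an added Python model of the checks, written for this page; it is not LL::NG code and does not reproduce its internals. The session contents, the form of the authorized-domains list (a plain list plus a "white"/"black" mode) and the SREG mapping are constructed assumptions; the openid.sreg.* parameter names come from the SREG 1.0 specification. The secret token is not modelled.

```python
import re
from urllib.parse import urlparse

# Constructed sample session standing in for an LL::NG session (assumption:
# attribute names follow common LDAP usage; not taken from a real deployment).
SESSION = {
    "uid": "foo.bar",
    "cn": "Foo Bar",
    "mail": "foo.bar@example.com",
    "authenticationLevel": 3,
}

PORTAL = "http://auth.example.com"
# The "Path" setting from the page: requests below this prefix reach the issuer.
OPENID_PATH = re.compile(r"^/openidserver/")
# Assumed "SREG mapping": SREG attribute name -> session key.
SREG_MAPPING = {"nickname": "uid", "fullname": "cn", "email": "mail"}


def identity_url(portal, session, login_key="uid"):
    """Build [PORTAL]/openidserver/[login]; login_key is the 'OpenID login' setting."""
    return f"{portal}/openidserver/{session[login_key]}"


def login_from_path(path):
    """Return the [login] part of a request path, or None if the Path regex does not match."""
    if not OPENID_PATH.match(path):
        return None
    return OPENID_PATH.sub("", path, count=1) or None


def use_rule_allows(session, min_level=2):
    """Stand-in for the page's 'Use rule' example $authenticationLevel > 2."""
    return session.get("authenticationLevel", 0) > min_level


def domain_allowed(return_to, domains, mode):
    """Apply the 'Authorized domains' list to the consumer's return_to URL.

    mode 'white': only listed domains (and their subdomains) pass;
    mode 'black': listed domains (and their subdomains) are refused.
    The list format itself is an assumption; LL::NG documents its own syntax.
    """
    host = (urlparse(return_to).hostname or "").lower()
    # Match the exact host or a true subdomain; a bare suffix test would also
    # accept look-alikes such as "evilexample.org".
    listed = any(host == d or host.endswith("." + d) for d in domains)
    return listed if mode == "white" else not listed


def sreg_response(session, mapping, requested):
    """Translate requested SREG fields into openid.sreg.* response parameters.

    Only fields present in both the mapping and the session are released; a
    field the consumer asks for that the mapping does not cover is omitted.
    """
    out = {}
    for field in requested:
        key = mapping.get(field)
        if key is not None and key in session:
            out[f"openid.sreg.{field}"] = str(session[key])
    return out


def authorize_request(session, path, return_to, domains, mode,
                      mapping=SREG_MAPPING, requested=(), login_key="uid"):
    """Run the checks in order and report why a request is refused, if it is."""
    login = login_from_path(path)
    if login is None:
        return {"ok": False, "reason": "path does not match ^/openidserver/"}
    if login != str(session.get(login_key)):
        return {"ok": False, "reason": "claimed identity does not match session"}
    if not use_rule_allows(session):
        return {"ok": False, "reason": "use rule refused the user"}
    if not domain_allowed(return_to, domains, mode):
        return {"ok": False, "reason": "consumer domain not authorized"}
    return {"ok": True, "identity": identity_url(PORTAL, session, login_key),
            "sreg": sreg_response(session, mapping, requested)}


if __name__ == "__main__":
    print(authorize_request(SESSION, "/openidserver/foo.bar",
                            "https://app.example.org/openid/return",
                            ["example.org"], "white", requested=["email", "nickname"]))
```

The order of the checks is the point: the claimed identity in the URL is compared with the session's OpenID login key before any rule or domain list is consulted, and SREG attributes are only released for fields the mapping explicitly covers, so a consumer cannot pull arbitrary session keys by naming them.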