Differences
This shows you the differences between two versions of the page.
| — |
documentation:2.1:idpopenid [2019/01/15 15:55] (current) |
||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | ====== OpenID server ====== | ||
| + | <note warning>OpenID protocol is deprecated, you should now use [[idpopenidconnect|OpenID Connect]]</note> | ||
| + | ===== Presentation ===== | ||
| + | |||
| + | LL::NG can act as an OpenID 2.0 Server, that can allow one to federate LL::NG with: | ||
| + | * Another LL::NG system configured with [[authopenid|OpenID authentication]] | ||
| + | * Any OpenID consumer | ||
| + | |||
| + | LL::NG is compatible with the OpenID Authentication protocol [[http://openid.net/specs/openid-authentication-2_0.html|version 2.0]] and [[http://openid.net/specs/openid-authentication-1_1.html|version 1.0]]. It can be used just to share authentication or to share user's attributes following the [[http://openid.net/specs/openid-simple-registration-extension-1_0.html|OpenID Simple Registration Extension 1.0 (SREG)]] specification. | ||
| + | |||
| + | When LL::NG is configured as OpenID identity provider, users can share their authentication using [PORTAL]/openidserver/[login] where: | ||
| + | * [PORTAL] is the portal URL | ||
| + | * [login] is the user login (or any other session information, [[idpopenid#configuration|see below]]) | ||
| + | |||
| + | Example: | ||
| + | <code> | ||
| + | http://auth.example.com/openidserver/foo.bar | ||
| + | </code> | ||
| + | |||
| + | ===== Configuration ===== | ||
| + | |||
| + | In the Manager, go in ''General Parameters'' » ''Issuer modules'' » ''OpenID'' and configure: | ||
| + | * **Activation**: set to ''On'' | ||
| + | * **Path**: keep ''^/openidserver/'' unless you have change [[configlocation#portal|Apache portal configuration]] file. | ||
| + | * **Use rule**: a rule to allow user to use this module, set to 1 to always allow. | ||
| + | |||
| + | <note tip> | ||
| + | For example, to allow only users with a strong authentication level: | ||
| + | <code> | ||
| + | $authenticationLevel > 2 | ||
| + | </code> | ||
| + | </note> | ||
| + | |||
| + | Then go in ''Options'' to define: | ||
| + | * **Secret token**: a secret token used to secure transmissions between OpenID client and server ([[idpopenid#security|see below]]). | ||
| + | * **OpenID login**: the session key used to match OpenID login. | ||
| + | * **Authorized domains**: white list or black list of OpenID client domains ([[idpopenid#security|see below]]). | ||
| + | * **SREG mapping**: link between SREG attributes and session keys ([[idpopenid#shared_attributes_sreg|see below]]). | ||
| + | |||
| + | <note tip>If ''OpenID login'' is not set, it uses ''General Parameters'' » ''Logs'' » ''REMOTE_USER'' data, which is set to ''uid'' by default</note> | ||
| + | |||
| + | ==== Shared attributes (SREG) ==== | ||
| + | |||
| + | [[http://openid.net/specs/openid-simple-registration-extension-1_0.html|SREG]] permit the share of 8 attributes: | ||
| + | * Nick name | ||
| + | |||
| + | * Full name | ||
| + | * Date of birth | ||
| + | * Gender | ||
| + | * Postal code | ||
| + | * Country | ||
| + | * Language | ||
| + | * Timezone | ||
| + | |||
| + | Each SREG attribute will be associated to a user session key. A session key can be associated to more than one SREG attribute. | ||
| + | |||
| + | <note>If the OpenID consumer ask for data, users will be prompted to accept or not the data sharing.</note> | ||
| + | |||
| + | ==== Security ==== | ||
| + | |||
| + | * LL::NG can be configured to restrict OpenID exchange using a white or a black list of domains. | ||
| + | * If not set, the secret token is calculated using the general encryption key. | ||
| + | |||
| + | <note important>Note that [[idpsaml|SAML]] protocol is more secured than OpenID, so when your partners are known, prefer [[idpsaml|SAML]].</note> | ||