This shows you the differences between two versions of the page.

Link to this comparison view

documentation:2.1:idpopenid [2019/01/15 15:55] (current)
Line 1: Line 1:
 +====== OpenID server ======
 +<note warning>​OpenID protocol is deprecated, you should now use [[idpopenidconnect|OpenID Connect]]</​note>​
 +===== Presentation =====
 +LL::NG can act as an OpenID 2.0 Server, that can allow one to federate LL::NG with:
 +  * Another LL::NG system configured with [[authopenid|OpenID authentication]]
 +  * Any OpenID consumer
 +LL::NG is compatible with the OpenID Authentication protocol [[http://​openid.net/​specs/​openid-authentication-2_0.html|version 2.0]] and [[http://​openid.net/​specs/​openid-authentication-1_1.html|version 1.0]]. It can be used just to share authentication or to share user's attributes following the [[http://​openid.net/​specs/​openid-simple-registration-extension-1_0.html|OpenID Simple Registration Extension 1.0 (SREG)]] specification.
 +When LL::NG is configured as OpenID identity provider, users can share their authentication using [PORTAL]/​openidserver/​[login] where:
 +  * [PORTAL] is the portal URL
 +  * [login] is the user login (or any other session information,​ [[idpopenid#​configuration|see below]])
 +===== Configuration =====
 +In the Manager, go in ''​General Parameters''​ » ''​Issuer modules''​ » ''​OpenID''​ and configure:
 +  * **Activation**:​ set to ''​On''​
 +  * **Path**: keep ''​^/​openidserver/''​ unless you have change [[configlocation#​portal|Apache portal configuration]] file.
 +  * **Use rule**: a rule to allow user to use this module, set to 1 to always allow.
 +<note tip>
 +For example, to allow only users with a strong authentication level:
 +$authenticationLevel > 2
 +Then go in ''​Options''​ to define:
 +  * **Secret token**: a secret token used to secure transmissions between OpenID client and server ([[idpopenid#​security|see below]]).
 +  * **OpenID login**: the session key used to match OpenID login.
 +  * **Authorized domains**: white list or black list of OpenID client domains ([[idpopenid#​security|see below]]).
 +  * **SREG mapping**: link between SREG attributes and session keys ([[idpopenid#​shared_attributes_sreg|see below]]).
 +<note tip>If ''​OpenID login''​ is not set, it uses ''​General Parameters''​ » ''​Logs''​ » ''​REMOTE_USER''​ data, which is set to ''​uid''​ by default</​note>​
 +==== Shared attributes (SREG) ====
 +[[http://​openid.net/​specs/​openid-simple-registration-extension-1_0.html|SREG]] permit the share of 8 attributes:
 +  * Nick name
 +  * Email
 +  * Full name
 +  * Date of birth
 +  * Gender
 +  * Postal code
 +  * Country
 +  * Language
 +  * Timezone
 +Each SREG attribute will be associated to a user session key. A session key can be associated to more than one SREG attribute.
 +<​note>​If the OpenID consumer ask for data, users will be prompted to accept or not the data sharing.</​note>​
 +==== Security ====
 +  * LL::NG can be configured to restrict OpenID exchange using a white or a black list of domains.
 +  * If not set, the secret token is calculated using the general encryption key.
 +<note important>​Note that [[idpsaml|SAML]] protocol is more secured than OpenID, so when your partners are known, prefer [[idpsaml|SAML]].</​note>​