documentation:2.1:idpopenid

Differences

This shows you the differences between two versions of the page.


documentation:2.1:idpopenid [2019/01/15 15:55] (current)
Line 1: Line 1:
 +====== OpenID server ======
  
 +<note warning>OpenID protocol is deprecated, you should now use [[idpopenidconnect|OpenID Connect]]</note>
 +===== Presentation =====
 +
 +LL::NG can act as an OpenID 2.0 Server, that can allow one to federate LL::NG with:
 +  * Another LL::NG system configured with [[authopenid|OpenID authentication]]
 +  * Any OpenID consumer
 +
 +LL::NG is compatible with the OpenID Authentication protocol [[http://openid.net/specs/openid-authentication-2_0.html|version 2.0]] and [[http://openid.net/specs/openid-authentication-1_1.html|version 1.0]]. It can be used just to share authentication or to share user's attributes following the [[http://openid.net/specs/openid-simple-registration-extension-1_0.html|OpenID Simple Registration Extension 1.0 (SREG)]] specification.
 +
 +When LL::NG is configured as OpenID identity provider, users can share their authentication using [PORTAL]/openidserver/[login] where:
 +  * [PORTAL] is the portal URL
 +  * [login] is the user login (or any other session information, [[idpopenid#configuration|see below]])
 +
 +Example:
 +<code>
 +http://auth.example.com/openidserver/foo.bar
 +</code>
 +
 +===== Configuration =====
 +
 +In the Manager, go in ''General Parameters'' » ''Issuer modules'' » ''OpenID'' and configure:
 +  * **Activation**: set to ''On''
 +  * **Path**: keep ''^/openidserver/'' unless you have change [[configlocation#portal|Apache portal configuration]] file.
 +  * **Use rule**: a rule to allow user to use this module, set to 1 to always allow.
 +
 +<note tip>
 +For example, to allow only users with a strong authentication level:
 +<code>
 +$authenticationLevel > 2
 +</code>
 +</note>
 +
 +Then go in ''Options'' to define:
 +  * **Secret token**: a secret token used to secure transmissions between OpenID client and server ([[idpopenid#security|see below]]).
 +  * **OpenID login**: the session key used to match OpenID login.
 +  * **Authorized domains**: white list or black list of OpenID client domains ([[idpopenid#security|see below]]).
 +  * **SREG mapping**: link between SREG attributes and session keys ([[idpopenid#shared_attributes_sreg|see below]]).
 +
 +<note tip>If ''OpenID login'' is not set, it uses ''General Parameters'' » ''Logs'' » ''REMOTE_USER'' data, which is set to ''uid'' by default</note>
 +
 +==== Shared attributes (SREG) ====
 +
 +[[http://openid.net/specs/openid-simple-registration-extension-1_0.html|SREG]] permit the share of 8 attributes:
 +  * Nick name
 +  * Email
 +  * Full name
 +  * Date of birth
 +  * Gender
 +  * Postal code
 +  * Country
 +  * Language
 +  * Timezone
 +
 +Each SREG attribute will be associated to a user session key. A session key can be associated to more than one SREG attribute.
 +
 +<note>If the OpenID consumer ask for data, users will be prompted to accept or not the data sharing.</note>
 +
 +==== Security ====
 +
 +  * LL::NG can be configured to restrict OpenID exchange using a white or a black list of domains.
 +  * If not set, the secret token is calculated using the general encryption key.
 +
 +<note important>Note that [[idpsaml|SAML]] protocol is more secured than OpenID, so when your partners are known, prefer [[idpsaml|SAML]].</note>
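Review bot: the attribute count in the "Shared attributes (SREG)" section is wrong: the text says SREG "permit the share of 8 attributes" but the list that follows has nine entries (Nick name through Timezone), which matches the SREG 1.0 field set, so change the sentence to "SREG permits sharing of 9 attributes". In the Security section, the bullet "LL::NG can be configured to restrict OpenID exchange using a white or a black list of domains" never states what happens when "Authorized domains" is left empty; since the Presentation section says the server federates with "Any OpenID consumer", the default of accepting every consumer domain should be spelled out next to that option so an administrator does not assume the list is restrictive by default. Two wording fixes as well: "unless you have change [[configlocation#portal|Apache portal configuration]] file" should read "unless you have changed the ... file", and "SAML protocol is more secured than OpenID" should read "more secure than OpenID".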