Differences


documentation:latest:idpopenid [2017/11/20 14:54]
xguimard Spelling errors
documentation:latest:idpopenid [2019/01/15 15:54]
Line 1: Line 1:
-====== OpenID server ====== 
  
-<note warning>​OpenID protocol is deprecated, you should now use [[idpopenidconnect|OpenID Connect]]</​note>​ 
-===== Presentation ===== 
- 
-LL::NG can act as an OpenID 2.0 Server, that can allow one to federate LL::NG with: 
-  * Another LL::NG system configured with [[authopenid|OpenID authentication]] 
-  * Any OpenID consumer 
- 
-LL::NG is compatible with the OpenID Authentication protocol [[http://​openid.net/​specs/​openid-authentication-2_0.html|version 2.0]] and [[http://​openid.net/​specs/​openid-authentication-1_1.html|version 1.0]]. It can be used just to share authentication or to share user's attributes following the [[http://​openid.net/​specs/​openid-simple-registration-extension-1_0.html|OpenID Simple Registration Extension 1.0 (SREG)]] specification. 
- 
-When LL::NG is configured as OpenID identity provider, users can share their authentication using [PORTAL]/​openidserver/​[login] where: 
-  * [PORTAL] is the portal URL 
-  * [login] is the user login (or any other session information,​ [[idpopenid#​configuration|see below]]) 
- 
-Example: 
-<​code>​ 
-http://​auth.example.com/​openidserver/​foo.bar 
-</​code>​ 
- 
-===== Configuration ===== 
- 
-In the Manager, go in ''​General Parameters''​ » ''​Issuer modules''​ » ''​OpenID''​ and configure: 
-  * **Activation**:​ set to ''​On''​ 
-  * **Path**: keep ''​^/​openidserver/''​ unless you have change [[configlocation#​portal|Apache portal configuration]] file. 
-  * **Use rule**: a rule to allow user to use this module, set to 1 to always allow. 
- 
-<note tip> 
-For example, to allow only users with a strong authentication level: 
-<​code>​ 
-$authenticationLevel > 2 
-</​code>​ 
-</​note>​ 
- 
-<note important>​ 
-Rewrite rules must have been activated in [[configlocation#​portal|Apache portal configuration]] or in [[configlocation#​portal1|Nginx portal configuration]]. 
-</​note>​ 
- 
-Then go in ''​Options''​ to define: 
-  * **Secret token**: a secret token used to secure transmissions between OpenID client and server ([[idpopenid#​security|see below]]). 
-  * **OpenID login**: the session key used to match OpenID login. 
-  * **Authorized domains**: white list or black list of OpenID client domains ([[idpopenid#​security|see below]]). 
-  * **SREG mapping**: link between SREG attributes and session keys ([[idpopenid#​shared_attributes_sreg|see below]]). 
- 
-<note tip>If ''​OpenID login''​ is not set, it uses ''​General Parameters''​ » ''​Logs''​ » ''​REMOTE_USER''​ data, which is set to ''​uid''​ by default</​note>​ 
- 
-==== Shared attributes (SREG) ==== 
- 
-[[http://​openid.net/​specs/​openid-simple-registration-extension-1_0.html|SREG]] permit the share of 8 attributes: 
-  * Nick name 
-  * Email 
-  * Full name 
-  * Date of birth 
-  * Gender 
-  * Postal code 
-  * Country 
-  * Language 
-  * Timezone 
- 
-Each SREG attribute will be associated to a user session key. A session key can be associated to more than one SREG attribute. 
- 
-<​note>​If the OpenID consumer ask for data, users will be prompted to accept or not the data sharing.</​note>​ 
- 
-==== Security ==== 
- 
-  * LL::NG can be configured to restrict OpenID exchange using a white or a black list of domains. 
-  * If not set, the secret token is calculated using the general encryption key. 
- 
-<note important>​Note that [[idpsaml|SAML]] protocol is more secured than OpenID, so when your partners are known, prefer [[idpsaml|SAML]].</​note>​
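Review bot: the whole page body is removed and nothing replaces it, so the deprecation warning at the top, which is the only pointer readers get to [[idpopenidconnect|OpenID Connect]], goes away together with the Security section (domain white/black list, secret token derived from the general encryption key, the recommendation to prefer [[idpsaml|SAML]] for known partners). Since the page also defines the anchors idpopenid#configuration, idpopenid#security and idpopenid#shared_attributes_sreg that it links to itself and that other pages may link to, consider leaving a short stub that keeps the deprecation note and the OpenID Connect link (or a redirect to idpopenidconnect) rather than an empty page, so that existing links do not go dead and administrators still running the deprecated OpenID 2.0 issuer are told where to migrate.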