File: idpopenid.html

package info (click to toggle)
lemonldap-ng 1.9.7-3%2Bdeb9u2
links: PTS, VCS
area: main
in suites: stretch
size: 39,024 kB
sloc: perl: 37,552; makefile: 922; sh: 472; sql: 5
file content (187 lines) | stat: -rw-r--r-- 9,668 bytes
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
  <meta charset="utf-8" />
  <title>documentation:1.9:idpopenid</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,1.9,idpopenid"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="idpopenid.html"/>
<link rel="contents" href="idpopenid.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
  <link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
  <link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css"></script>
//elsif:cssminified
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
  <link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:1.9';var JSINFO = {"id":"documentation:1.9:idpopenid","namespace":"documentation:1.9"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
  <script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
  <script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
  <script type="text/javascript" src="/lib/scripts/jquery-ui.min.js"></script>
//else -->
  <script type="text/javascript" src="/lib/scripts/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>

<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#shared_attributes_sreg">Shared attributes (SREG)</a></div></li>
<li class="level2"><div class="li"><a href="#security">Security</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->

<h1 class="sectionedit1" id="openid_server">OpenID server</h1>
<div class="level1">
<div class="notewarning">OpenID protocol is deprecated, you should now use <a href="idpopenidconnect.html" class="wikilink1" title="documentation:1.9:idpopenidconnect">OpenID Connect</a>
</div>
</div>
<!-- EDIT1 SECTION "OpenID server" [1-136] -->
<h2 class="sectionedit2" id="presentation">Presentation</h2>
<div class="level2">

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> can act as an OpenID 2.0 Server, that can allow to federate <abbr title="LemonLDAP::NG">LL::NG</abbr> with:
</p>
<ul>
<li class="level1"><div class="li"> Another <abbr title="LemonLDAP::NG">LL::NG</abbr> system configured with <a href="authopenid.html" class="wikilink1" title="documentation:1.9:authopenid">OpenID authentication</a></div>
</li>
<li class="level1"><div class="li"> Any OpenID consumer</div>
</li>
</ul>

<p>
<abbr title="LemonLDAP::NG">LL::NG</abbr> is compatible with the OpenID Authentication protocol <a href="http://openid.net/specs/openid-authentication-2_0.html" class="urlextern" title="http://openid.net/specs/openid-authentication-2_0.html"  rel="nofollow">version 2.0</a> and <a href="http://openid.net/specs/openid-authentication-1_1.html" class="urlextern" title="http://openid.net/specs/openid-authentication-1_1.html"  rel="nofollow">version 1.0</a>. It can be used just to share authentication or to share user&#039;s attributes following the <a href="http://openid.net/specs/openid-simple-registration-extension-1_0.html" class="urlextern" title="http://openid.net/specs/openid-simple-registration-extension-1_0.html"  rel="nofollow">OpenID Simple Registration Extension 1.0 (SREG)</a> specification.
</p>

<p>
When <abbr title="LemonLDAP::NG">LL::NG</abbr> is configured as OpenID identity provider, users can share their authentication using [PORTAL]/openidserver/[login] where:
</p>
<ul>
<li class="level1"><div class="li"> [PORTAL] is the portal <abbr title="Uniform Resource Locator">URL</abbr></div>
</li>
<li class="level1"><div class="li"> [login] is the user login (or any other session information, <span class="curid"><a href="idpopenid.html#configuration" class="wikilink1" title="documentation:1.9:idpopenid">see below</a></span>)</div>
</li>
</ul>

<p>
Example:
</p>
<pre class="code">http://auth.example.com/openidserver/foo.bar</pre>

</div>
<!-- EDIT2 SECTION "Presentation" [137-1121] -->
<h2 class="sectionedit3" id="configuration">Configuration</h2>
<div class="level2">

<p>
In the Manager, go in <code>General Parameters</code> » <code>Issuer modules</code> » <code>OpenID</code> and configure:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Activation</strong>: set to <code>On</code></div>
</li>
<li class="level1"><div class="li"> <strong>Path</strong>: keep <code>^/openidserver/</code> unless you have change <a href="configlocation.html#portal" class="wikilink1" title="documentation:1.9:configlocation">Apache portal configuration</a> file.</div>
</li>
<li class="level1"><div class="li"> <strong>Use rule</strong>: a rule to allow user to use this module, set to 1 to always allow.</div>
</li>
</ul>
<div class="notetip">For example, to allow only users with a strong authentication level:
<pre class="code">$authenticationLevel &gt; 2</pre>

</div><div class="noteimportant">Rewrite rules must have been activated in <a href="configlocation.html#portal" class="wikilink1" title="documentation:1.9:configlocation">Apache portal configuration</a> or in <a href="configlocation.html#portal1" class="wikilink1" title="documentation:1.9:configlocation">Nginx portal configuration</a>.

</div>
<p>
Then go in <code>Options</code> to define:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Secret token</strong>: a secret token used to secure transmissions between OpenID client and server (<span class="curid"><a href="idpopenid.html#security" class="wikilink1" title="documentation:1.9:idpopenid">see below</a></span>).</div>
</li>
<li class="level1"><div class="li"> <strong>OpenID login</strong>: the session key used to match OpenID login.</div>
</li>
<li class="level1"><div class="li"> <strong>Authorized domains</strong>: white list or black list of OpenID client domains (<span class="curid"><a href="idpopenid.html#security" class="wikilink1" title="documentation:1.9:idpopenid">see below</a></span>).</div>
</li>
<li class="level1"><div class="li"> <strong>SREG mapping</strong>: link between SREG attributes and session keys (<span class="curid"><a href="idpopenid.html#shared_attributes_sreg" class="wikilink1" title="documentation:1.9:idpopenid">see below</a></span>).</div>
</li>
</ul>
<div class="notetip">If <code>OpenID login</code> is not set, it uses <code>General Parameters</code> » <code>Logs</code> » <code>REMOTE_USER</code> data, which is set to <code>uid</code> by default
</div>
</div>
<!-- EDIT3 SECTION "Configuration" [1122-2419] -->
<h3 class="sectionedit4" id="shared_attributes_sreg">Shared attributes (SREG)</h3>
<div class="level3">

<p>
<a href="http://openid.net/specs/openid-simple-registration-extension-1_0.html" class="urlextern" title="http://openid.net/specs/openid-simple-registration-extension-1_0.html"  rel="nofollow">SREG</a> permit the share of 8 attributes:
</p>
<ul>
<li class="level1"><div class="li"> Nick name</div>
</li>
<li class="level1"><div class="li"> Email</div>
</li>
<li class="level1"><div class="li"> Full name</div>
</li>
<li class="level1"><div class="li"> Date of birth</div>
</li>
<li class="level1"><div class="li"> Gender</div>
</li>
<li class="level1"><div class="li"> Postal code</div>
</li>
<li class="level1"><div class="li"> Country</div>
</li>
<li class="level1"><div class="li"> Language</div>
</li>
<li class="level1"><div class="li"> Timezone</div>
</li>
</ul>

<p>
Each SREG attribute will be associated to a user session key. A session key can be associated to more than one SREG attribute.
</p>
<div class="noteclassic">If the OpenID consumer ask for data, users will be prompted to accept or not the data sharing.
</div>
</div>
<!-- EDIT4 SECTION "Shared attributes (SREG)" [2420-2927] -->
<h3 class="sectionedit5" id="security">Security</h3>
<div class="level3">
<ul>
<li class="level1"><div class="li"> <abbr title="LemonLDAP::NG">LL::NG</abbr> can be configured to restrict OpenID exchange using a white or a black list of domains.</div>
</li>
<li class="level1"><div class="li"> If not set, the secret token is calculated using the general encryption key.</div>
</li>
</ul>
<div class="noteimportant">Note that <a href="idpsaml.html" class="wikilink1" title="documentation:1.9:idpsaml">SAML</a> protocol is more secured than OpenID, so when your partners are known, prefer <a href="idpsaml.html" class="wikilink1" title="documentation:1.9:idpsaml">SAML</a>.
</div>
</div>
<!-- EDIT5 SECTION "Security" [2928-] --></div>
</body>
</html>