<divclass="notewarning">OpenID protocol is deprecated, you should now use <ahref="idpopenidconnect.html"class="wikilink1"title="documentation:2.0:idpopenidconnect">OpenID Connect</a>
<abbrtitle="LemonLDAP::NG">LL::NG</abbr> can act as an OpenID 2.0 Server, that can allow one to federate <abbrtitle="LemonLDAP::NG">LL::NG</abbr> with:
<liclass="level1"><divclass="li"> Another <abbrtitle="LemonLDAP::NG">LL::NG</abbr> system configured with <ahref="authopenid.html"class="wikilink1"title="documentation:2.0:authopenid">OpenID authentication</a></div>
</li>
<liclass="level1"><divclass="li"> Any OpenID consumer</div>
</li>
</ul>
<p>
<abbrtitle="LemonLDAP::NG">LL::NG</abbr> is compatible with the OpenID Authentication protocol <ahref="http://openid.net/specs/openid-authentication-2_0.html"class="urlextern"title="http://openid.net/specs/openid-authentication-2_0.html"rel="nofollow">version 2.0</a> and <ahref="http://openid.net/specs/openid-authentication-1_1.html"class="urlextern"title="http://openid.net/specs/openid-authentication-1_1.html"rel="nofollow">version 1.0</a>. It can be used just to share authentication or to share user's attributes following the <ahref="http://openid.net/specs/openid-simple-registration-extension-1_0.html"class="urlextern"title="http://openid.net/specs/openid-simple-registration-extension-1_0.html"rel="nofollow">OpenID Simple Registration Extension 1.0 (SREG)</a> specification.
</p>
<p>
When <abbrtitle="LemonLDAP::NG">LL::NG</abbr> is configured as OpenID identity provider, users can share their authentication using [PORTAL]/openidserver/[login] where:
</p>
<ul>
<liclass="level1"><divclass="li"> [PORTAL] is the portal <abbrtitle="Uniform Resource Locator">URL</abbr></div>
</li>
<liclass="level1"><divclass="li"> [login] is the user login (or any other session information, <spanclass="curid"><ahref="idpopenid.html#configuration"class="wikilink1"title="documentation:2.0:idpopenid">see below</a></span>)</div>
<liclass="level1"><divclass="li"><strong>Secret token</strong>: a secret token used to secure transmissions between OpenID client and server (<spanclass="curid"><ahref="idpopenid.html#security"class="wikilink1"title="documentation:2.0:idpopenid">see below</a></span>).</div>
</li>
<liclass="level1"><divclass="li"><strong>OpenID login</strong>: the session key used to match OpenID login.</div>
</li>
<liclass="level1"><divclass="li"><strong>Authorized domains</strong>: white list or black list of OpenID client domains (<spanclass="curid"><ahref="idpopenid.html#security"class="wikilink1"title="documentation:2.0:idpopenid">see below</a></span>).</div>
</li>
<liclass="level1"><divclass="li"><strong>SREG mapping</strong>: link between SREG attributes and session keys (<spanclass="curid"><ahref="idpopenid.html#shared_attributes_sreg"class="wikilink1"title="documentation:2.0:idpopenid">see below</a></span>).</div>
</li>
</ul>
<divclass="notetip">If <code>OpenID login</code> is not set, it uses <code>General Parameters</code> » <code>Logs</code> » <code>REMOTE_USER</code> data, which is set to <code>uid</code> by default
<ahref="http://openid.net/specs/openid-simple-registration-extension-1_0.html"class="urlextern"title="http://openid.net/specs/openid-simple-registration-extension-1_0.html"rel="nofollow">SREG</a> permit the share of 8 attributes:
</p>
<ul>
<liclass="level1"><divclass="li"> Nick name</div>
</li>
<liclass="level1"><divclass="li"> Email</div>
</li>
<liclass="level1"><divclass="li"> Full name</div>
</li>
<liclass="level1"><divclass="li"> Date of birth</div>
</li>
<liclass="level1"><divclass="li"> Gender</div>
</li>
<liclass="level1"><divclass="li"> Postal code</div>
</li>
<liclass="level1"><divclass="li"> Country</div>
</li>
<liclass="level1"><divclass="li"> Language</div>
</li>
<liclass="level1"><divclass="li"> Timezone</div>
</li>
</ul>
<p>
Each SREG attribute will be associated to a user session key. A session key can be associated to more than one SREG attribute.
</p>
<divclass="noteclassic">If the OpenID consumer ask for data, users will be prompted to accept or not the data sharing.
<liclass="level1"><divclass="li"><abbrtitle="LemonLDAP::NG">LL::NG</abbr> can be configured to restrict OpenID exchange using a white or a black list of domains.</div>
</li>
<liclass="level1"><divclass="li"> If not set, the secret token is calculated using the general encryption key.</div>
</li>
</ul>
<divclass="noteimportant">Note that <ahref="idpsaml.html"class="wikilink1"title="documentation:2.0:idpsaml">SAML</a> protocol is more secured than OpenID, so when your partners are known, prefer <ahref="idpsaml.html"class="wikilink1"title="documentation:2.0:idpsaml">SAML</a>.