128 lines
3.2 KiB
ReStructuredText
128 lines
3.2 KiB
ReStructuredText
OpenID server
|
|
=============
|
|
|
|
|
|
.. danger::
|
|
|
|
OpenID protocol is deprecated, you should now use
|
|
:doc:`OpenID Connect<idpopenidconnect>`\
|
|
|
|
Presentation
|
|
------------
|
|
|
|
LL::NG can act as an OpenID 2.0 Server, that can allow one to federate
|
|
LL::NG with:
|
|
|
|
- Another LL::NG system configured with
|
|
:doc:`OpenID authentication<authopenid>`
|
|
- Any OpenID consumer
|
|
|
|
LL::NG is compatible with the OpenID Authentication protocol `version
|
|
2.0 <http://openid.net/specs/openid-authentication-2_0.html>`__ and
|
|
`version
|
|
1.0 <http://openid.net/specs/openid-authentication-1_1.html>`__. It can
|
|
be used just to share authentication or to share user's attributes
|
|
following the `OpenID Simple Registration Extension 1.0
|
|
(SREG) <http://openid.net/specs/openid-simple-registration-extension-1_0.html>`__
|
|
specification.
|
|
|
|
When LL::NG is configured as OpenID identity provider, users can share
|
|
their authentication using [PORTAL]/openidserver/[login] where:
|
|
|
|
- [PORTAL] is the portal URL
|
|
- [login] is the user login (or any other session information,
|
|
:ref:`see below<idpopenid-configuration>`)
|
|
|
|
Example:
|
|
|
|
::
|
|
|
|
http://auth.example.com/openidserver/foo.bar
|
|
|
|
.. _idpopenid-configuration:
|
|
|
|
Configuration
|
|
-------------
|
|
|
|
In the Manager, go in ``General Parameters`` » ``Issuer modules`` »
|
|
``OpenID`` and configure:
|
|
|
|
- **Activation**: set to ``On``
|
|
- **Path**: keep ``^/openidserver/`` unless you have change
|
|
:ref:`Apache portal configuration<configlocation-portal>` file.
|
|
- **Use rule**: a rule to allow user to use this module, set to 1 to
|
|
always allow.
|
|
|
|
|
|
.. tip::
|
|
|
|
For example, to allow only users with a strong authentication
|
|
level:
|
|
|
|
::
|
|
|
|
$authenticationLevel > 2
|
|
|
|
|
|
|
|
Then go in ``Options`` to define:
|
|
|
|
- **Secret token**: a secret token used to secure transmissions between
|
|
OpenID client and server (:ref:`see below<idpopenid-security>`).
|
|
- **OpenID login**: the session key used to match OpenID login.
|
|
- **Authorized domains**: white list or black list of OpenID client
|
|
domains (:ref:`see below<idpopenid-security>`).
|
|
- **SREG mapping**: link between SREG attributes and session keys
|
|
(:ref:`see below<idpopenid-shared-attributes-sreg>`).
|
|
|
|
|
|
.. tip::
|
|
|
|
If ``OpenID login`` is not set, it uses ``General Parameters``
|
|
» ``Logs`` » ``REMOTE_USER`` data, which is set to ``uid`` by
|
|
default
|
|
|
|
.. _idpopenid-shared-attributes-sreg:
|
|
|
|
Shared attributes (SREG)
|
|
~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
`SREG <http://openid.net/specs/openid-simple-registration-extension-1_0.html>`__
|
|
permit the share of 8 attributes:
|
|
|
|
- Nick name
|
|
- Email
|
|
- Full name
|
|
- Date of birth
|
|
- Gender
|
|
- Postal code
|
|
- Country
|
|
- Language
|
|
- Timezone
|
|
|
|
Each SREG attribute will be associated to a user session key. A session
|
|
key can be associated to more than one SREG attribute.
|
|
|
|
|
|
.. note::
|
|
|
|
If the OpenID consumer ask for data, users will be prompted to
|
|
accept or not the data sharing.
|
|
|
|
.. _idpopenid-security:
|
|
|
|
Security
|
|
~~~~~~~~
|
|
|
|
- LL::NG can be configured to restrict OpenID exchange using a white or
|
|
a black list of domains.
|
|
- If not set, the secret token is calculated using the general
|
|
encryption key.
|
|
|
|
|
|
.. attention::
|
|
|
|
Note that :doc:`SAML<idpsaml>` protocol is more secured
|
|
than OpenID, so when your partners are known, prefer
|
|
:doc:`SAML<idpsaml>`.
|