4.4 Configuring for OpenID Authentication

OpenID is an open, decentralized method for identifying users which allows users to use the same digital identity for logging in to multiple services. You can configure the Identity Server to trust the provider or providers of OpenIDs by configuring the OpenID class. You then configure a method and contract and assign a protected resources to use the contract for authentication. When the users supply the OpenID, they are granted access if the Identity Server has been configured to trust the provider of the OpenID server.

  1. In the Administration Console, click Devices > Identity Servers > Edit > Local > Classes.

  2. Click New, then fill in the following fields:

    Display name: Specify a name for the class.

    Java class: Select OpenIdClass.

    The Java class path is configured automatically.

  3. Click Next, then configure the following properties:

    Open ID Provider Substrings: Specify at least one URL substring of an OpenID provider. The OpenID URL that user enters during the login process must contain one of the strings as a subset of the OpenID URL. For example, if user enters https://user123.myopenid.com, this field needs to contain one of the following strings:

    myopenid.com
    .myopenid.com
    

    To specify multiple URLs, separate them with a semicolon (;)

    Identity the OpenID user locally: After the user authenticates at the OpenID provider, Access Manager can associate a username from the user store with the OpenID user. With this association, Access Manager can use the policies defined for the username to enforce access to protected resources.

    • When this option is not selected, the OpenID user is not mapped to a local user. The username of the authenticated user remains as the OpenID URL. For example, if the user enters http://user123.myopenid.com for the URL, http://user123.myopenid.com becomes the username.

    • When this option is selected, an attempt is made to map the OpenID user with a username in the user store. You can do this manually by storing the user’s OpenID in the attribute specified in the LDAP Attribute Name option. You can also have the Identity Server add the OpenID value to the attribute by selecting the Auto Provision LDAP Attribute option.

    LDAP Attribute Name: Specify the name of the attribute that contains the identification information for the users. For OpenID authentication, this attribute should contain the OpenID for the user.

    Auto Provision LDAP Attribute: Select this option when you want the user to provide additional information for identification for the first authentication, such as a username and password. The Identity Server uses this information to identify the user, then writes the user’s OpenID value to the attribute specified in the LDAP Attribute Name option. On subsequent logins, the Identity Server can identify the user by using the specified attribute and the user is not prompted for additional information.

  4. Click Finish.

  5. Create a method for this class.

    For instructions, see Section 3.3, Configuring Authentication Methods.

  6. Create a contract for the method:

    For instructions, see Section 3.4, Configuring Authentication Contracts.

    If you want the user’s credentials available for Identity Injection policies, add the password fetch method as a second method to the contract. For more information about this class and method, see Section 4.5, Configuring Password Retrieval.

  7. Update the Identity Server.