5.16.3 OpenID Authentication

OpenID is an open, decentralized method for identifying users that allows users to use the same digital identity for logging in to multiple services. You can configure Identity Server to trust OpenID providers by configuring the OpenID class.

Access Manager supports OpenID 1.1. This is the legacy OpenID protocol, which predates OpenID 2.0 and OpenID Connect, so confirm that a provider you intend to trust still offers an OpenID 1.1 endpoint before you rely on this class.

  1. Click Devices > Identity Servers > Edit > Local > Classes > New.

  2. Specify a name for the class and select OpenIdClass in the Java class list.

  3. Click Next.

  4. Specify the following details:

    Open ID Provider Substrings

    Specify at least one URL substring of an OpenID provider. The OpenID URL that a user enters during login must contain one of these strings.

    For example, if a user enters https://user123.myopenid.com, this field must contain one of the following strings:

    myopenid.com
    .myopenid.com

    To specify multiple substrings, separate them with a semicolon (;).

    This is a substring match on the URL the user types, not a comparison of the host name, so a short string such as myopenid.com also matches any URL that merely contains that text. Use the most specific substrings that still match the providers you trust, and test the setting with a URL you do not intend to accept.

    Identify the OpenID user locally

    After the user authenticates at the OpenID provider, Access Manager can associate a username from the user store with the OpenID user. With this association, Access Manager can use the policies defined for that username to enforce access to protected resources.

    • When this option is not selected, the OpenID user is not mapped to a local user. The username of the authenticated user remains the OpenID URL. For example, if the user enters http://user123.myopenid.com for the URL, http://user123.myopenid.com becomes the username.

    • When this option is selected, Identity Server attempts to map the OpenID user to a username in the user store. You can create the mapping manually by storing the user’s OpenID in the attribute specified in the LDAP Attribute Name option, or you can have Identity Server write the OpenID value to that attribute by selecting the Auto Provision LDAP Attribute option.

    LDAP Attribute Name

    Specify the name of the attribute that contains the identification information for the users. For OpenID authentication, this attribute must contain the OpenID URL for the user.

    Auto Provision LDAP Attribute

    Select this option when you want the user to provide additional identification information, such as a username and password, on the first authentication. Identity Server uses this information to identify the user, then writes the user’s OpenID value to the attribute specified in the LDAP Attribute Name option. On subsequent logins, Identity Server identifies the user by the specified attribute and does not prompt for additional information.

  5. Click Finish.

  6. Create a method for this class.

    For instructions, see Section 5.1.3, Configuring Authentication Methods.

  7. Create a contract for the method.

    For instructions, see Section 5.1.4, Configuring Authentication Contracts.

    If you want the user’s credentials available for Identity Injection policies, add the password fetch method as a second method to the contract. See Password Retrieval.

  8. Update Identity Server.

    Assign this contract to the protected resources that should require OpenID authentication.
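The following is an added illustrative model of the settings configured in step 4; it is not Access Manager or OpenIdClass code. The class and function names, the in-memory user store and the two sample users are constructed for the example. It shows the semicolon-separated provider substring check as the page describes it, places a stricter host-name check beside it for comparison (an assumption, not documented product behaviour), and walks through the three outcomes of the local-user mapping: option off (the OpenID URL is the username), option on with an existing attribute value, and option on with auto-provisioning on the first login.

```python
# Added illustrative model of the OpenID class settings described in this
# section. It is not Access Manager code; the class names, the user store and
# the sample data are constructed here for the example.
import hmac
from urllib.parse import urlsplit


def parse_provider_substrings(field: str) -> list[str]:
    """Split the 'Open ID Provider Substrings' field on semicolons."""
    return [s.strip() for s in field.split(";") if s.strip()]


def provider_allowed(openid_url: str, substrings: list[str]) -> bool:
    """Plain substring match on the typed URL, as the setting is described."""
    return any(sub in openid_url for sub in substrings)


def provider_host_allowed(openid_url: str, domains: list[str]) -> bool:
    """Stricter host-based check (an assumption for comparison, not documented
    Access Manager behaviour): the host must equal a listed domain or be a
    subdomain of it, so 'myopenid.com.example.net' is rejected."""
    host = (urlsplit(openid_url).hostname or "").lower()
    for d in domains:
        d = d.lower().lstrip(".")
        if host == d or host.endswith("." + d):
            return True
    return False


class OpenIdUserMapper:
    """Models 'Identify the OpenID user locally', 'LDAP Attribute Name' and
    'Auto Provision LDAP Attribute'. user_store maps a username to its
    attributes and stands in for the LDAP user store (constructed)."""

    def __init__(self, user_store: dict, attribute: str,
                 identify_locally: bool, auto_provision: bool):
        self.user_store = user_store
        self.attribute = attribute
        self.identify_locally = identify_locally
        self.auto_provision = auto_provision

    def _verify_password(self, username: str, password: str) -> bool:
        # Constructed stand-in for the first-login username/password check.
        entry = self.user_store.get(username)
        return entry is not None and hmac.compare_digest(entry["password"], password)

    def resolve(self, openid_url: str, credentials=None):
        """Return the username the session would carry, or None when no
        local user can be identified."""
        if not self.identify_locally:
            # Option not selected: the OpenID URL itself is the username.
            return openid_url
        # Option selected: find a user whose attribute already holds this OpenID.
        for username, attrs in self.user_store.items():
            if attrs.get(self.attribute) == openid_url:
                return username
        # No match. With auto-provisioning, accept username/password once and
        # write the OpenID into the attribute so later logins need no prompt.
        if self.auto_provision and credentials is not None:
            username, password = credentials
            if self._verify_password(username, password):
                self.user_store[username][self.attribute] = openid_url
                return username
        return None


# Constructed sample data: two local users, only alice already mapped.
SAMPLE_STORE = {
    "alice": {"password": "alice-pw", "openIdUrl": "http://alice.myopenid.com"},
    "bob": {"password": "bob-pw"},
}


def demo() -> dict:
    subs = parse_provider_substrings("myopenid.com; .myopenid.com")
    store = {u: dict(a) for u, a in SAMPLE_STORE.items()}  # copy per run
    mapper = OpenIdUserMapper(store, "openIdUrl",
                              identify_locally=True, auto_provision=True)
    first = mapper.resolve("http://bob.myopenid.com", credentials=("bob", "bob-pw"))
    second = mapper.resolve("http://bob.myopenid.com")  # attribute now populated
    return {
        "substring_accepts_lookalike": provider_allowed("https://myopenid.com.example.net/", subs),
        "host_check_accepts_lookalike": provider_host_allowed("https://myopenid.com.example.net/", subs),
        "alice": mapper.resolve("http://alice.myopenid.com"),
        "bob_first_login": first,
        "bob_second_login": second,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The lookalike URL in demo() passes the substring check but fails the host check, which is the point of choosing substrings carefully in step 4. The mapper writes the OpenID into the attribute only after the extra credentials verify, so a failed first-login prompt leaves the store unchanged.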