OpenID Application

Safewhere*Identify’s OpenID protocol connection supports OpenID 2.0, which is widely adopted (http://OpenID.net/specs/) in the community. Using the OpenID 2.0-based protocol connection, it is possible for Safewhere*Identify to act as an OpenID Identity Provider. Thus, users can identify themselves via the multitude of different authentication methods that are supported by Safewhere*Identify and access OpenID 2.0-based web sites and online applications.

The specifications that have been implemented for OpenID can be found via the following links:

  • OpenID authentication 2.0 (http://OpenID.net/specs/OpenID-authentication-2_0.html)
  • OpenID simple registration 1.1 extension (http://OpenID.net/specs/OpenID-simple-registration-extension-1_1-01.html)
  • OpenID provider authentication policy extension (only implementation of “max_auth_age” - http://OpenID.net/specs/OpenID-provider-authentication-policy-extension-1_0.html)
  • OpenID attribute exchange (Fetch requests only - http://OpenID.net/specs/OpenID-attribute-exchange-1_0.html)

There are several steps that will need to be carried out in order to set up an OpenID Protocol Connection:

Step 1: Create a new free claim to be used to store the OpenID identifier for each user.

Go to the claims list to create the claim in which this identifier will be stored. You can e.g. call the new claim “OpenIDidentifier”.

openid 1

Step 2: Inform Safewhere*Identify that this claim is used as the OpenID identifier.

Go to the system setup tab to do this. Simply select “OpenIDidentifier” from the dropdown list.

openid 2

  • This claim's value is unique across all the Identify users. It is auto-generated as a random id in case a user is authenticated by OpenID provider without the initial value.The generated random id is "OpenID[GUID]". Could as an example be: https://[tenant url]/runtime/OpenID/op/OpenIDfdbbea47-80c8-4ef3-aad6-7d9b4cbb30f5
  • The OpenID identifier is defined as https://[tenant url]/runtime/OpenID/op/[OpenID identifier claim's value]

Step 3: Set up an “OpenID protocol connection” for each Service Provider to use it.

Below is explained the different configuration options for each OpenID protocol connection:

openid 3

Redirect URL: Where the user will be redirected back to after succesfull authentication. Required.

Allow redirect to http URL:Set to true if it should be allowed that the user is redirected back to an http URL.

Allow immediate mode:If the end user is not to beable to interact with the OpenID Provider then this should be set to True.

Step 4: Import the claim set which is used for Simple Registration Extension

OpenID Simple Registation is an extension to the OpenID Authentication protocol that allows for very light-weight profile exchange. It is designed to pass eight commonly requested pieces of information when an End User goes to register a new account with a web service. It supports to getEmail, Fullname, DOB, Gender, Nickname, Postcode, Country, Language, and Timezone:

For easy creation for these claims, we can go to the claim list on the Admin site of Identifyand import the claims using the “Import Predefined Claim Types”feature.

openid 4

Choose “Claim Type definitions for OPENID PROVIDER SIMPLE REGISTRATION CLAIMS SET”.

openid 5

Here are the claims that are added after import:

openid 6

Once these have been set up it means that Identify will need to map its claim types to these through the use of claim transformation so that OpenID RP can receive them.

To learn more about OpenID protocol, please click here.