It is possible to authenticate users into a federation using their OpenID account. When setting up OpenID there is no need to set up any account with the provider (as opposed to what is necessary with all the other social authentication connection types).
Although there are no provider-specific configuration fields, you do have some control over the authentication connection through the script file <tenant_directory>\<runtime_directory>\Scripts\OpenID-en.js. Open it and look at the entries for "vidoop" or "launchpad" for examples of how to comment out providers you do not need.
Notice! OpenID is essentially a means of integrating a wide selection of identity providers with Safewhere*Identify. Many of these identity providers may not work properly. This is not necessarily a problem that Safewhere*Identify can do much to alleviate, since the problems mostly lie with the providers themselves. We do, however, list here the status of some of the providers and our success with them in our testing environment, so that you may avoid the annoyance of setting up providers that we have found not to work properly:
- ClickPass: Safewhere*Identify cannot redirect to this provider and always gets the error "No OpenID endpoint found" from OpenID. We have not yet been able to solve this problem.
- ClaimID: We have not been able to test this provider, since they have closed their registration pages and we therefore have had no account for testing.
- Blogger: An error occurs in the communication between Google and Blogger that we unfortunately cannot do anything to fix.
- Google, Yahoo and others: Return an empty claims response. They only authenticate the user and do not answer the claims request, so do not expect attributes beyond the identifier from these providers. Read more on this here: http://stackoverflow.com/questions/3129013/openauth-net-claims-request-is-always-null
Second factor authentication connection: If you want this OpenID authentication connection to have a second factor, you must choose that second factor among the other authentication connections that have been set up in the system. This includes all the One Time Password connections. A range of fields help you set up a two-factor authentication process, if so desired. Each of them is explained below.
- Two factor identities condition: When using two different authentication connections together (which is basically what you are doing when setting up two-factor authentication), each of the two may try to identify the incoming user based on a different identity-bearing claim. This dropdown is activated when you have chosen that the connection will have a second factor. The options in the dropdown are:
- Use the first identity: The system disregards the "Identity bearing claim" value of the second factor and identifies the user based on the first factor only.
- Two identities must be the same: The user is not allowed to log in unless the identity established by the first factor is identical to the identity established by the second factor.
- Enabled for mobile use: Should be checked if you also want to allow mobile users to authenticate using this connection.
- IP-based filter for Home Realm Discovery: Specifies the IP addresses of RPs for the filter. An IP address consists of 4 sections of numbers between 0 and 255, separated by dots. An IP range consists of two IP addresses separated by a dash, with the lower address first. You can enter multiple IP addresses or IP ranges by separating them with semicolons. E.g.: 192.168.1.1;192.168.1.2;192.168.0.0-192.168.1.255.
- Perform log out at SLO: Should be checked if you also want the user to be logged out of the OpenID provider when single log-out (SLO) is performed.
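To make the IP filter syntax concrete, here is an added example (not part of the Safewhere*Identify product or its documentation) that parses a filter string in the format described above and checks whether a given client address matches it. The function names, the use of Python's standard ipaddress module, and the sample filter value are assumptions for illustration only; the product's own matching logic is not shown here.

```python
import ipaddress

# Constructed sample filter in the documented format:
# single addresses and a low-high range, separated by semicolons.
SAMPLE_FILTER = "192.168.1.1;192.168.1.2;192.168.0.0-192.168.1.255"


def parse_ip_filter(filter_text):
    """Parse a semicolon-separated IP filter into a list of (low, high) IPv4 pairs.

    Each entry is either a single IPv4 address (low == high) or two addresses
    separated by a dash. Malformed addresses, IPv6 addresses and reversed
    ranges raise ValueError so that a typo cannot silently widen the filter.
    """
    ranges = []
    for entry in filter_text.split(";"):
        entry = entry.strip()
        if not entry:
            continue  # tolerate a trailing semicolon or blank entry
        if "-" in entry:
            low_text, high_text = entry.split("-", 1)
            low = ipaddress.IPv4Address(low_text.strip())
            high = ipaddress.IPv4Address(high_text.strip())
            if high < low:
                raise ValueError(f"range start is after range end: {entry!r}")
        else:
            # ipaddress.IPv4Address rejects octets outside 0-255 and
            # anything that is not exactly four dotted octets.
            low = high = ipaddress.IPv4Address(entry)
        ranges.append((low, high))
    return ranges


def ip_matches_filter(client_ip, filter_text):
    """Return True if client_ip falls inside any address or range of the filter."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(low <= ip <= high for low, high in parse_ip_filter(filter_text))


if __name__ == "__main__":
    for candidate in ("192.168.1.1", "192.168.0.77", "192.168.2.1", "10.0.0.1"):
        print(candidate, "->", ip_matches_filter(candidate, SAMPLE_FILTER))
```

Two points worth checking before relying on a filter like this for home realm discovery: the address you compare must be the one the server actually saw on the connection (or one taken from a proxy header only when the proxy is trusted and strips client-supplied copies of that header), and the parser should fail closed on malformed entries rather than skip them, since a silently ignored entry changes which connection users are routed to.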
Note: this plugin is deprecated from version 5.5.