
This extension includes support for OpenID Authentication 2.0 (there is no support for OpenID 1.1). It includes support for OpenID Provider identifier selection as well as the use of opaque "directed identifiers". The IdP can optionally be configured to only interact with whitelisted relying parties, using a profile of SAML metadata.

The extension supports the OpenID Provider Authentication Policy Extension 1.0. There is currently no support for user attributes, though both Simple Registration and Attribute Exchange support are planned for a future version.

OpenID URLs

The OpenID extension will create OpenID URLs for users of the form:

https://idp.example.org/idp/openid/user/{username}

The username portion of the URL is either the principal name the user used to authenticate to the Shibboleth IdP or, if directed identifiers are enabled, an opaque base64-encoded string. Directed identifiers keep the principal name out of the URL, so a relying party learns nothing about the account beyond the opaque value.

If you wish to use another URL format, such as http://people.example.org/username, you will need to provide your own means of delegating from those URLs to URLs of the format above; the extension only answers at its own URLs.

Identifier Select

OpenID Provider identifier selection allows users to enter only the domain of their OpenID provider instead of their entire OpenID URL. For example, a user with the above OpenID URL could simply enter "idp.example.org" or "example.org" to initiate OpenID authentication. To enable this flow, the following HTML snippet must be added to the <head> of the page served at the root of that domain (the relying party fetches that page to discover the XRDS document). Because a relying party trusts whatever XRDS location this page advertises, serve the page over HTTPS so an attacker on the path cannot substitute a different provider:

<meta http-equiv="X-XRDS-Location" content="https://idp.example.org/idp/openid/provider/xrds" />
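The relying-party side of the two discovery mechanisms described above (delegation link tags on a personal page, and the X-XRDS-Location meta tag on the domain's home page) is shown below, followed by the checkid_setup request the relying party builds from the result. This is an added example written for this page; it is not code from the Shibboleth IdP OpenID extension. The two HTML documents are constructed sample input, and the OP endpoint URL https://idp.example.org/idp/openid/provider and the relying-party URLs under rp.example.com are assumptions for illustration; the only URL taken from this page is the XRDS location.

```python
"""OpenID 2.0 relying-party discovery over HTML and checkid_setup request building.
Added example; not part of the Shibboleth IdP OpenID extension."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, urlunsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"

# Constructed: what http://people.example.org/alice might serve to delegate to the IdP.
# The provider endpoint URL is an assumption, not one documented on this page.
DELEGATION_HTML = """<html><head><title>alice</title>
<link rel="openid2.provider" href="https://idp.example.org/idp/openid/provider">
<link rel="openid2.local_id" href="https://idp.example.org/idp/openid/user/alice">
</head><body>alice's page</body></html>"""

# Constructed: the example.org home page carrying the meta tag from this page.
HOMEPAGE_HTML = """<html><head>
<meta http-equiv="X-XRDS-Location" content="https://idp.example.org/idp/openid/provider/xrds" />
</head><body>example.org</body></html>"""


def normalize_identifier(user_input):
    """Turn what the user typed ("example.org") into a URL identifier (OpenID 2.0 sec 7.2)."""
    s = user_input.strip()
    if s.lower().startswith("xri://") or (s and s[0] in "=@+$!("):
        raise ValueError("XRI identifiers are not handled in this example")
    if "://" not in s:
        s = "http://" + s
    parts = urlsplit(s)
    if parts.scheme.lower() not in ("http", "https") or not parts.netloc:
        raise ValueError("not an http(s) URL identifier: %r" % user_input)
    # Empty path becomes "/", the fragment is dropped, scheme and host are case-insensitive.
    return urlunsplit((parts.scheme.lower(), parts.netloc.lower(), parts.path or "/", parts.query, ""))


class _DiscoveryParser(HTMLParser):
    """Collect the Yadis meta tag and the openid2.* link tags from <head>; first match wins."""

    def __init__(self):
        super().__init__()
        self.xrds_location = self.provider = self.local_id = None
        self._in_head = False

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self._in_head = True
            return
        if not self._in_head:
            return
        a = {k: v for k, v in attrs if v is not None}
        if tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            if self.xrds_location is None:
                self.xrds_location = a.get("content")
        elif tag == "link":
            rels = a.get("rel", "").lower().split()  # rel is a space-separated token list
            if "openid2.provider" in rels and self.provider is None:
                self.provider = a.get("href")
            if "openid2.local_id" in rels and self.local_id is None:
                self.local_id = a.get("href")

    def handle_endtag(self, tag):
        if tag == "head":
            self._in_head = False


def discover(html_text, page_url):
    """HTML-based discovery on a fetched identifier page (OpenID 2.0 sec 7.3.3 plus Yadis)."""
    p = _DiscoveryParser()
    p.feed(html_text)
    p.close()
    found = {}
    if p.xrds_location:
        # Yadis: the RP's next step is to fetch this XRDS document (not done offline here).
        found["xrds_location"] = urljoin(page_url, p.xrds_location)
    if p.provider:
        found["op_endpoint"] = urljoin(page_url, p.provider)
        found["claimed_id"] = page_url
        # Without openid2.local_id the OP-local identifier is the claimed identifier itself.
        found["op_local_id"] = urljoin(page_url, p.local_id) if p.local_id else page_url
    return found


def checkid_setup_params(op_endpoint, return_to, realm, claimed_id=None, op_local_id=None):
    """Parameters of the checkid_setup redirect (sec 9.1). No claimed_id means identifier select."""
    if urlsplit(op_endpoint).scheme != "https":
        raise ValueError("refusing to send the user to a non-TLS OP endpoint: " + op_endpoint)
    if claimed_id is None:
        # Identifier select: both fields carry the sentinel and the OP picks the identifier.
        claimed_id = op_local_id = IDENTIFIER_SELECT
    return {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": op_local_id or claimed_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
    }


if __name__ == "__main__":
    print(discover(HOMEPAGE_HTML, normalize_identifier("example.org")))
    d = discover(DELEGATION_HTML, "http://people.example.org/alice")
    print(checkid_setup_params(d["op_endpoint"], "https://rp.example.com/return",
                               "https://rp.example.com/", d["claimed_id"], d["op_local_id"]))
```

In the identifier-select path the relying party only learns the XRDS location here; it must then fetch the XRDS document itself to obtain the OP endpoint, and it should never accept a provider URL supplied in the login form. The HTTPS check in checkid_setup_params is the relying-party counterpart of the advice above: a delegation page or home page fetched over plain HTTP can be rewritten in transit, and the IdP's SAML-metadata whitelist only restricts which relying parties the IdP talks to, not which provider a relying party ends up trusting.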

Installation and Configuration


Installation
Configuration