The OpenID extension needs access to Shibboleth's Velocity Engine, which is accomplished by modifying
service.xml. Find the Service with the id "shibboleth.ServiceServletContextAttributeExporter" (it is probably at the bottom of the file). The
depends-on attribute of this Service element contains a space-separated list of service IDs. Add the ID "shibboleth.VelocityEngine" to this list.
Relying Party configuration
In relying-party.xml, add the XML namespace declaration for OpenID. Add the following attribute to the root
<RelyingPartyGroup> element alongside the other namespace declarations:
Add the following schema location declaration in the
xsi:schemaLocation attribute of the same element:
OpenID protocol support is handled in the same way as any other protocol in Shibboleth: it is configured per relying party. Add the following ProfileConfiguration to the appropriate relying party configurations:
<ProfileConfiguration xsi:type="openid:OpenIDAuthProfile" />
This profile configuration supports two optional attributes:
- directedIdentifiers - boolean value that turns on the use of directed identifiers for the relying party. Defaults to 'false'.
- directedIdentifierSalt - salt value that is used to generate directed identifiers, when enabled. Because the identifiers are derived from this salt, changing it changes every directed identifier previously issued to the relying party.
Relying party whitelisting is supported by using a special profile of SAML Metadata to identify the parties. A rather minimal OpenID metadata file identifying a single relying party might look like:
<?xml version="1.0" encoding="UTF-8"?>
<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:mace:shibboleth:openid">
    <!-- entityID below is a placeholder; use the relying party's own identifier -->
    <EntityDescriptor entityID="https://RELYING-PARTY-ID-PLACEHOLDER/">
        <SPSSODescriptor protocolSupportEnumeration="http://specs.openid.net/auth/2.0" />
    </EntityDescriptor>
</EntitiesDescriptor>
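As an added example (not code from the Shibboleth OpenID extension), the following script checks the two edits described above: that the attribute exporter's depends-on list names the Velocity engine, and which relying parties the OpenID metadata actually whitelists. The XML strings are constructed sample input; the service.xml namespace and the second service id are assumptions.

```python
import xml.etree.ElementTree as ET

OPENID_PROTOCOL = "http://specs.openid.net/auth/2.0"
OPENID_METADATA_NAME = "urn:mace:shibboleth:openid"
EXPORTER_ID = "shibboleth.ServiceServletContextAttributeExporter"


def _local(tag):
    """Strip the XML namespace so checks do not depend on prefixes."""
    return tag.rsplit("}", 1)[-1]


def exporter_depends_on_velocity(service_xml):
    """True if the exporter Service lists shibboleth.VelocityEngine in depends-on."""
    for elem in ET.fromstring(service_xml).iter():
        if _local(elem.tag) == "Service" and elem.get("id") == EXPORTER_ID:
            # depends-on is a space separated list of service IDs
            return "shibboleth.VelocityEngine" in elem.get("depends-on", "").split()
    return False  # exporter service not found at all


def openid_relying_parties(metadata_xml):
    """entityIDs whose SPSSODescriptor advertises OpenID 2.0 in the whitelist file."""
    root = ET.fromstring(metadata_xml)
    if _local(root.tag) != "EntitiesDescriptor" or root.get("Name") != OPENID_METADATA_NAME:
        return []  # not the special OpenID metadata profile
    parties = []
    for entity in root.iter():
        if _local(entity.tag) != "EntityDescriptor":
            continue
        for sp in entity:
            if _local(sp.tag) == "SPSSODescriptor" and \
                    OPENID_PROTOCOL in sp.get("protocolSupportEnumeration", "").split():
                parties.append(entity.get("entityID"))
    return parties


# Constructed sample input (namespace and example.OtherService are assumptions)
SERVICE_XML_OK = """<Services xmlns="urn:mace:shibboleth:2.0:services">
  <Service id="shibboleth.VelocityEngine"/>
  <Service id="shibboleth.ServiceServletContextAttributeExporter"
           depends-on="example.OtherService shibboleth.VelocityEngine"/>
</Services>"""
SERVICE_XML_MISSING = SERVICE_XML_OK.replace(" shibboleth.VelocityEngine\"", "\"")
METADATA_XML = """<EntitiesDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" Name="urn:mace:shibboleth:openid">
  <EntityDescriptor entityID="https://rp.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="http://specs.openid.net/auth/2.0"/>
  </EntityDescriptor>
  <EntityDescriptor entityID="https://saml-only.example.org/">
    <SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"/>
  </EntityDescriptor>
</EntitiesDescriptor>"""
```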
PAPE policy URLs are configured the same way as authentication methods. Add the desired URL to the appropriate LoginHandler in
handler.xml inside an AuthenticationMethod element.
If you wish to enable more verbose logging for OpenID, the package name is "edu.internet2.middleware.openid".