Single sign-on (SSO) / OpenID SSO and the Genero Application Server
Specify OpenID provider constraints and mappings in the configuration file.
The Genero OpenID implementation provides a configuration file named configuration.xml in $FGLDIR/web_utilities/services/openid/res.
You can specify OpenID provider constraints for unsupported features (encryption and signature methods). You can also map each OpenID attribute URL to a single short name if the OpenID Attribute Exchange protocol is required.
Some OpenID providers do not support all of the encryption and signature methods recommended in the specification. To work around this, you can specify the supported methods for each individual OpenID provider. By default, the Genero OpenID implementation uses the strongest method.
Each Server element has a secured attribute. When it is true, the authentication process fails with a specific message in the log file if the combination of encryption and signature method is not fully secure.
If you set this attribute to false, the authentication process is no longer fully secured: the keys are exchanged between the OpenID provider and the Genero implementation over unsecured channels and are thus vulnerable to malicious attacks.
If an OpenID provider uses the OpenID Attribute Exchange protocol, you must specify in the configuration file the URL for each kind of attribute the OpenID provider supports.
<Server secured="true" provider="google.com">
  <URL>www.google.com/accounts/o8/ud</URL>
  <Encryption>no-encryption</Encryption>
  <Signature>HMAC-SHA1</Signature>
  <AttributeProfile>http://openid.net/srv/ax/1.0</AttributeProfile>
  <Attribute name="email">http://axschema.org/contact/email</Attribute>
  <Attribute name="country">http://axschema.org/contact/country/home</Attribute>
  <Attribute name="firstname">http://axschema.org/namePerson/first</Attribute>
  <Attribute name="lastname">http://axschema.org/namePerson/last</Attribute>
  <Attribute name="language">http://axschema.org/pref/language</Attribute>
</Server>
The identity provider given in the application configuration file must match an identity provider configured in $FGLDIR/services/openid/res/configuration.xml. The response from the ID provider should contain the provider identity ("google.com", in this example). The AttributeProfile tag indicates how to retrieve the attributes.
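The following Python script is an added example, not part of the Genero product or its documentation. It parses the Server/URL/Encryption/Signature/AttributeProfile/Attribute elements exactly as shown above, audits each provider for the secured="false" setting and for the no-encryption session type, and maps the attribute URLs returned in an Attribute Exchange fetch response onto the short names configured with Attribute name="...". Everything beyond the page's own Server element is constructed for the example: the enclosing Servers wrapper, the second provider idp.example.test with secured="false", and the sample AX response dictionary. Whether Genero itself accepts a missing secured attribute as true is not stated on the page, so the audit treats anything other than secured="true" as a finding.

```python
"""Audit and attribute-mapping helper for the Genero OpenID configuration.xml
layout described above. Added example; not Genero's own code."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample. The first <Server> is the page's example; the <Servers>
# wrapper and the second provider (secured="false") are assumptions added so
# the audit has something to report.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<Servers>
  <Server secured="true" provider="google.com">
    <URL>www.google.com/accounts/o8/ud</URL>
    <Encryption>no-encryption</Encryption>
    <Signature>HMAC-SHA1</Signature>
    <AttributeProfile>http://openid.net/srv/ax/1.0</AttributeProfile>
    <Attribute name="email">http://axschema.org/contact/email</Attribute>
    <Attribute name="country">http://axschema.org/contact/country/home</Attribute>
    <Attribute name="firstname">http://axschema.org/namePerson/first</Attribute>
    <Attribute name="lastname">http://axschema.org/namePerson/last</Attribute>
    <Attribute name="language">http://axschema.org/pref/language</Attribute>
  </Server>
  <Server secured="false" provider="idp.example.test">
    <URL>idp.example.test/openid/endpoint</URL>
    <Encryption>no-encryption</Encryption>
    <Signature>HMAC-SHA1</Signature>
  </Server>
</Servers>
"""

# Constructed AX 1.0 fetch_response as the RP would see it after the redirect:
# openid.ax.type.<alias> carries the attribute URL, openid.ax.value.<alias> the value.
SAMPLE_AX_RESPONSE = {
    "openid.ns.ax": "http://openid.net/srv/ax/1.0",
    "openid.ax.mode": "fetch_response",
    "openid.ax.type.ext0": "http://axschema.org/contact/email",
    "openid.ax.value.ext0": "alice@example.test",
    "openid.ax.type.ext1": "http://axschema.org/namePerson/first",
    "openid.ax.value.ext1": "Alice",
    "openid.ax.type.ext2": "http://axschema.org/person/gender",  # not mapped in config
    "openid.ax.value.ext2": "F",
}


@dataclass
class ServerConfig:
    provider: str
    secured: bool
    url: str
    encryption: str
    signature: str
    attribute_profile: Optional[str]
    attributes: Dict[str, str] = field(default_factory=dict)  # short name -> attribute URL


def load_servers(xml_text: str) -> Dict[str, ServerConfig]:
    """Parse every <Server> element (wherever it sits in the tree) keyed by provider."""
    root = ET.fromstring(xml_text)
    servers: Dict[str, ServerConfig] = {}
    for el in root.iter("Server"):
        provider = el.get("provider")
        if not provider:
            raise ValueError("<Server> element without a provider attribute")

        def text(tag: str) -> Optional[str]:
            child = el.find(tag)
            return child.text.strip() if child is not None and child.text else None

        servers[provider] = ServerConfig(
            provider=provider,
            # Only an explicit secured="true" counts; absent or "false" is reported by audit().
            secured=(el.get("secured", "").strip().lower() == "true"),
            url=text("URL") or "",
            encryption=text("Encryption") or "",
            signature=text("Signature") or "",
            attribute_profile=text("AttributeProfile"),
            attributes={a.get("name"): a.text.strip()
                        for a in el.findall("Attribute") if a.get("name") and a.text},
        )
    return servers


def audit(servers: Dict[str, ServerConfig]) -> List[str]:
    """Findings a reviewer would raise before deploying the file."""
    findings = []
    for cfg in servers.values():
        if not cfg.secured:
            findings.append(f'{cfg.provider}: secured is not "true"; weak method combinations '
                            "will no longer make the authentication fail")
        if cfg.encryption == "no-encryption" and not cfg.url.lower().startswith("https://"):
            findings.append(f"{cfg.provider}: no-encryption association with an endpoint that "
                            "does not state https://; the MAC key travels in the clear unless TLS is used")
        if cfg.attribute_profile and not cfg.attributes:
            findings.append(f"{cfg.provider}: AttributeProfile set but no <Attribute> mappings")
    return findings


def select_server(servers: Dict[str, ServerConfig], provider: str) -> ServerConfig:
    """The provider named in the application configuration must exist in configuration.xml."""
    if provider not in servers:
        raise KeyError(f"identity provider {provider!r} is not configured")
    return servers[provider]


def resolve_ax_attributes(cfg: ServerConfig, response: Dict[str, str]) -> Dict[str, str]:
    """Map an AX fetch_response onto the configured short names; unmapped URLs are dropped."""
    if response.get("openid.ns.ax") != cfg.attribute_profile:
        return {}  # response does not use the profile this provider was configured for
    url_to_name = {url: name for name, url in cfg.attributes.items()}
    resolved = {}
    prefix = "openid.ax.type."
    for key, type_url in response.items():
        if not key.startswith(prefix):
            continue
        name = url_to_name.get(type_url)
        value = response.get("openid.ax.value." + key[len(prefix):])
        if name is not None and value is not None:
            resolved[name] = value
    return resolved


if __name__ == "__main__":
    servers = load_servers(SAMPLE_CONFIG)
    for finding in audit(servers):
        print("FINDING:", finding)
    google = select_server(servers, "google.com")
    print(resolve_ax_attributes(google, SAMPLE_AX_RESPONSE))
```

Run against the real file with `load_servers(open(path).read())`; the audit deliberately reports the page's own google.com entry for its no-encryption session type, since that combination is only safe when the endpoint is reached over TLS, which is exactly the case the secured attribute is there to enforce.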