Genero OpenID configuration

Specify OpenID provider constraints and mappings in the configuration file.

The Genero OpenID implementation provides a configuration file named configuration.xml in $FGLDIR/web_utilities/services/openid/res.

You can specify OpenID provider constraints for features a given provider does not support (encryption and signature methods). If the provider uses the OpenID Attribute Exchange protocol, you can also map each attribute type URL to a single short name.

Server constraints

Some OpenID providers do not support all encryption and signature methods recommended in the specification. To work around this, you can specify the method to use for each individual OpenID provider. By default, the Genero OpenID implementation uses the strongest one.

The encryption method defines how the Genero OpenID implementation and the OpenID provider exchange the signature key. Supported methods are:
  • no-encryption: The signature key is sent in the clear, so HTTPS is required as the communication channel between the OpenID provider and the Genero implementation; the Genero profile must therefore be configured with an SSL certificate and keys.
  • DH-SHA (default): No specific communication channel required. The signature key is exchanged with a Diffie-Hellman key agreement, so it is protected against eavesdropping on the wire.
The signature method defines how the Genero OpenID implementation validates what comes from the OpenID provider. Supported methods are:
  • direct: Requires HTTPS as the communication channel between the OpenID provider and the Genero implementation in order to validate an authentication. Each authentication requires an additional verification request to the OpenID provider.
  • HMAC-SHA1 (default): No specific communication channel required. The Genero OpenID implementation validates the signed response with the shared key and needs no additional request to the OpenID provider.

Each server has a secured attribute. When it is true, a combination of encryption and signature methods that is not fully secured (for example, no-encryption or direct over a channel that is not HTTPS) makes the authentication process fail, with a specific message in the log file.

If you set this attribute to false, the authentication process is no longer fully secured: keys may be exchanged between the OpenID provider and the Genero implementation over an unsecured channel and are then vulnerable to interception and tampering.

OpenID Attribute Exchange mapping

If an OpenID provider uses the OpenID Attribute Exchange protocol, you have to specify in the configuration file the attribute type URL for each attribute the OpenID provider supports.

This example shows the configuration for the Google OpenID provider.
<Server secured="true" provider="google.com">
  <URL>www.google.com/accounts/o8/ud</URL>
  <Encryption>no-encryption</Encryption>
  <Signature>HMAC-SHA1</Signature>
  <AttributeProfile>http://openid.net/srv/ax/1.0</AttributeProfile>
  <Attribute name="email">http://axschema.org/contact/email</Attribute>
  <Attribute name="country">http://axschema.org/contact/country/home</Attribute>
  <Attribute name="firstname">http://axschema.org/namePerson/first</Attribute>
  <Attribute name="lastname">http://axschema.org/namePerson/last</Attribute>
  <Attribute name="language">http://axschema.org/pref/language</Attribute>
</Server>

The identity provider given in the application configuration file must match an identity provider configured in $FGLDIR/services/openid/res/configuration.xml. The response from the identity provider must carry the provider identity ("google.com" in this example), which is matched against the provider attribute of the Server element. The AttributeProfile tag indicates how to retrieve the attributes.
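The following Python script is an added example, not code from Genero or from the page: it reads a constructed configuration.xml fragment shaped like the Google entry above, applies the same rule the secured attribute enforces (no-encryption or direct require an https:// endpoint), and shows how the Attribute mapping turns into the openid.ax.* parameters of an Attribute Exchange fetch request and how a fetch response is mapped back to the short names. The XML sample, the second weak.example provider and the default values assumed for missing elements are the example's own assumptions.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

AX_NS = "http://openid.net/srv/ax/1.0"

# Constructed sample modelled on the page's Google entry; the second server is a
# deliberately misconfigured one (methods that need HTTPS on a plain http:// URL).
CONFIG_XML = """<Servers>
  <Server secured="true" provider="google.com">
    <URL>https://www.google.com/accounts/o8/ud</URL>
    <Encryption>no-encryption</Encryption>
    <Signature>HMAC-SHA1</Signature>
    <AttributeProfile>http://openid.net/srv/ax/1.0</AttributeProfile>
    <Attribute name="email">http://axschema.org/contact/email</Attribute>
    <Attribute name="firstname">http://axschema.org/namePerson/first</Attribute>
  </Server>
  <Server secured="true" provider="weak.example">
    <URL>http://op.weak.example/openid</URL>
    <Encryption>no-encryption</Encryption>
    <Signature>direct</Signature>
  </Server>
</Servers>"""


def parse_servers(xml_text):
    """Parse every Server element into a dict. Defaults for missing elements
    (DH-SHA, HMAC-SHA1, secured=true) are assumptions taken from the page's text."""
    servers = []
    for s in ET.fromstring(xml_text).iter("Server"):
        servers.append({
            "provider": s.get("provider"),
            "secured": s.get("secured", "true").lower() == "true",
            "url": s.findtext("URL", "").strip(),
            "encryption": s.findtext("Encryption", "DH-SHA").strip(),
            "signature": s.findtext("Signature", "HMAC-SHA1").strip(),
            "profile": s.findtext("AttributeProfile", "").strip(),
            "attributes": {a.get("name"): (a.text or "").strip() for a in s.findall("Attribute")},
        })
    return servers


def check_constraints(server):
    """Return a list of problems. Mirrors the 'secured' rule described on the page:
    no-encryption (key sent in clear) and direct (extra verification request) both
    need an https:// endpoint; secured="false" silently disables that protection."""
    problems = []
    needs_tls = server["encryption"] == "no-encryption" or server["signature"] == "direct"
    if needs_tls and urlsplit(server["url"]).scheme != "https":
        problems.append(f"{server['provider']}: {server['encryption']}/{server['signature']} "
                        f"requires an https:// URL, got {server['url']!r}")
    if not server["secured"]:
        problems.append(f"{server['provider']}: secured=\"false\" disables the channel check")
    return problems


def ax_fetch_request(server, required=()):
    """Build the openid.ax.* parameters of an AX fetch_request from the Attribute map.
    The short name from the config is used as the AX alias."""
    if server["profile"] != AX_NS:
        return {}
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request"}
    for name, type_uri in server["attributes"].items():
        params[f"openid.ax.type.{name}"] = type_uri
    if required:
        params["openid.ax.required"] = ",".join(required)
    return params


def ax_decode_response(server, response_params):
    """Map an AX fetch_response back to the config's short names. The provider may
    pick its own aliases in the response, so values are matched by type URI, not alias."""
    by_uri = {uri: name for name, uri in server["attributes"].items()}
    out = {}
    for key, type_uri in response_params.items():
        if key.startswith("openid.ax.type."):
            alias = key[len("openid.ax.type."):]
            name = by_uri.get(type_uri)
            value = response_params.get(f"openid.ax.value.{alias}")
            if name is not None and value is not None:
                out[name] = value
    return out


if __name__ == "__main__":
    for srv in parse_servers(CONFIG_XML):
        print(srv["provider"], check_constraints(srv) or "ok")
        print("  fetch_request:", ax_fetch_request(srv, required=("email",)))
```

Running the script flags weak.example (no-encryption with direct on an http:// endpoint) and accepts the Google entry; the response decoder matches attributes by type URI because an OpenID provider is free to choose different aliases in its fetch_response than the ones sent in the fetch_request.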