Genero OpenID configuration file

Specify OpenID provider constraints and mappings in the configuration file.

The Genero OpenID Single sign-on (SSO) implementation provides a configuration file named configuration.xml in $FGLDIR/web_utilities/services/openid/res.

The OpenID configuration file allows you to specify server constraints and OpenID Attribute Exchange mappings, described in the following sections.

Server constraints

Some OpenID providers do not support all encryption and signature methods recommended in the specification. To work around this, you can specify the supported method for each individual OpenID provider. By default, the Genero OpenID implementation uses the strongest one.

The encryption method defines how the Genero OpenID implementation and the OpenID provider exchange the signature key. Supported methods are:

  no-encryption
    Requires HTTPS as the communication channel between the OpenID provider and the Genero implementation. The SSL certificate and keys must be specified in the fglprofile of the OpenID service ($FGLDIR/web_utilities/services/openid/res/fglprofile).

  DH-SHA
    Default. No specific communication channel is required. The signature key is exchanged using a Diffie-Hellman (public/private key) agreement, which protects the exchange on its own.

The signature method defines how the Genero OpenID implementation validates what comes from the OpenID provider. Supported methods are:

  direct
    Requires HTTPS as the communication channel between the OpenID provider and the Genero implementation in order to validate an authentication. Each authentication process requires an additional connection to the OpenID provider.

  HMAC-SHA1
    Default. No specific communication channel is required. The Genero OpenID implementation validates the authentication without any additional request to the OpenID provider.

Each server has a secured attribute. When it is set to true, a combination of encryption and signature methods that is not fully secured causes the authentication process to fail, with a specific message in the log file.

If you set this attribute to false, the authentication process is no longer fully secured: keys are exchanged between the OpenID provider and the Genero implementation over an unsecured channel, where they can be intercepted or tampered with.

OpenID Attribute Exchange mapping

If an OpenID provider uses the OpenID Attribute Exchange protocol, the configuration file must define a URL for each kind of attribute the OpenID provider supports.

The following example shows the configuration for the Google OpenID provider.
<Server secured="true" provider="google.com">
  <URL>www.google.com/accounts/o8/ud</URL>
  <Encryption>no-encryption</Encryption>
  <Signature>HMAC-SHA1</Signature>
  <AttributeProfile>http://openid.net/srv/ax/1.0</AttributeProfile>
  <Attribute name="email">http://axschema.org/contact/email</Attribute>
  <Attribute name="country">http://axschema.org/contact/country/home</Attribute>
  <Attribute name="firstname">http://axschema.org/namePerson/first</Attribute>
  <Attribute name="lastname">http://axschema.org/namePerson/last</Attribute>
  <Attribute name="language">http://axschema.org/pref/language</Attribute>
</Server>

The identity provider given in the application configuration file must match an identity provider configured in $FGLDIR/services/openid/res/configuration.xml.

The response from the ID provider should contain the provider identity ("google.com" in the above example).

The AttributeProfile element indicates the method to retrieve the attributes.
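As an added example (not Genero's own code), the following script parses a configuration.xml in the format shown above and reports, for each Server, the chosen methods, whether the combination depends on an HTTPS channel, and whether the secured check has been switched off. The Configuration root element and the second, weakened server entry are constructed assumptions; the defaults applied for missing elements are the ones the page states.

```python
# Added example, not Genero's own code: parse a Genero OpenID configuration.xml
# and report each <Server>'s constraints as the page describes them.
import xml.etree.ElementTree as ET

# Constructed sample. The <Configuration> root element and the second
# server (a weakened setup) are assumptions; the first server is the
# google.com entry from the page.
SAMPLE_CONFIG = """<Configuration>
<Server secured="true" provider="google.com">
  <URL>www.google.com/accounts/o8/ud</URL>
  <Encryption>no-encryption</Encryption>
  <Signature>HMAC-SHA1</Signature>
  <AttributeProfile>http://openid.net/srv/ax/1.0</AttributeProfile>
  <Attribute name="email">http://axschema.org/contact/email</Attribute>
  <Attribute name="firstname">http://axschema.org/namePerson/first</Attribute>
</Server>
<Server secured="false" provider="idp.example.test">
  <URL>idp.example.test/openid</URL>
  <Encryption>DH-SHA</Encryption>
  <Signature>direct</Signature>
</Server>
</Configuration>"""

# Methods that, per the page, only work over an HTTPS channel.
HTTPS_ONLY = {"no-encryption", "direct"}

def lint_servers(xml_text):
    """Return one dict per <Server>: provider, chosen methods (page defaults
    applied when an element is missing), whether the combination depends on
    HTTPS, whether the secured check is disabled, and the AX attribute map."""
    findings = []
    for srv in ET.fromstring(xml_text).iter("Server"):
        enc = (srv.findtext("Encryption") or "DH-SHA").strip()
        sig = (srv.findtext("Signature") or "HMAC-SHA1").strip()
        findings.append({
            "provider": srv.get("provider"),
            "encryption": enc,
            "signature": sig,
            "needs_https": enc in HTTPS_ONLY or sig in HTTPS_ONLY,
            "secured_check_disabled": srv.get("secured", "true").lower() == "false",
            "attributes": {a.get("name"): (a.text or "").strip()
                           for a in srv.findall("Attribute")},
        })
    return findings

def unsecured_servers(findings):
    """Providers whose secured check is off: key exchange may run unprotected."""
    return sorted(f["provider"] for f in findings if f["secured_check_disabled"])
```

Servers reported with needs_https should have the HTTPS channel confirmed in the service fglprofile; servers returned by unsecured_servers should be restored to secured="true" unless the provider limitation is understood.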