Presentation
LL::NG can act as an OpenID 2.0 Server, which allows federating LL::NG with:
LL::NG is compatible with the OpenID Authentication protocol versions 2.0 and 1.0. It can be used just to share authentication, or to share users' attributes following the OpenID Simple Registration Extension 1.0 (SREG) specification.
When LL::NG is configured as an OpenID identity provider, users can share their authentication using [PORTAL]/openidserver/[login] where:
- [PORTAL] is the portal URL
- [login] is the user login (or any other session information, see below)
Example:
http://auth.example.com/openidserver/foo.bar
Configuration
In the Manager, go to General Parameters » Issuer modules » OpenID and configure:
- Activation: set to On
- Path: keep ^/openidserver/ unless you have changed the Apache portal configuration file.
- Use rule: a rule allowing users to use this module; set to 1 to always allow.
Tip
For example, to allow only users with a strong authentication level:
Then go to Options to define:
- Secret token: a secret token used to secure transmissions between OpenID client and server (see below).
- OpenID login: the session key used to match the OpenID login.
- Authorized domains: white list or black list of OpenID client domains (see below).
- SREG mapping: link between SREG attributes and session keys (see below).
Tip
If OpenID login is not set, it uses General Parameters » Logs » REMOTE_USER data, which is set to uid by default.
Shared attributes (SREG)
SREG permits sharing 8 attributes:
- Nick name
- Email
- Full name
- Date of birth
- Gender
- Postal code
- Country
- Language
- Timezone
Each SREG attribute is associated with a user session key. A session key can be associated with more than one SREG attribute.
Note
If the OpenID consumer asks for data, users will be prompted to accept or refuse the data sharing.
Security
- LL::NG can be configured to restrict OpenID exchanges using a white or a black list of domains.
- If not set, the secret token is calculated using the general encryption key.
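The behaviour described in the SREG and Security sections (identifier URL, release of only the requested and user-accepted SREG attributes from mapped session keys, and the domain white/black list applied to the consumer) modelled as an added example. This is illustrative Python written for this page, not LL::NG's own Perl code, and the session keys, mapping and domains are constructed sample values.

```python
from urllib.parse import urlparse

# The nine field names defined by the SREG 1.0 specification.
SREG_FIELDS = ("nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone")


def identity_url(portal: str, login: str) -> str:
    """Build [PORTAL]/openidserver/[login], the identifier a user shares."""
    return f"{portal.rstrip('/')}/openidserver/{login}"


def domain_allowed(return_to: str, mode: str, domains: set) -> bool:
    """Apply the 'Authorized domains' policy to a consumer's return_to URL.
    mode 'white': only listed domains (and their subdomains) pass;
    mode 'black': listed domains (and their subdomains) are refused."""
    host = (urlparse(return_to).hostname or "").lower()
    # Exact match or a real subdomain; 'notpartner.example' must not match 'partner.example'.
    listed = any(host == d or host.endswith("." + d) for d in domains)
    return listed if mode == "white" else not listed


def sreg_response(session: dict, mapping: dict, requested: list, accepted: list) -> dict:
    """Build the openid.sreg.* values released to the consumer.
    mapping: SREG attribute -> session key (one session key may serve several attributes).
    An attribute is released only if the consumer requested it, the user accepted it,
    it is mapped to a session key, and that key holds a non-empty value."""
    released = {}
    for attr in requested:
        if attr not in SREG_FIELDS or attr not in accepted:
            continue
        key = mapping.get(attr)
        if key and session.get(key) not in (None, ""):
            released[f"openid.sreg.{attr}"] = str(session[key])
    return released


if __name__ == "__main__":
    # Constructed sample session and mapping (not from a real deployment).
    session = {"uid": "foo.bar", "mail": "foo.bar@example.com", "cn": "Foo Bar"}
    mapping = {"nickname": "uid", "fullname": "cn", "email": "mail", "timezone": "tz"}
    print(identity_url("http://auth.example.com", "foo.bar"))
    print(domain_allowed("https://app.partner.example/return", "white", {"partner.example"}))
    # The consumer asks for five fields; the user accepts only two at the consent prompt.
    print(sreg_response(session, mapping,
                        ["nickname", "email", "fullname", "timezone", "dob"],
                        ["nickname", "email"]))
```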
Attention
Note that the SAML protocol is more secure than OpenID, so when your partners are known, prefer SAML.