IdP OpenID Extension

This extension to the Shibboleth 2.x IdP adds support for OpenID, allowing the IdP to function as an OpenID 2.0 Provider.

Status

At this time, the OpenID Extension should be considered an "alpha" release. Future versions of the extension will likely differ considerably in terms of Java APIs, configuration, and functionality.

OpenID Support

This extension includes support for OpenID Authentication 2.0 (there is no support for OpenID 1.1). It includes support for OpenID Provider identifier selection as well as the use of opaque "directed identifiers". The IdP can optionally be configured to only interact with whitelisted relying parties, using a profile of SAML metadata.

The extension supports the OpenID Provider Authentication Policy Extension 1.0. There is currently no support for user attributes, though both Simple Registration and Attribute Exchange support are planned for a future version.

OpenID URLs

The OpenID extension will create OpenID URLs for users of the form:

https://idp.example.org/idp/openid/user/{username}

The username portion of the URL will either be the principal name the user used to authenticate to the Shibboleth, or an opaque base64 encoded string, if directed identifiers are enabled.

If you wish to have another URL format, such as http://people.example.org/username, you will need to provide your own means of delegating those URLs to the URLs of the format above.

Identifier Select

OpenID provider identifier selection allows users to enter only the domain of their OpenID provider instead of their entire OpenID URL. For example, a user with the above OpenID URL could simply enter "idp.example.org" or "example.org" to initiate OpenID authentication. To enable this flow, the following HTML snippet must be added into the <head> of the homepage on the domain:

<meta http-equiv="X-XRDS-Location" content="https://idp.example.org/idp/openid/provider/xrds" />

Installation and Configuration