Work is underway to add native OpenID support to the Shibboleth 2.x Identity Provider. The current goal is for a working deliverable by the end of the 2009 calendar year. This page will document what can be expected in the deliverable.
Because this work is being done without any specific use cases in mind, and because there is some time before it will actually be deployed, we're taking a few liberties with regard to protocol support. Rather than attempting to support the OpenID protocol and community as they exist today, we're looking ahead at where the technology is going and using that as our guide. As we near completion, or as more specific use cases are presented, we may go back and selectively add support for some technologies that were initially omitted.
What will be delivered?
There will be at least three deliverables: two generic Java libraries, and a Shibboleth IdP extension.
XRD Java Library
The Extensible Resource Descriptor (XRD) specification is currently being drafted within the XRI Technical Committee of OASIS. This will be the specification future versions of OpenID and OAuth discovery are scheduled to use. It is a complete replacement for both XRDS (currently used by OpenID 2.0) and XRDS-Simple (currently used by OAuth Discovery 1.0).
The first deliverable will be a generic library which implements the parsing, processing, and publishing of XRD documents. It will provide basic implementations for verifying the signatures and trust of these documents.
OpenID Java Library
The second deliverable will be a new OpenID protocol library. This library will provide OpenID request and response handling, signature verification, and limited support for certain OpenID extensions. This library will NOT include a full OpenID provider or relying party; it is designed to implement the OpenID protocol, but not all of the associated business logic. Specific notes with regard to supported features:
- OpenID Authentication 2.0 will be supported. There are currently no plans to support OpenID Authentication 1.1.
- There are currently no plans to support XRDS for discovery. Those portions of the library will instead use XRD, as that specification is developed.
- The current plan is to support XRI identifiers. That may be pushed to a later version of the library... I'm not sure.
- OpenID Provider-driven identifier selection will be supported.
- True directed identity will be possible (generating a unique identifier per user, per relying party). However, the library will likely not provide full support for this; implementers will need to do a little more work.
- Support for the following OpenID extensions is planned: Attribute Exchange 1.0, PAPE 1.0, Simple Registration 1.0.
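As an added illustration of the directed identity item above (this is constructed example code, not part of the Shibboleth libraries described on this page), the sketch below derives a per-user, per-relying-party identifier by keying an HMAC over the local principal name and the relying party's normalized realm, so the same user cannot be correlated across relying parties. The key, the OP endpoint URL and the realm normalization rules are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed example key. A real deployment keeps a long-lived secret in
# protected configuration; rotating it changes every user's identifiers.
PAIRWISE_KEY = b"constructed-example-key-do-not-reuse"
# Hypothetical OP endpoint under which the derived identifiers are served.
OP_ENDPOINT = "https://idp.example.org/openid"
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_realm(realm: str) -> str:
    """Reduce an OpenID 2.0 realm to the scheme and host the RP controls.

    'https://*.rp.example.com/' (wildcard realm), 'https://RP.example.com:443/'
    and 'https://rp.example.com/login' all map to the same partition, so one
    relying party sees one stable identifier per user.
    """
    parts = urlsplit(realm)
    scheme = parts.scheme.lower()
    host = parts.hostname or ""          # already lowercased, port stripped
    if host.startswith("*."):            # OpenID wildcard realm
        host = host[2:]
    port = parts.port
    if port and port != DEFAULT_PORTS.get(scheme):
        host = f"{host}:{port}"
    return f"{scheme}://{host}"


def directed_identifier(local_user: str, realm: str) -> str:
    """Return a stable, RP-specific pseudonymous claimed identifier.

    HMAC-SHA256 over (user, partition) means a relying party cannot invert
    the identifier to the local principal, and two relying parties cannot
    link the same user by comparing identifiers.
    """
    partition = normalize_realm(realm)
    # NUL separator so "ab" + "c" and "a" + "bc" cannot collide.
    msg = f"{local_user}\0{partition}".encode("utf-8")
    mac = hmac.new(PAIRWISE_KEY, msg, hashlib.sha256).hexdigest()
    return f"{OP_ENDPOINT}/id/{mac[:32]}"


if __name__ == "__main__":
    for realm in ("https://rp1.example.com/", "https://rp2.example.com/"):
        print(realm, "->", directed_identifier("alice", realm))
```

The identifier for a given user and relying party is only as stable as the key and the normalization, so both should be treated as part of the deployment's persistent configuration.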
Shibboleth IdP Plugin
The final deliverable will be a Shibboleth IdP plugin which takes the above libraries and adds XRD and OpenID support to Shibboleth. This plugin will include the appropriate Shibboleth protocol handlers, attribute encoders, etc., to make OpenID feel just as native to Shibboleth as SAML does.