Building an OpenID Provider Site

Recently, I had the opportunity to set up an OpenID provider for the University. If you are not familiar with OpenID, the OpenID foundation provides a good introduction. Most big websites already provide an OpenID identity tied to your credentials. However, at NUS we needed something different: an OpenID associated with NUS credentials, mainly to allow NUS student projects to authenticate NUS students with little hassle and without the security implications of handling passwords themselves. Hence, we needed to become an OpenID provider that authenticates NUS credentials against our backend (LDAP, RADIUS).

Being an OpenID provider was not as well documented or as straightforward as hoped. As of now, there is no complete “OpenID package”; the best you get is a set of OpenID libraries that you can use to build out your site. This is flexible, but not ideal for getting people started easily. In our case, we are building an OpenID front end to an LDAP (AD) backend.

If you are trying to do the same thing as us, this is what you need to get started.

  1. Find a library that already does what you need. Janrain sounds like a popular solution for a simple site, but we (I) love the additional power provided by Zend Framework.
  2. Follow the example code. Zend’s documentation is known for being sparse, so you really need to read the code. Basically, most of the protocol handling is encapsulated by the Zend_OpenID_Provider calls, like handle() and respondToConsumer(). You might need to dig into that code if you are doing fancy redirects.
  3. Because user authentication is done by LDAP, the provider still needs somewhere to store per-user information such as trusted sites. For that, you will need to write your own “storage” engine (e.g. SoC_OpenID_Provider_Storage_LDAP).
  4. Authentication against LDAP is also done by the “storage” engine. You need to adapt the addUser(), hasUser() and checkUser() parts.
  5. To support SReg (Simple Registration), you can use LDAP to return information about the user, such as email and nickname. Use the storage engine for that too.
I might post code if time permits. Cheers!
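As an added example (my sketch, not the NUS/SoC code or anything shipped by Zend), here is what steps 3 and 4 look like as a storage engine: it extends the file-based storage that comes with Zend Framework 1 so associations and trusted sites are handled for you, and overrides only addUser(), hasUser() and checkUser() to go to LDAP. The host, base DN and uid attribute are placeholders; the class name follows the page's SoC_OpenID_Provider_Storage_LDAP idea, and the base class name is Zend's own (Zend_OpenId_Provider_Storage_File).

```php
<?php
// Added example, not the NUS/SoC code: an LDAP-backed storage for
// Zend_OpenId_Provider (ZF1) that reuses the shipped file storage for
// associations/trusted sites; host, base DN and uid attribute are placeholders.
require_once 'Zend/OpenId/Provider/Storage/File.php';

class SoC_OpenId_Provider_Storage_Ldap extends Zend_OpenId_Provider_Storage_File
{
    private $_host   = 'ldap.example.edu';            // placeholder
    private $_baseDn = 'ou=people,dc=example,dc=edu'; // placeholder
    // http://openid.nus.edu.sg/a0066250 -> a0066250. Only plain account
    // characters pass, which also keeps LDAP filter metacharacters out.
    private function _account($id)
    {
        $name = trim((string) parse_url($id, PHP_URL_PATH), '/');
        return preg_match('/^[A-Za-z0-9._-]+$/', $name) ? $name : false;
    }
    // Anonymous lookup of the DN ($name is already validated); bind a service
    // account first if the directory (e.g. AD) disallows anonymous search.
    private function _findDn($name)
    {
        $conn = ldap_connect($this->_host);
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        $res = @ldap_search($conn, $this->_baseDn, "(uid=$name)", array('dn'));
        $e = $res ? ldap_get_entries($conn, $res) : array('count' => 0);
        ldap_unbind($conn);
        return $e['count'] === 1 ? $e[0]['dn'] : false;
    }
    // Accounts exist only in the directory, so the provider never creates them.
    public function addUser($id, $password) { return false; }
    public function hasUser($id)
    {
        $name = $this->_account($id);
        return $name !== false && $this->_findDn($name) !== false;
    }
    public function checkUser($id, $password)
    {
        $name = $this->_account($id);
        // An empty password must fail here: many directories treat a bind
        // with an empty password as anonymous and report success.
        if ($name === false || $password === '' || ($dn = $this->_findDn($name)) === false) {
            return false;
        }
        $conn = ldap_connect($this->_host);
        ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
        $ok = @ldap_bind($conn, $dn, $password); // bind as the user
        ldap_unbind($conn);
        return $ok;
    }
}
```

Pass an instance to the Zend_OpenId_Provider constructor in place of the default storage; the identifier the provider hands to checkUser() is the full URL, which is why the account name is taken from the URL path.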

NUS OpenID 2.0 identifier select

NUS OpenID is now OpenID 2.0 ready! With this comes an awesome feature called identifier select. So how does it work?

With OpenID 1.1, you need to type your identifier (http://openid.nus.edu.sg/a0066250) into the consumer site you are visiting. This is a bit redundant, because when you are bounced to openid.nus.edu.sg for authentication, it already knows that you are user a0066250.

OpenID 2.0 solves this problem with identifier select. With that, you just have to enter the generic URL http://openid.nus.edu.sg as your identifier. After you are authenticated, your real identifier is passed back to the consumer site (which still verifies, through discovery on that identifier, that openid.nus.edu.sg is authoritative for it). To make things easier, consumers do not even have to ask for your identifier. They just need a button (logo) for your provider, and users can click on the logo to get logged in straight away!

With these new features, NUS OpenID hopes to save you lots of hassle typing your credentials into every website. Have fun!