Building an OpenID Provider Site

Recently, I’ve gotten the opportunity of setting up an OpenID provider for the University. If you are not familiar with OpenID, the OpenID foundation provides a good introduction. Most big websites already provide an OpenID identity with your  credentials. However, in NUS, we needed something different – an OpenID associated with NUS credentials, mainly to allow NUS student projects to authenticate NUS students with little hassle or security implications. Hence, we needed to become an OpenID provider who will authenticate NUS credentials to our backend (LDAP, Radius).

Being an OpenID provider was not as documented/straightforward as hoped. As of now, there is no complete “OpenID package”. The best are some OpenID libraries that you can use to build out your site. This has flexibility,but is not ideal to get people started easily. For us, we are looking to do an OpenID -> LDAP (AD) backend.

If you are trying to do the same thing as us, this is what you need to get started.

  1. Find some libraries that already does what you need to do. Janrain sounds like a popular solution for a simple site, but we (I) love the additional power that is provided by Zend Framework.
  2. Follow the example code. Zend’s documentation is quite known for being sparse, so you really need to read code. Basically, most functions are encapsulated by the Zend_OpenID_Provider calls, like handle() and respondToConsumer(). You might need to dig into that code if you are doing fancy redirects.
  3. Because user’s authentication is done by LDAP, the provider needs some place to store user’s information like trusted sites. For that, you will need to write your own “storage” engine (e.g. SoC_OpenID_Provider_Storage_LDAP).
  4. The authentication to LDAP is also done by the “storage” engine. You need to hack around the parts addUser(), hasUser() and checkUser().
  5. To do Sreg, you can use LDAP to return information about the user, like (email, nickname). Use storage engine for that too.
I might post codes if time permits. Cheers!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s