OpenID
The portal supports OpenID so that you can use your GENI portal account to log in to other GENI services, such as LabWiki. As of this writing (early October, 2012) it's a little quirky, but works.
To use your GENI OpenID you need a URL that matches your GENI identity. Each user has a unique URL, and these are of the form:
https://portal.geni.net/server/server.php/idpage?user=USERNAME
Services that use OpenID have a login box where you type in your unique URL; you are then sent to the GENI portal to authenticate. Here's how to log in using your GENI account:
- Enter your unique URL in the OpenID box
- You'll then be presented with an "OpenID Server Endpoint" page. Click "Log In" along the top of the page
- If you're already signed in to the portal, you'll be redirected to a "Log In" page. If you're not already signed in to the portal you'll be asked to sign in
- At the "Log In" page, enter your GENI username and click the "Log In" button
- Now you'll be presented with a confirmation page asking if you want to share information with the OpenID service provider. Click on the "Confirm" button
- You should now be redirected back to the service provider and logged in via your GENI OpenID
Installation
Add OpenID to your apache config file (/etc/apache2/sites-available/default-ssl) by adding this line alongside the other portal/clearinghouse services:
Include /usr/share/geni-ch/openid/apache2.conf
Restart apache:
sudo service apache2 restart
Fix the config files by replacing the hostname in the following two files (unfortunately, this must be repeated after every make install):
/usr/share/geni-ch/openid/src/server-direct/config.php
/usr/share/geni-ch/openid/src/server-indirect/config.php
If you want to do local testing you can add a simple OpenID consumer by adding another line to the apache config:
Include /usr/share/geni-ch/openid/apache2-consumer.conf
then visit https://dev-host.domain/openid.
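The three install steps above (the Include lines, the hostname fix that has to follow every make install, and the optional consumer) as one script. This is an added example, not part of geni-ch. It assumes the two config.php files carry the deployment host name as a literal string (the page does not show their contents) and that the Include lines belong in /etc/apache2/sites-available/default-ssl; the function names and the example host names are made up.

```shell
#!/bin/sh
# Added example, not part of geni-ch: a helper for the post-"make install" steps
# above. Assumptions (the page does not show the files' contents): the two
# config.php files carry the deployment host name as a literal string, and the
# Include lines live in /etc/apache2/sites-available/default-ssl. Both paths can
# be overridden through the environment, which is also how a dry run works.
OPENID_ROOT="${OPENID_ROOT:-/usr/share/geni-ch/openid}"
APACHE_SITE="${APACHE_SITE:-/etc/apache2/sites-available/default-ssl}"

# ensure_include FILE LINE: append LINE to FILE unless it is already there,
# so re-running after another "make install" does not duplicate Include lines.
ensure_include() {
    grep -qxF -- "$2" "$1" 2>/dev/null && return 0
    printf '%s\n' "$2" >> "$1"
}

# fix_hostname OLD NEW: replace OLD with NEW in both config.php files.
# Returns non-zero if a file is missing or does not contain OLD, so a silent
# no-op (e.g. the layout changed in a newer install) is caught, not ignored.
fix_hostname() {
    old="$1"; new="$2"; rc=0
    case "$old$new" in
        *[!A-Za-z0-9.-]*) echo "host names must be letters, digits, '.' or '-'" >&2; return 2;;
    esac
    old_re=$(printf '%s' "$old" | sed 's/\./\\./g')   # only '.' needs escaping for sed
    for f in "$OPENID_ROOT/src/server-direct/config.php" \
             "$OPENID_ROOT/src/server-indirect/config.php"; do
        if [ ! -f "$f" ]; then
            echo "missing: $f" >&2; rc=1; continue
        fi
        if ! grep -qF -- "$old" "$f"; then
            echo "'$old' not found in $f" >&2; rc=1; continue
        fi
        sed -i.bak "s/$old_re/$new/g" "$f" && rm -f "$f.bak"
    done
    return $rc
}

# config_hosts_agree HOST: both halves of the server must now name HOST.
config_hosts_agree() {
    grep -qF -- "$1" "$OPENID_ROOT/src/server-direct/config.php" &&
    grep -qF -- "$1" "$OPENID_ROOT/src/server-indirect/config.php"
}

# install_openid OLD_HOST NEW_HOST [with-consumer]: the whole procedure, minus
# the apache restart, which is left to the operator.
install_openid() {
    ensure_include "$APACHE_SITE" "Include $OPENID_ROOT/apache2.conf"
    if [ "$3" = "with-consumer" ]; then
        ensure_include "$APACHE_SITE" "Include $OPENID_ROOT/apache2-consumer.conf"
    fi
    fix_hostname "$1" "$2" || return 1
    config_hosts_agree "$2" || return 1
    echo "config updated; now run: sudo service apache2 restart"
}
```

Run it as `install_openid build-host.example.org portal.example.org with-consumer` after each make install. It refuses to continue if either config.php is missing or no longer contains the old host name, rather than silently leaving one half of the server pointing at the wrong host, and the Include lines are only ever added once.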
OpenID involves two parties, a relying party (RP) and an OpenID provider (OP). The RP is similar in nature to the Shibboleth service provider (SP) and the OP is similar to the Shibboleth identity provider (IdP). The protocol, however, differs in a fundamental way. Shibboleth relies purely on browser redirects and not direct communication between the two parties. OpenID relies on both direct and indirect communication. With OpenID, the communication pattern is roughly:
- User enters OpenID URL at RP
- RP fetches that URL and looks for a metadata entry (the location of the XRDS document) in the HTML head
- RP fetches the OpenID metadata (XRDS) from that location
- RP establishes a shared secret with OP
- RP redirects the user's browser to the OP endpoint given in the fetched XRDS
- User authenticates to the OP
- OP redirects the user's browser back to RP
Instead of OpenID's direct communication, Shibboleth relies on an out-of-band metadata exchange (namely of public keys) to facilitate information exchange. OpenID replaces this key exchange by establishing a shared secret between RP and OP.
Integrating OpenID with our Shibboleth service provider requires splitting OpenID into two pieces, one for direct communications with the RP (server-direct) and one for indirect communications via browser redirects (server-indirect). This split is necessary because the RP must communicate to the OP directly but cannot authenticate via Shibboleth, while we want to require Shibboleth authentication of the user in order to provide OpenID information to the RP. Thus server-direct lives outside of Shibboleth, and server-indirect is protected by Shibboleth.
There's another catch: shared secrets. Part of the OpenID protocol involves establishing a shared secret between RP and OP. This is done over the direct channel, but the secret is then needed during the indirect part of the exchange (the OP signs the response it sends back through the browser with it, and the RP checks that signature). So the two parts of the OpenID server must be configured to share the shared secrets. This is done by giving both parts the same configuration directory in their respective config files.
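The exchange listed above, together with the shared-secret catch just described, as one runnable model. This is an added example and not GENI portal or php-openid code: HTTP requests are Python calls, the OP's direct and indirect halves are two methods that can be given the same or different association stores, and every URL, host name and the identity page HTML is made up. It uses the no-encryption association session type, which OpenID 2.0 only permits over TLS (the Diffie-Hellman session types are omitted).

```python
"""Added example (not GENI portal or php-openid code) of the OpenID 2.0 exchange
sketched above: discovery, direct association, the checkid_setup redirect and RP
verification of the signed id_res. HTTP is replaced by Python calls; URLs are made up."""
import base64
import hashlib
import hmac
import os
import re
from urllib.parse import parse_qsl, urlencode, urlparse

NS = "http://specs.openid.net/auth/2.0"
OP_ENDPOINT = "https://portal.example.net/openid/server.php"   # assumed
RP_RETURN_TO = "https://labwiki.example.net/openid/return"      # assumed
IDENTITY_URL = "https://portal.example.net/server/server.php/idpage?user=alice"
# Constructed identity page: the HTML head the RP inspects in step 2 of the flow.
IDENTITY_HTML = f'<html><head><link rel="openid2.provider" href="{OP_ENDPOINT}"></head></html>'

def discover(html):
    """Step 2: find the OP endpoint advertised in the identity page."""
    m = re.search(r'<link\s+rel="openid2\.provider"\s+href="([^"]+)"', html)
    if not m:
        raise ValueError("no openid2.provider link in identity page")
    return m.group(1)

def sign(mac_key, fields):
    """HMAC-SHA256 over the OpenID key-value form: 'key:value\\n' per signed field."""
    kv = "".join(f"{k}:{v}\n" for k, v in fields).encode()
    return base64.b64encode(hmac.new(mac_key, kv, hashlib.sha256).digest()).decode()

class Provider:
    """OP split like server-direct / server-indirect; each half reads a store dict
    (assoc_handle -> MAC key). Different dicts reproduce the misconfiguration above."""
    def __init__(self, direct_store, indirect_store=None):
        self.direct_store = direct_store
        self.indirect_store = direct_store if indirect_store is None else indirect_store
        self.nonce = 0

    def direct(self, p):
        """Step 4: RP -> OP, no browser, so no Shibboleth. no-encryption assumes TLS."""
        if p.get("openid.mode") != "associate" or p.get("openid.session_type") != "no-encryption":
            return {"ns": NS, "error": "unsupported request"}
        handle, key = base64.b64encode(os.urandom(12)).decode(), os.urandom(32)
        self.direct_store[handle] = key
        return {"ns": NS, "assoc_handle": handle, "assoc_type": "HMAC-SHA256",
                "session_type": "no-encryption", "mac_key": base64.b64encode(key).decode()}

    def indirect(self, redirect_url, shib_user):
        """Steps 5-7 via the browser; shib_user is the identity Shibboleth asserted."""
        q = dict(parse_qsl(urlparse(redirect_url).query))
        key = self.indirect_store.get(q.get("openid.assoc_handle"))
        if q.get("openid.mode") != "checkid_setup" or key is None:
            # A real OP would answer an unknown handle with invalidate_handle and a
            # private association; refusing makes the shared-store requirement visible.
            return RP_RETURN_TO + "?" + urlencode({"openid.ns": NS, "openid.mode": "error"})
        identity = f"https://portal.example.net/server/server.php/idpage?user={shib_user}"
        self.nonce += 1
        signed = [("op_endpoint", OP_ENDPOINT), ("claimed_id", identity), ("identity", identity),
                  ("return_to", q["openid.return_to"]), ("assoc_handle", q["openid.assoc_handle"]),
                  ("response_nonce", f"2012-10-01T00:00:{self.nonce:02d}Z{os.urandom(4).hex()}")]
        resp = {"openid.ns": NS, "openid.mode": "id_res",
                "openid.signed": ",".join(k for k, _ in signed), "openid.sig": sign(key, signed)}
        resp.update({"openid." + k: v for k, v in signed})
        return RP_RETURN_TO + "?" + urlencode(resp)

class RelyingParty:
    def __init__(self, op):
        self.op = op
        self.assocs, self.seen_nonces = {}, set()   # assoc_handle -> MAC key; used nonces

    def begin(self, claimed_id, identity_html):
        """Steps 1-5: discover the OP, associate, build the checkid_setup redirect."""
        endpoint = discover(identity_html)
        a = self.op.direct({"openid.ns": NS, "openid.mode": "associate",
                            "openid.assoc_type": "HMAC-SHA256", "openid.session_type": "no-encryption"})
        self.assocs[a["assoc_handle"]] = base64.b64decode(a["mac_key"])
        return endpoint + "?" + urlencode({
            "openid.ns": NS, "openid.mode": "checkid_setup", "openid.claimed_id": claimed_id,
            "openid.identity": claimed_id, "openid.assoc_handle": a["assoc_handle"],
            "openid.return_to": RP_RETURN_TO})

    def finish(self, return_url, expected_claimed_id):
        """Step 7: accept id_res only if signed with our association, addressed to us, not replayed."""
        q = dict(parse_qsl(urlparse(return_url).query))
        key = self.assocs.get(q.get("openid.assoc_handle"))
        signed_keys = q.get("openid.signed", "").split(",")
        must_sign = {"op_endpoint", "return_to", "response_nonce", "assoc_handle", "claimed_id", "identity"}
        if (q.get("openid.mode") != "id_res" or key is None or not must_sign <= set(signed_keys)
                or any("openid." + k not in q for k in signed_keys)):
            return None                       # unsigned fields could be edited in the browser
        fields = [(k, q["openid." + k]) for k in signed_keys]
        if (not hmac.compare_digest(sign(key, fields), q.get("openid.sig", ""))
                or q["openid.return_to"] != RP_RETURN_TO or q["openid.op_endpoint"] != OP_ENDPOINT
                or q["openid.claimed_id"] != expected_claimed_id
                or q["openid.response_nonce"] in self.seen_nonces):
            return None
        self.seen_nonces.add(q["openid.response_nonce"])
        return q["openid.claimed_id"]
```

With one shared store, `Provider.direct` hands out an assoc_handle and MAC key, `Provider.indirect` signs the id_res with the key it looks up by that handle, and `RelyingParty.finish` verifies the signature, the return_to and op_endpoint, and the nonce. Construct the Provider with two different dicts and the indirect half cannot find the handle, which is the situation the text warns about. The RP also refuses any response whose signature does not cover claimed_id, identity, return_to, op_endpoint, response_nonce and assoc_handle, since anything outside openid.signed can be rewritten in the browser on the way back.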
The consumer and server are example programs from php-openid (http://janrain.com/openid-enabled/), an open source project (latest from git, commit dbd9d3edb9e23a4d8482f8af999f725bc74502c9). There are minor modifications to php-openid/examples/server/server.php to form both server-direct and server-indirect. The consumer example is unmodified.
The openid software is in the source:openid directory, and is installed in /usr/share/geni-ch/openid. The servers and optionally the consumer are added to the web server via their apache2.conf files (see Installation above).