Background: OpenID
Traditional identity authentication stores user information in a separate system, which may be a directory server, a database, the local file system or a custom store. At authentication time the user supplies a user name and password, which are checked against that user information system to confirm that the user is legitimate. OpenID, in contrast, is a decentralized online identity authentication system. On a Web site that supports OpenID, users do not need to remember traditional credentials such as a user name and password. Instead, they register in advance with a Web site that acts as an OpenID identity provider; authenticating to the identity provider then completes authentication to the OpenID-enabled Web site, which greatly simplifies the login process.
Any Web site can use OpenID as a way for users to log in, and any Web site can act as an OpenID identity provider. Because OpenID identifies a digital identity without relying on a central Web site, it is used by a growing number of large sites: Google, Facebook, myOpenID and Yahoo are all OpenID identity providers. Two specifications are mainstream at present, OpenID 2.0 and OAuth 1.0. Google, myOpenID and Yahoo use the OpenID 2.0 specification, while Facebook uses the OAuth 1.0 specification.
The OpenID specification defines only the basic authentication mechanism. Applications usually also need to exchange user attributes with the OpenID identity provider, so two attribute exchange protocols are built on top of it: SReg (Simple Registration) and AX (Attribute Exchange). SReg defines only a few common attributes such as nickname, email and fullname. AX is more complex and can exchange any information, as long as both sides of the exchange agree on the attribute definition.
WebSphere Portal 8.0 support for OpenID
WebSphere Portal, as an information provider, supports OpenID from version 8.0. Administrators configure which OpenID providers are supported, and users select the appropriate identity provider on the login page to authenticate to WebSphere Portal and then access the site's personalized information and services. From an implementation perspective, WebSphere Portal runs on WebSphere Application Server, which provides an extension point for handing over authentication, the Trust Association Interceptor (TAI). WebSphere Portal 8.0 implements such a TAI to establish the trust relationship between WebSphere Application Server and the OpenID identity provider. Even after an OpenID identity provider is configured, WebSphere Portal users can still log on the way they did before.
There are two ways to configure OpenID in WebSphere Portal. Depending on their needs, users can choose one of them to integrate external users into WebSphere Portal, or combine the two:
One WebSphere Portal user is bound to one user of the OpenID identity provider, a one-to-one correspondence. This mapping is stored in a user attribute, and which attribute holds it can be customized in WebSphere Portal.
All users of an OpenID identity provider are treated collectively as a single WebSphere Portal user. Administrators set permissions for these users uniformly and do not need to register each of them in WebSphere Portal. This configuration requires fewer steps from the user but more configuration steps from the administrator.
The attribute exchange is configured in a different place in each of these two modes. This article takes the OpenID 2.0 specification as its example and describes both ways of configuring OpenID in WebSphere Portal, with some usage examples.
One-to-one mapping between OpenID identity provider users and WebSphere Portal users
In this configuration a user of an OpenID identity provider is bound to a user of WebSphere Portal; for example, the OpenID user Portal80user1 is bound to the WebSphere Portal user user1. This does not mean that every user of the OpenID identity provider maps to a WebSphere Portal user, nor that every WebSphere Portal user must map to a user of an OpenID identity provider. The binding is specified by the user and stored in a user attribute, and which attribute is used is customizable.
Configuration steps
WebSphere Portal can be configured with multiple OpenID identity providers, such as Google, Yahoo and myOpenID, and administrators decide which ones to configure. Before configuring, make sure that the system time of the WebSphere Portal server is correct. Assume that the WebSphere Portal server is installed on Linux and that the administrator wants to configure two OpenID identity providers, Google and Yahoo. The steps are as follows.
1. Run the enable-identityprovider-tai task
First, the administrator runs the enable-identityprovider-tai task:
./ConfigEngine.sh enable-identityprovider-tai -Didp.providerlist=openid \
-Dopenid.servicenames=Google,Yahoo -Dopenid.servicenames.endpoints=\
https://www.google.com/accounts/o8/id,http://me.yahoo.com \
-DWasUserId=wpsadmin -DWasPassword=wpsadmin
The customization parameters used in this task have the following meanings:
-Didp.providerlist
Specifies the list of supported OpenID identity provider types. For identity providers that follow the OpenID 2.0 specification, such as Google and Yahoo, the value is openid; for identity providers that follow OAuth 1.0, such as Facebook, the value is facebook. In our hypothetical case this parameter is openid.
-Dopenid.servicenames
When configuring OpenID 2.0 identity providers, this parameter lists the identity providers to configure. In our hypothetical case it is Google,Yahoo.
-Dopenid.servicenames.endpoints
The endpoint URLs of the OpenID identity providers. If more than one identity provider is configured, list every endpoint here; the entries in this list must match those in -Dopenid.servicenames in number and order. In our hypothetical case this parameter is https://www.google.com/accounts/o8/id,https://me.yahoo.com/.
Note that this task can be run repeatedly, and each run overwrites the result of the previous one. To add a supported OpenID identity provider, list both the original identity providers and the new one in the parameters when rerunning the task.
2. Modify the configuration parameters of the Profile Management and Login portlets
To display the interface elements designed for OpenID, the Profile Management and Login portlets need additional configuration. These changes must be made as an administrator.
First log in to WebSphere Portal as an administrator, browse to Administration > Portlet Management > Portlets, locate the Login portlet, click the Configure portlet button, modify the following parameters and save:
show_idp_option
Whether to display the elements designed to support OpenID in the Login portlet. The default is false; set it to true in our hypothetical scenario.
show_idp_max
The maximum number of OpenID identity providers displayed. The default is 4; it can be set to 2 in our hypothetical scenario.
providername.image
The icon for an identity provider. The Login portlet does not have this parameter by default; the administrator adds it, one parameter per configured identity provider. In our hypothetical case the following two parameters are added. If no image is specified, the button shows the name of the identity provider as text.
Google.image: https://www.google.com/intl/en_all/images/logos/images_logo_lg.gif
Yahoo.image: http://l.yimg.com/a/i/ww/met/yahoo_logo_us_061509.png
Then locate the Profile Management portlet, click the Configure portlet button, modify the following parameters and save:
show_idp_option
Whether to display the elements designed to support OpenID in this portlet. The default is false; set it to true in our hypothetical scenario.
show_idp_max
The maximum number of OpenID identity providers displayed. The default is 4; it can be set to 2 in our hypothetical scenario.
providername.image
The icon for an identity provider. This portlet does not have this parameter by default; the administrator adds it, one parameter per configured identity provider. In our hypothetical case the two parameters shown below are added. If no image is specified, the button shows the name of the identity provider as text.
Google.image: https://www.google.com/intl/en_all/images/logos/images_logo_lg.gif
Yahoo.image: http://l.yimg.com/a/i/ww/met/yahoo_logo_us_061509.png
3. Copy the required files
Copy the following files to the AppServer_root\lib\ext directory:
PortalServer_root\prereqs.infra\prereq.commons.httpclient\lib\ext\commons-codec-1.3.jar
PortalServer_root\prereqs.infra\prereq.commons.httpclient\lib\ext\commons-httpclient-3.0.1.jar
4. Obtain the OpenID identity providers' SSL certificates
Log on to the WebSphere Integrated Solutions Console as an administrator, browse to Security > SSL certificate and key management, and under Configuration settings click Manage endpoint security configurations. Under Outbound > hostname > nodes > node_name > Servers, select WebSphere_Portal, then select Key stores and certificates under Related Items.
Click NodeDefaultTrustStore and select Signer certificates under Additional Properties.
Then click Retrieve from port for each OpenID identity provider and fill in the following information:
Host
The OpenID identity provider's endpoint host name, without the protocol header. In our hypothetical case, enter www.google.com for Google and me.yahoo.com for Yahoo.
Port
The port number of the OpenID identity provider, usually 443.
Alias
An alias for the SSL certificate. It can be arbitrary, but it is best to make it identify the identity provider, for example Google for Google and Yahoo_cert for Yahoo.
Click Retrieve signer information to obtain the identity provider's SSL certificate, then save it. In our hypothetical case we retrieve and save the certificates of Google and Yahoo separately.
5. Restart the WebSphere Portal server
Run the following commands in the wp_profile_root/bin directory to restart the WebSphere Portal server so that the configuration above takes effect.
./stopServer.sh WebSphere_Portal -username admin_userid -password admin_password
./startServer.sh WebSphere_Portal
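The five steps above hinge on two details that are easy to get wrong: the two -D lists in step 1 must stay aligned and must contain every provider on each rerun, and step 4 needs each endpoint's bare host name. The following POSIX shell script is an added example, not from the article or from WebSphere Portal itself: it keeps the provider list in one place, checks that it is complete, prints the enable-identityprovider-tai command for the full list, and derives the Host values for the signer-certificate step. The provider list and the ADMIN_USER_ID/ADMIN_PASSWORD values are constructed placeholders.

```sh
# Constructed provider list (not from the article): one "Name=endpoint" entry per
# line. The task takes names and endpoints as two comma-separated lists matched
# by position, so the order of entries here is the order in both lists.
PROVIDERS='Google=https://www.google.com/accounts/o8/id
Yahoo=https://me.yahoo.com'
WAS_USER_ID="${WAS_USER_ID:-ADMIN_USER_ID}"      # placeholder credentials
WAS_PASSWORD="${WAS_PASSWORD:-ADMIN_PASSWORD}"

# Value for -Dopenid.servicenames, e.g. "Google,Yahoo".
service_names() {
    printf '%s\n' "$1" | awk -F= 'NF == 2 && $1 != "" { if (s != "") s = s ","; s = s $1 } END { print s }'
}

# Value for -Dopenid.servicenames.endpoints, in the same order as the names.
service_endpoints() {
    printf '%s\n' "$1" | awk -F= 'NF == 2 && $2 != "" { if (s != "") s = s ","; s = s $2 } END { print s }'
}

# Host of each endpoint with protocol header and path stripped, one per line:
# the Host value for "Retrieve from port" on NodeDefaultTrustStore (port 443).
signer_hosts() {
    printf '%s\n' "$1" | sed -e 's/^[^=]*=//' -e 's#^[A-Za-z]*://##' -e 's#[/:].*$##'
}

# Returns 0 only when every entry has both a name and an endpoint, i.e. the two
# -D lists will have the same length and line up entry by entry.
validate_providers() {
    total=$(printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }')
    names=$(service_names "$1" | tr ',' '\n' | awk 'NF { n++ } END { print n + 0 }')
    endpoints=$(service_endpoints "$1" | tr ',' '\n' | awk 'NF { n++ } END { print n + 0 }')
    [ "$total" -gt 0 ] && [ "$names" -eq "$total" ] && [ "$endpoints" -eq "$total" ]
}

# Prints the complete task. Rerunning it replaces the earlier provider set, so
# the whole list is always passed, never only a newly added provider.
print_tai_task() {
    printf './ConfigEngine.sh enable-identityprovider-tai -Didp.providerlist=openid \\\n'
    printf '  -Dopenid.servicenames=%s \\\n' "$(service_names "$1")"
    printf '  -Dopenid.servicenames.endpoints=%s \\\n' "$(service_endpoints "$1")"
    printf '  -DWasUserId=%s -DWasPassword=%s\n' "$WAS_USER_ID" "$WAS_PASSWORD"
}

if validate_providers "$PROVIDERS"; then
    print_tai_task "$PROVIDERS"
    echo "Hosts for Retrieve from port (port 443):"
    signer_hosts "$PROVIDERS"
else
    echo "provider list is incomplete or misaligned" >&2
fi
```

To add a provider later, append one line to PROVIDERS and rerun the script; the printed task then carries the old and new providers together, as step 1 requires.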
Once the configuration is complete, the WebSphere Portal login page looks like Figure 1.
Figure 1. The WebSphere Portal login page after OpenID is configured