Monday May 07, 2007

Our OpenID server's getting some press

Our OpenID implementation is getting some press here, here and here. If you happen to be wandering around CommunityONE - we're here (Glassfish alley)! Come with your questions and checkout the demo.

Sunday Apr 22, 2007

An out-of-the-box OpenID server built atop OpenDS and Java EE

I've been tinkering with public domain OpenIDs for the past few months and found the OpenID service, as it is described, to be useful indeed. I say "as described" since it is clearly not the end all be all Internet authentication service, however, it is interesting and worth exploring further. To that end, I've developed a light-weight, demo quality, OpenID provider. It's easily deployable atop any Java EE container and backed by the OpenDS directory server. Note: Credit goes to Paul Bryan (an OpenSSO contributor) for the initial OpenID protocol handler.

Why develop yet another OpenID provider? Unfortunately, I could not find a maintained, easily deployable, Java EE based provider that actually worked. In addition, as a directory guy, I believe people and identity centric data belong in the directory and not spread amongst n different databases. I'm currently at the O'Reilly Web 2.0 Expo and have been informally polling attendees on general identity management topics; e.g., where are your users stored?, what authentication protocols do you support?, and the like. Brandon, I was wrong - you are right, new applications are still emerging with their own, siloed "user tables" to stuff people and their passwords. Evidently, there is still much education to be done around directory. I trust that this proof-of-concept will assist in showing others the light on how simple it is to support the newest of the new protocols. Give it a try.


I'm running the demo atop Ubuntu, Java 6, Glassfish V2, and the latest OpenDS download. Ensure you obtain a build dated 4/21/2007 or later.
  1. Install OpenDS
  2. Drop in the OpenID schema file. In the case of OpenDS simply drop this file in $opends_home/config and restart OpenDS.
  3. Download the OpenID application (WAR) and deploy to your application server. Please note the fine print below.
  4. To get started register a new user by "claiming in ID" via the bundled user interface http://localhost:8080/opendsidp/. Copy the generated claim URL; e.g., http://yourhost/opendsidp/claims/username and go use it. For starters try using your claim at http://jyte.com.

The fine print:
Since this is demoware, I made many assumptions about the environment. Most of these assumptions are configurable though a few currently are not. Also, I've left a few features out. In particular, I've left manually accepting/rejecting trust roots for another day.

Please note the following: It is assumed the directory server is on the localhost, listening on port 1389, and may be read by the user cn="directory manager" with the password "password". The base DN is "dc=example,dc=com" and the people base DN is "ou=people,dc=example,dc=com". Additionally, it is required that all OpenID users must belong to the group "openidusers" and that group is located in ou=groups,dc=example,dc=com. The OpenID configuration and authentication tokens (user cookies) are stored in ou=openid, dc=example,dc=com. You do not need to create the groups or openid configuration buckets, they will be created on startup. If your ldap host, port, query user, based dn, or base people dn are different you are free to change the default values by editing the web.xml file located in the WEB-INF directory. The attributes that need changing should be obvious. Confused? Don't be, if you install OpenDS out-of-the-box and accept the default installation configuration you'll be good to go. Good luck!

About

treydrake

Search

Categories
Archives
« April 2014
SunMonTueWedThuFriSat
  
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
   
       
Today