© 2011 Karthik Ethirajan, all rights reserved
OpenID Explained. Karthik Ethirajan, October 2011
Agenda
1. Executive Overview
2. What is OpenID?
3. OpenID Identity Providers
4. OpenID Relying Parties
5. OpenID Adoption
6. OpenID Implementation & Login Flow
7. OpenID Evolution
8. Recommended Approach for OpenID
9. Appendix – Registration Flow
Executive Overview
Decentralized mechanism for single sign-on: No single Identity Provider controls the OpenID ecosystem. Anyone can offer or accept OpenID using the published specs and sample libraries.
No fees to enable OpenID: OpenID is an open source project, so there are no license fees for Identity Providers or Relying Parties.
Join the big boys club: Google, Yahoo, Facebook, Microsoft, PayPal and others are foundation members. OpenID is widely adopted on the Identity Provider side, giving 1B+ users an OpenID ready to use.
Lackluster adoption by Relying Parties: Only about 50,000 sites have adopted OpenID.
What is OpenID?
OpenID leverages existing user accounts at well-known Identity Providers to log into Relying Party websites. It echoes the single sign-on concept, but without the need for the user to establish yet another ID.
An OpenID can be a URL or an email address.
OpenID enables dynamic discovery of the Identity Provider by embedding its domain information in the OpenID itself.
The user's account name/ID with the Identity Provider is reformatted to be OpenID compliant.
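The identifier handling this slide describes, as an added example that is not part of the original deck: a Relying Party normalizes whatever the user typed according to OpenID 2.0 Authentication section 7.2, then takes the host out of the result to run discovery against. The inputs used below are constructed from the provider formats listed later in the deck; rejecting identifiers that carry a user:pass@ part is this example's own defensive choice, not a rule from the specification.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

# XRI Global Context Symbols: an identifier starting with one of these is an XRI,
# not a URL (OpenID 2.0 Authentication, section 7.2).
XRI_GCS = "=@+$!("
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_identifier(user_input: str) -> Tuple[str, str]:
    """Normalize a user-typed OpenID; returns ("xri", xri) or ("url", url).

    Rules from OpenID 2.0 Authentication section 7.2: strip an "xri://" prefix;
    an identifier starting with a Global Context Symbol is an XRI; anything else
    is a URL identifier, given an "http://" scheme when it has none, with the
    fragment removed and RFC 3986 normalization applied (lower-case scheme and
    host, default port dropped, empty path becomes "/").
    """
    ident = user_input.strip()
    if not ident:
        raise ValueError("empty identifier")
    if ident.lower().startswith("xri://"):
        ident = ident[len("xri://"):]
    if ident[0] in XRI_GCS:
        return "xri", ident
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("URL identifier must be http(s) with a host")
    if parts.username is not None:
        # This example's own choice: an identifier carrying user:pass@ is rejected
        # rather than silently rewritten, so discovery is never run against a
        # host hidden behind the userinfo part.
        raise ValueError("URL identifier must not contain userinfo")
    host = parts.hostname.lower()
    port = parts.port  # raises ValueError on a non-numeric port
    netloc = host if port in (None, DEFAULT_PORTS[scheme]) else f"{host}:{port}"
    path = parts.path or "/"
    return "url", urlunsplit((scheme, netloc, path, parts.query, ""))


def discovery_host(user_input: str) -> Optional[str]:
    """Host that Yadis/HTML discovery is run against for a URL identifier.

    This is the "domain information embedded in the OpenID" the slide refers to.
    XRIs go through an XRI resolver instead, so None is returned for them.
    """
    kind, value = normalize_identifier(user_input)
    if kind == "xri":
        return None
    return urlsplit(value).hostname


if __name__ == "__main__":
    # Constructed inputs, shaped like the provider formats listed later in the deck.
    for typed in ("me.yahoo.com", "Username.LiveJournal.com:80/#top",
                  "https://www.google.com/accounts/o8/id", "xri://=example.name"):
        print(f"{typed!r:45} -> {normalize_identifier(typed)}")
```

The point a Relying Party implementer should take from this is that two visually different strings can be the same identifier after normalization, so account lookups and the later comparison against the provider's assertion must use the normalized form, never the raw input.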
OpenID Identity Providers
Well adopted, but less publicized: Although Identity Providers such as Google and Facebook have provided guidance to the standard (potentially as a hedge), they offer competing products and seek to maintain their dominance of the IDP market.
Providers reluctant to accept OpenID: The providers are strong proponents of OpenID. However, they are much less enthusiastic when it comes to accepting one on their own websites.
Examples of OpenID Format
Google: https://www.google.com/accounts/o8/id
AOL: openid.aol.com/username
Yahoo: me.yahoo.com
MySpace: myspace.com/username
Blogger: username.blogger.com
Verisign: username.pip.verisignlabs.com
Orange: openid.orange.fr
LiveJournal: username.livejournal.com
OpenID Relying Parties
Source: openiddirectory.com
No real incentive for adoption: The current version of OpenID offers limited support for user attribute transfer.
User experience has not been exceptional: OpenID has failed to deliver on several of the issues it aims to solve.
Well suited for long tail websites: OpenID is the only viable option for participating in the federation of identity.
Examples of OpenID Login
OpenID Adoption
Factors Influencing Adoption
Identity Provider Adoption
• The majority of large Identity Providers such as Google, Yahoo and Microsoft provide OpenIDs.
• Potential gains in marketing and thought leadership are significant if the user community decides to adopt.
• Major Identity Providers are also OpenID Foundation members.
Relying Party Adoption
• The current OpenID implementation is cumbersome for developers and users (integration is not smooth, long URL for users to remember).
• The data attribute function is very limited in the first iteration, leaving little incentive for relying parties to adopt the standard over other federation methods.
Statistics
More than 1 Billion OpenID enabled user accounts
Over 50K sites currently accept OpenID for login
Source: openid.net, http://upon2020.com
OpenID adoption differs significantly between Identity Providers and Relying Parties. For large identity providers, potential gains outweigh costs. For relying parties, the limited attribute transfer, complexity of integration, and poor user experience hinder more widespread adoption.
OpenID Implementation & Login Flow
Parties in the diagram: Relying Party (OpenID Consumer); Identity Provider (Authentication Server); OpenID APIs from openid.net.
1. User attempts to log into the website using OpenID.
2. Relying Party redirects the user to the IDP website for authentication.
3. Verification is returned and the user is redirected back to the Relying Party website.
Integration: OpenID is enabled using free open source libraries. RPs and IDPs simply integrate the desired code into their sites.
OpenID specifications are implemented on both Relying Party and Identity Provider servers using established open source libraries.
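Steps 2 and 3 of the flow as the Relying Party's code sees them, as an added example that is not part of the original deck and not taken from any openid.net library: the RP builds the checkid_setup redirect, and when the browser comes back it recomputes the HMAC-SHA256 signature over the fields named in openid.signed (Key-Value Form, OpenID 2.0 Authentication sections 4.1.1 and 6) with the association's MAC key, and checks the return_to, the discovered op_endpoint and the response_nonce before trusting the assertion. The endpoint, return URL, MAC key, nonce and timestamps are constructed; the five-minute nonce window is this example's choice; the signing function plays the provider's role only so the sample can be built offline.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import urlencode

OPENID2_NS = "http://specs.openid.net/auth/2.0"
# Fields the OP must cover with its signature (OpenID 2.0 Authentication, section 10.1).
REQUIRED_SIGNED = ("op_endpoint", "return_to", "response_nonce", "assoc_handle")
NONCE_WINDOW = timedelta(minutes=5)  # tolerated clock skew on response_nonce; this example's choice


def build_checkid_setup_url(op_endpoint, claimed_id, op_local_id, return_to, realm, assoc_handle):
    """Step 2 on the slide: the RP redirects the browser to the OP with a checkid_setup request."""
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": claimed_id,
        "openid.identity": op_local_id,
        "openid.return_to": return_to,
        "openid.realm": realm,
        "openid.assoc_handle": assoc_handle,
    }
    return op_endpoint + ("&" if "?" in op_endpoint else "?") + urlencode(params)


def sign_assertion(params, mac_key):
    """HMAC-SHA256 over the Key-Value Form ("key:value\\n", openid.signed order, no "openid." prefix),
    base64 encoded. The OP computes this with the association MAC key; the RP recomputes it."""
    fields = params["openid.signed"].split(",")
    kv_form = "".join(f"{f}:{params['openid.' + f]}\n" for f in fields)
    digest = hmac.new(mac_key, kv_form.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_assertion(params, mac_key, expected_return_to, expected_op_endpoint, seen_nonces, now):
    """Step 3 on the slide: the RP checks the positive assertion that arrived on return_to.
    Returns (True, "ok") or (False, reason); seen_nonces is updated only on success."""
    if params.get("openid.ns") != OPENID2_NS or params.get("openid.mode") != "id_res":
        return False, "not an OpenID 2.0 positive assertion"
    if params.get("openid.return_to") != expected_return_to:
        return False, "return_to mismatch"
    # The endpoint must be the one discovery produced for this claimed_id, or any OP could vouch for it.
    if params.get("openid.op_endpoint") != expected_op_endpoint:
        return False, "op_endpoint does not match discovered endpoint"
    fields = params.get("openid.signed", "").split(",")
    required = set(REQUIRED_SIGNED) | {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not required.issubset(fields):
        return False, "required field not covered by signature"
    try:
        expected_sig = sign_assertion(params, mac_key)
    except KeyError:
        return False, "signed field missing from response"
    if not hmac.compare_digest(expected_sig, params.get("openid.sig", "")):
        return False, "bad signature"
    nonce = params["openid.response_nonce"]
    try:  # the nonce starts with a UTC timestamp "YYYY-MM-DDThh:mm:ssZ" (section 10.1)
        issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return False, "malformed response_nonce"
    if abs(now - issued) > NONCE_WINDOW:
        return False, "response_nonce outside accepted window"
    if (expected_op_endpoint, nonce) in seen_nonces:
        return False, "response_nonce reused"
    seen_nonces.add((expected_op_endpoint, nonce))
    return True, "ok"


# Constructed sample values; not taken from any real deployment.
SAMPLE_OP = "https://op.example.net/openid"
SAMPLE_RETURN_TO = "https://rp.example.org/openid/return?sid=7f3a"
SAMPLE_MAC_KEY = bytes(range(32))  # 32-byte MAC key agreed in the association step
SAMPLE_NOW = datetime(2011, 10, 1, 12, 0, 30, tzinfo=timezone.utc)


def make_sample_assertion():
    params = {
        "openid.ns": OPENID2_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": SAMPLE_OP,
        "openid.claimed_id": "https://alice.example.net/",
        "openid.identity": "https://alice.example.net/",
        "openid.return_to": SAMPLE_RETURN_TO,
        "openid.response_nonce": "2011-10-01T12:00:00Zk3jd82",
        "openid.assoc_handle": "assoc-0001",
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign_assertion(params, SAMPLE_MAC_KEY)
    return params


def run_checks():
    """A genuine assertion, the same assertion delivered twice, and one whose claimed_id was altered."""
    seen = set()
    genuine = make_sample_assertion()
    altered = dict(genuine, **{"openid.claimed_id": "https://bob.example.net/"})
    return {
        "genuine": verify_assertion(genuine, SAMPLE_MAC_KEY, SAMPLE_RETURN_TO, SAMPLE_OP, seen, SAMPLE_NOW),
        "replayed": verify_assertion(genuine, SAMPLE_MAC_KEY, SAMPLE_RETURN_TO, SAMPLE_OP, seen, SAMPLE_NOW),
        "altered": verify_assertion(altered, SAMPLE_MAC_KEY, SAMPLE_RETURN_TO, SAMPLE_OP, set(), SAMPLE_NOW),
    }


if __name__ == "__main__":
    print(build_checkid_setup_url(SAMPLE_OP, "https://alice.example.net/", "https://alice.example.net/",
                                  SAMPLE_RETURN_TO, "https://rp.example.org/", "assoc-0001"))
    for name, outcome in run_checks().items():
        print(f"{name:9} -> {outcome}")
```

The order of the checks matters less than their completeness: the signature proves the assertion came from the OP that holds the association key, the op_endpoint comparison proves that OP is the one discovery named for the claimed identifier, and the nonce store keeps a captured assertion from being accepted a second time.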
OpenID Evolution
OpenID Connect is the newly released version of OpenID. It contains several enhancements for easy integration and for enabling data attribute transfer.
OpenID Connect is an identity framework that provides authentication, authorization, and attribute transmission capability.
OpenID Connect is built on top of OAuth 2.0 and JSON Web Token (JWT).
Accepts email as a valid OpenID format.
A suite of lightweight specifications communicating identity via RESTful APIs.
Supports protocol extension, data encryption & advanced session management.
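The two building blocks the slide names, OAuth 2.0 and JWT, meet in the ID token a Relying Party receives at the end of the OpenID Connect flow. As an added example that is not part of the original deck, this is the validation an RP performs on that token, following the checks listed in OpenID Connect Core 1.0 section 3.1.3.7. The issuer, client id, client secret, nonce and timestamps are constructed; the HS256 signature keyed with the client_secret is the form the specification allows for a confidential client; the minting function stands in for the provider only so the sample can be built offline.

```python
import base64
import hashlib
import hmac
import json


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def mint_id_token(claims, client_secret):
    """Provider side, used here only to construct the sample: an HS256 JWT keyed with the
    client_secret, which OpenID Connect Core permits for a confidential client."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(client_secret.encode("utf-8"), f"{header}.{payload}".encode("ascii"), hashlib.sha256)
    return f"{header}.{payload}.{b64url_encode(mac.digest())}"


def validate_id_token(token, client_secret, issuer, client_id, expected_nonce, now):
    """RP side: the checks of OpenID Connect Core 1.0 section 3.1.3.7.
    Returns (True, claims) or (False, reason)."""
    try:
        h, p, s = token.split(".")
        header = json.loads(b64url_decode(h))
        claims = json.loads(b64url_decode(p))
    except ValueError:
        return False, "malformed token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # Pin the algorithm agreed at registration; "none" or any alg chosen by the sender is not honoured.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(client_secret.encode("utf-8"), f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_encode(expected), s):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        return False, "audience mismatch"
    if len(audiences) > 1 and claims.get("azp") != client_id:
        return False, "azp mismatch"
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return False, "token expired"
    # The nonce ties the token to the authentication request this RP session started.
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, claims


# Constructed sample values; not from any real provider.
SAMPLE_ISSUER = "https://op.example.net"
SAMPLE_CLIENT_ID = "rp-client-7f3a"
SAMPLE_CLIENT_SECRET = "constructed-client-secret-do-not-reuse"
SAMPLE_NONCE = "n-0S6_WzA2Mj"
SAMPLE_NOW = 1317470430  # 2011-10-01T12:00:30Z as a Unix timestamp
SAMPLE_CLAIMS = {"iss": SAMPLE_ISSUER, "sub": "user-1234", "aud": SAMPLE_CLIENT_ID,
                 "iat": 1317470400, "exp": 1317474000, "nonce": SAMPLE_NONCE,
                 "email": "alice@example.net"}


def run_checks():
    """A genuine token, the same token presented to another client, a re-encoded payload, and an expired token."""
    token = mint_id_token(SAMPLE_CLAIMS, SAMPLE_CLIENT_SECRET)
    h, p, s = token.split(".")
    # Same signature, payload re-encoded with a different subject: must fail the signature check.
    reencoded = b64url_encode(json.dumps(dict(SAMPLE_CLAIMS, sub="user-9999")).encode())
    args = (SAMPLE_CLIENT_SECRET, SAMPLE_ISSUER, SAMPLE_CLIENT_ID, SAMPLE_NONCE)
    return {
        "genuine": validate_id_token(token, *args, SAMPLE_NOW),
        "other_client": validate_id_token(token, SAMPLE_CLIENT_SECRET, SAMPLE_ISSUER, "rp-client-0000",
                                          SAMPLE_NONCE, SAMPLE_NOW),
        "altered_payload": validate_id_token(f"{h}.{reencoded}.{s}", *args, SAMPLE_NOW),
        "expired": validate_id_token(token, *args, SAMPLE_NOW + 7200),
    }


if __name__ == "__main__":
    for name, outcome in run_checks().items():
        print(f"{name:15} -> {outcome}")
```

The audience and nonce checks are what the slide's "attribute transmission" rests on: only after they pass can the RP treat the claims in the token (here the email) as statements the provider made to this client about this login.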
Recommended Approach for OpenID
#1 Provision Access ID as OpenID
Access ID will most likely be used for federation of identity.
Decide on the OpenID formats to be supported.
#2 Recommend implementing the newer version of OpenID, OpenID Connect
We understand that OpenID is not well adopted today, but we feel that OpenID Connect has the major ingredients for high adoption.
The OpenID concept is blessed by NSTIC and gaining acceptance in the government segment.
Inclusion of OAuth 2.0 is aligned with the CSO roadmap for tGuard.
#3 Recommend consulting with Gigya on OpenID integration options
Gigya claims to support integration of OpenID for Relying Parties.
We are already talking to Gigya about federating Access ID.
Need to check if Gigya can help integrate OpenID APIs.
APPENDIX
Relying Parties Accepting OpenID
Comparison of OpenID Providers
The following comparison is provided by openidexplained.com.
Initial Creation of OpenID from ID Provider
Below is the Yahoo implementation of an OpenID provider. The tool is accessible to any Yahoo subscriber.
Initial Login Page of Relying Party
The user is given a choice of ID Providers along with a generic OpenID as login methods. For both authentication flows, the user is redirected to the Identity Provider.
Login Using Generic OpenID URL: the user inputs a generic OpenID URL as their login.
Login Using Common ID Provider: the user selects the Yahoo icon as the OpenID login provider.
Authentication Page of Identity Provider
Once the user is redirected to the identity provider's authentication page, credentials are requested and verified; upon successful authentication, the user is asked to consent to the sharing of information.
Screenshots: Authentication Form; Consent Screen
Redirect to Relying Party Website
Once authentication has taken place, the user is redirected back to the relying party website for further processing.
Screenshots: Account Creation Page of Relying Party; Completed Account
User Profile Page of Relying Party Website
Note that the website was able to pull the user's real name from the profile stored with the identity provider. However, the attributes transferred are limited.
Completed User Profile