OpenID 2.0
One of the main improvements of OpenASelect over A-Select 1.5 is the integration of the OpenID authentication protocol.
What is OpenID?
OpenID is a distributed authentication system. It allows users to sign in at OpenID enabled web applications, using a URI as their user identifier. Because the OpenID standard is open the supporting foundation promotes open source software and open protocols, it fits well within the OpenASelect context from a business model point of view.
OpenID Integration in OpenASelect
OpenASelect has an OpenID profile, enabling it to perform the authentication process that is initialized by OpenID. With the OpenID profile switched on, registered users are automatically assigned an OpenID which they can use to sign in at OpenID-enabled service providers (OpenID consumers).
All of the benefits that OpenASelect core functionality brings with it are also useful in the OpenID use case; Single sign-on, attribute release policies, pre-authorization and authentication profiles are all available and can be tailored to fit the Identity Provider needs.
OpenID Flow
- The user requests a resource that demands registration;
- The consumer requests for the user's OpenID;
- The user enters her OpenID;
- Based on the OpenID, the consumer performs discovery. If all information is retrieved, the consumer and OpenASelect server agree on a form of trust relation;
- The consumer sends the user to the OpenASelect server, via a redirect;
- The user requests authentication;
- If the user does not already have an SSO session, the user authenticates at the OpenASelect server (details omitted);
- After authentication, the user can indicate whether to trust the consumer and which attributes (nickname, e-mail address, etc.) she wants to disclose;
- The OpenASelect server sends the user back to the consumer, with a redirect containing all the aforementioned information;
- The user requests the resource, with the information in the request;
- The consumer can now disclose the personalized page to the user and assigns the user a session with the trusted OpenID (further registration details at the consumer are omitted).
Specifications
OpenASelect supports OpenID authentication 2.0 (and thereby implicitly OpenID authentication 1.1), which is extended by the OpenID Simple Registration Extension (1.0 and 1.1) and the OpenID Attribute Exchange Extension.