You can configure a Liberty server to function as an OpenID Relying Party to take
advantage of web single-sign-on.
Before you begin
You must have at least one OpenID Provider (OP) that is
trusted with authenticating users. Several third-party OpenID Providers
are available.
About this task
You can have users authenticated by an OpenID Provider by enabling the
openid-2.0 feature in Liberty and, optionally, adding further configuration
in an <openId> element.
Procedure
- Add the openid-2.0 Liberty feature to
the server.xml file. Add the following
element declaration inside the featureManager element
in your server.xml file:
<feature>openid-2.0</feature>
Update the server.xml file
with the OpenID Relying Party configuration options, which are specified
by an <openId> element. You can
either predefine an OpenID provider URL in your server.xml file
by using the providerIdentifier attribute of
the <openId> element, or you can package your
application with a form login page (FormLogin) that lets users
submit the OpenID provider URL to use for authentication.
If the providerIdentifier attribute is set in the
server.xml file, the Liberty server redirects users to the
OpenID provider that the attribute specifies without prompting them. If the providerIdentifier
attribute is not set in the server.xml file, the Liberty server first
sends a login form that asks the user to select or confirm an OpenID provider, and then redirects the
user to the provider that was entered.
The following is a sample OpenID configuration
that defines an OpenID provider:
<openId id="myOpenId" providerIdentifier="https://openid.acme.com/op" userInfoRef="email">
<userInfo id="email" alias="email" uriType="http://axschema.org/contact/email" count="1" required="true" />
</openId>
Adding the openid-2.0 feature
applies a default minimum configuration. Consequently,
an <openId> element does not have to be explicitly
specified in the server.xml file.
If no <openId> element is specified,
the following configuration is implicit:
<openId id="myOpenId" userInfoRef="email">
<userInfo id="email" alias="email" uriType="http://axschema.org/contact/email" count="1" required="true" />
</openId>
By default, the email address that the OpenID Provider
returns in the userInfo attribute is used for identity assertion
and subject creation. That address is only as trustworthy as the provider
that asserts it: restrict the server to providers you trust, for example by
setting providerIdentifier, because when it is not set the server performs
discovery against whatever provider URL the user submits on the login form.
- Configure the server's truststore to include the signer certificates of the OpenID Providers
that are supported, so that the server can validate a provider's TLS certificate when it
contacts the provider. For information about keystores, see Enabling SSL communication for Liberty.
- Extract the signer certificate from the OpenID Provider. Most major web browsers support
extracting or exporting certificates from websites through the browser interface. Export the
certificate of the issuing authority (the signer) rather than only the provider's end-entity
certificate, which is replaced whenever the provider renews it, and confirm the fingerprint
against a value the provider publishes before you trust it.
- Import the OpenID Provider certificate into the server's truststore. One method is the
-importcert option (also accepted as -import) of the
keytool utility that is found in your Java™
installation directory.
- Use the sslRef attribute of the <openId> element to
point to your SSL configuration. If no sslRef attribute is specified, the default
SSL configuration that is described in the keystore page mentioned previously is used. Your SSL
configuration must reference the truststore that contains the imported
OpenID Provider certificates; otherwise the TLS connection to the provider cannot be validated.
- Optional: Configure the authentication filter.
If the providerIdentifier attribute is configured inside
the openId element in the server.xml file,
you can set the authFilterRef attribute to limit which requests
are intercepted and redirected to the OpenID provider that the providerIdentifier attribute defines;
requests that do not match the filter are not redirected to the provider.
For more information about configuring the authentication filter, see
Authentication Filters.
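The following server.xml ties the steps above together: the feature, the truststore and SSL configuration that the relying party uses when it contacts the provider, an authentication filter, and the <openId> element that references them. It is an added example, not from the original page or from the Liberty product documentation; the element ids, the truststore path and password, the /protected URL pattern and the provider URL are placeholders, and the ssl-1.0 feature is included because the <ssl> and <keyStore> elements depend on it.

```xml
<server description="OpenID 2.0 Relying Party (added example, not product configuration)">
    <featureManager>
        <feature>openid-2.0</feature>
        <!-- Assumed: ssl-1.0 supplies the <ssl> and <keyStore> elements used below. -->
        <feature>ssl-1.0</feature>
        <!-- The application's own features (servlet, appSecurity, ...) are omitted here. -->
    </featureManager>

    <!-- Server's own key store (placeholder password). -->
    <keyStore id="defaultKeyStore" password="changeit" />

    <!-- Truststore that holds only the signer (CA) certificate of the trusted OP.
         Path, type and password are placeholders; in practice encode the password
         with securityUtility encode instead of storing it in clear text. -->
    <keyStore id="opTrustStore" type="PKCS12"
              location="${server.config.dir}/resources/security/opTrust.p12"
              password="changeit" />

    <!-- SSL configuration referenced by sslRef: outbound TLS to the OP is validated
         against opTrustStore, not against the default truststore. -->
    <ssl id="opSSLConfig" keyStoreRef="defaultKeyStore" trustStoreRef="opTrustStore" />

    <!-- Authentication filter referenced by authFilterRef: only requests whose URL
         contains /protected are intercepted and redirected to the OP. -->
    <authFilter id="opAuthFilter">
        <requestUrl id="protectedUrls" urlPattern="/protected" matchType="contains" />
    </authFilter>

    <!-- providerIdentifier pins the OP, so the login form that asks the user for a
         provider URL is never shown and discovery is never run against user input. -->
    <openId id="myOpenId"
            providerIdentifier="https://openid.acme.com/op"
            userInfoRef="email"
            sslRef="opSSLConfig"
            authFilterRef="opAuthFilter">
        <!-- The email attribute the OP asserts becomes the subject's identity. -->
        <userInfo id="email" alias="email"
                  uriType="http://axschema.org/contact/email"
                  count="1" required="true" />
    </openId>
</server>
```

If providerIdentifier is removed from this configuration, the authFilterRef attribute no longer limits which requests are intercepted (the page ties the filter to a configured providerIdentifier), and the server falls back to the login form, so keep the two attributes together.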