OpenID

This feature enables web applications to integrate OpenID 2.0 for authenticating users instead of, or in addition to, the configured user registry.


Enable this feature

To enable the OpenID feature, add the following element declaration inside the featureManager element in the server.xml file:


Developing a feature that depends on this feature

If we are developing a feature that depends on the OpenID feature, include the following item in the Subsystem-Content header in the feature manifest file for the new feature:


Features that this feature enables


Feature configuration elements

We can use the following elements in the server.xml file to configure the OpenID feature:

openId

OpenId authentication.

| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| authenticationMode | checkid_immediate, checkid_setup | checkid_setup | The OpenID provider authentication mode, either checkid_immediate or checkid_setup. checkid_setup is the default authentication mode. checkid_immediate: disables browser interaction with the user. checkid_setup: enables the OpenID provider to interact with the user, to request authentication or self-registration, before returning a result to the OpenID relying party. |
| hashAlgorithm | SHA256, SHA1 | SHA256 | The hash algorithm used to sign and encrypt the OpenID provider response parameters. SHA256: Secure hash algorithm SHA256. SHA1: Secure hash algorithm SHA1. |
| hostNameVerificationEnabled | boolean | true | Whether to enable host name verification. |
| httpsRequired | boolean | true | Require SSL communication between the OpenID relying party and provider service. |
| mapIdentityToRegistryUser | boolean | false | Whether to map identity to registry user. The user registry is not used to create the user subject. |
| realmIdentifier | string | | Attribute for the OpenID provider name. |
| sslRef | string | | Specifies the ID of the SSL configuration that is used to connect to the OpenID provider. |
| useClientIdentity | boolean | false | Whether to use the client OpenID identity to create a user subject. If set to true, only the OpenID client identity is used. If set to false and the first element of userInfoRef is found, we use it to create a user subject. Otherwise, we use the OpenID identity to create a user subject. |
| userInfoRef | List of references to top level userInfo elements (comma-separated string). | email | Specifies a list of userInfo references separated by commas for the OpenID provider to include in the response. |
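The following is an added example, not part of the original documentation or the product's own tooling: a small audit that reads a server.xml fragment and reports every openId element whose hashAlgorithm, hostNameVerificationEnabled or httpsRequired value differs from the defaults listed in the attribute table above. The function name and the two sample configurations are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Defaults for the <openId> element, taken from the attribute table above.
DEFAULTS = {
    "hashAlgorithm": "SHA256",
    "hostNameVerificationEnabled": "true",
    "httpsRequired": "true",
}

# What a reviewer should note when the value is not the default.
RISK = {
    "hashAlgorithm": "provider response uses a weaker hash than the SHA256 default",
    "hostNameVerificationEnabled": "host name verification is turned off",
    "httpsRequired": "relying party may reach the provider without SSL",
}


def audit_openid(server_xml):
    """Return (attribute, effective value, risk) for each non-default setting."""
    findings = []
    root = ET.fromstring(server_xml)
    for element in root.iter("openId"):
        for attr, default in DEFAULTS.items():
            # An omitted attribute takes the documented default.
            value = element.get(attr, default).strip()
            if value.lower() != default.lower():
                findings.append((attr, value, RISK[attr]))
    return findings


# Constructed sample configurations (assumptions, not from the original page).
WEAK = """<server>
  <openId authenticationMode="checkid_setup" hashAlgorithm="SHA1"
          httpsRequired="false" hostNameVerificationEnabled="false"/>
</server>"""

DEFAULTED = """<server>
  <openId authenticationMode="checkid_setup" userInfoRef="email"/>
</server>"""

if __name__ == "__main__":
    for name, xml in (("weak", WEAK), ("defaulted", DEFAULTED)):
        print(name)
        for attr, value, risk in audit_openid(xml) or [("-", "-", "no findings")]:
            print(f"  {attr}={value}: {risk}")
```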

openId > userInfo

Description: Specifies a list of userInfo references separated by commas for the OpenID provider to include in the response.

Required: false

Data type:

| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| alias | string | email | Specifies an alias name. |
| count | int (minimum: 1) | 1 | Specifies how much userInfo is included in the response of the OpenID provider. |
| required | boolean | true | Whether user information is required or not. |
| uriType | string | http://axschema.org/contact/email | Specifies a URI type. |

userInfo

User information included in the response of the openID provider.

| Attribute name | Data type | Default value | Description |
|---|---|---|---|
| alias | string | email | Specifies an alias name. |
| count | int (minimum: 1) | 1 | Specifies how much userInfo is included in the response of the OpenID provider. |
| id | string | | A unique configuration ID. |
| required | boolean | true | Whether user information is required or not. |
| uriType | string | http://axschema.org/contact/email | Specifies a URI type. |