In one of the previous posts, we explained SSO on the example of SAML. In this post, we will introduce another popular and widely deployed SSO protocol: OpenID (if you are not familiar with SSO, we recommend you read SSO on the example of SAML first). The OpenID protocol exists in different versions. While OpenID 1.0 and 1.1 are still supported and deployed in the WWW, most implementations concentrate on OpenID 2.0 – so does this post.
We use the following notation to make the intent of each parameter clearer. If you have worked on OpenID before, you may be more familiar with the OpenID-specific parameter names, so here is an overview:
| Notation | OpenID parameter | Description |
|---|---|---|
| URL.IDC | openid.claimed_id | The identity requested by the Client C. In the context of OpenID, the identity is a URL, e.g. https://me.yahoo.com/a/identityname |
| URL.SP | openid.return_to | The URL of the Service Provider (SP), e.g. https://www.openstreetmap.org/login |
| URL.IdP | openid.op_endpoint | The URL of the Identity Provider (IdP), e.g. https://open.login.yahooapis.com/openid/op/auth |
| α | openid.assoc_handle | The value that identifies the signature verification key stored on the SP as well as on the IdP. |
| σ | openid.sig | This parameter contains the value of the token's signature. In fact, OpenID uses an HMAC (and not a signature), but as the OpenID specification uses the term "signature", this post does so as well. |
There are many more parameters in OpenID:
- openid.ns defines the protocol version in use, e.g. http://specs.openid.net/auth/2.0
- openid.response_nonce contains a timestamp suffixed with a nonce value
- openid.signed holds the names of the parameters that are signed, e.g. claimed_id, return_to, ...
- openid.ax.*, openid.sreg.* are extension parameters that can be used to transfer additional information, e.g. an email address or a birthday.
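As an added example (not code from the original post), here is how an SP can verify a positive assertion built from exactly these parameters: the HMAC over the Key-Value Form of the fields listed in openid.signed, the required coverage of that list, the return_to check, and the freshness of openid.response_nonce. The MAC key, association handle, nonce suffix and clock value are constructed sample values, and an HMAC-SHA256 association is assumed.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
# OpenID 2.0 (section 10.1): openid.signed must cover at least these fields,
# plus claimed_id and identity whenever they are present in the assertion.
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}
def kv_form(params, signed):
    """Key-Value Form: 'name:value\\n' per field, in openid.signed order, prefix stripped."""
    return "".join(f"{n}:{params['openid.' + n]}\n" for n in signed).encode()

def compute_sig(params, mac_key):
    """Base64 HMAC over the KV form of the signed fields (HMAC-SHA256 association assumed)."""
    mac = hmac.new(mac_key, kv_form(params, params["openid.signed"].split(",")), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()

def verify_assertion(params, mac_key, expected_return_to, seen_nonces, now=None):
    """SP-side check of a positive assertion: coverage, return_to, HMAC, nonce."""
    now = now or datetime.now(timezone.utc)
    signed = params.get("openid.signed", "").split(",")
    required = REQUIRED_SIGNED | {f for f in ("claimed_id", "identity") if "openid." + f in params}
    if not required <= set(signed):
        return False  # an unsigned claimed_id or return_to could be swapped in transit
    if any("openid." + n not in params for n in signed):
        return False  # openid.signed names a field that is not in the response
    if params["openid.return_to"] != expected_return_to:
        return False  # assertion was issued for a different SP URL
    if not hmac.compare_digest(compute_sig(params, mac_key), params.get("openid.sig", "")):
        return False  # wrong key or tampered signed fields
    nonce = params["openid.response_nonce"]  # 'YYYY-MM-DDThh:mm:ssZ' + unique suffix
    issued = datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if abs(now - issued) > timedelta(minutes=5) or nonce in seen_nonces:
        return False  # stale or replayed response
    seen_nonces.add(nonce)
    return True

# Constructed sample assertion as it would arrive at the SP's return_to URL.
MAC_KEY = b"constructed-association-mac-key"  # really obtained when associating with the IdP
SAMPLE_NOW = datetime(2013, 5, 15, 17, 12, 0, tzinfo=timezone.utc)  # constructed clock
SAMPLE = {
    "openid.op_endpoint": "https://open.login.yahooapis.com/openid/op/auth",
    "openid.claimed_id": "https://me.yahoo.com/a/identityname",
    "openid.identity": "https://me.yahoo.com/a/identityname",
    "openid.return_to": "https://www.openstreetmap.org/login",
    "openid.response_nonce": "2013-05-15T17:11:51ZabcDEF",
    "openid.assoc_handle": "constructed-handle-1",
    "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
}
SAMPLE["openid.sig"] = compute_sig(SAMPLE, MAC_KEY)  # the IdP would compute this
```

The same verifier rejects a replayed nonce, a return_to that belongs to another SP, a modified claimed_id, and an assertion whose openid.signed list omits a present claimed_id.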