Open ID Explained


Transcript of Open ID Explained

Page 1: Open ID Explained

© 2011 Karthik Ethirajan, all rights reserved

OpenID Explained Karthik Ethirajan October 2011

Page 2: Open ID Explained


Agenda

1. Executive Overview

2. What is OpenID ?

3. OpenID Identity Providers

4. OpenID Relying Parties

5. OpenID Adoption

6. OpenID Implementation & Login Flow

7. OpenID Evolution

8. Recommended Approach for OpenID

9. Appendix – Registration Flow

Page 3: Open ID Explained


Executive Overview

Decentralized mechanism for single sign-on
No single Identity Provider controls the OpenID ecosystem. Anyone can offer or accept OpenID using the published specs and sample libraries.

No fees to enable OpenID
OpenID is an open source project, so there are no license fees for Identity Providers or Relying Parties.

Join the big boys club
Google, Yahoo, Facebook, Microsoft, PayPal and others are foundation members. OpenID is widely adopted on the Identity Provider side, giving 1B+ users an OpenID ready to use.

Lackluster adoption by Relying Parties
Only about 50,000 sites have adopted OpenID.

Page 4: Open ID Explained


What is OpenID?

OpenID leverages existing user accounts from well-known Identity Providers to log into Relying Party websites. It echoes the single sign-on concept, but without the need for the user to establish yet another ID.

An OpenID could be a URL or an email address.

OpenID enables dynamic discovery of the Identity Provider by embedding its domain information as part of the OpenID.

The user's account name/ID with the Identity Provider is reformatted to be OpenID compliant.
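The normalization and discovery rules summarized above, as an added example that is not part of the original deck: a Python implementation of the OpenID 2.0 identifier normalization (spec section 7.2) and the host selection that follows from it, which is how the domain embedded in the identifier picks the Identity Provider. The provider formats listed on slide 5 are used as inputs with constructed usernames; the rejection of bare email-style input is this example's choice, since OpenID 2.0 defines no email identifier.

```python
from typing import Tuple
from urllib.parse import urlsplit, urlunsplit

# XRI Global Context Symbols: an identifier starting with one of these is an XRI,
# not a URL (OpenID Authentication 2.0, section 7.2).
XRI_GCS = "=@+$!("


def normalize_openid_identifier(user_input: str) -> Tuple[str, str]:
    """Apply the section 7.2 normalization to what the user typed in the login box.

    Returns ("xri", identifier) or ("url", identifier). A bare mailbox such as
    joe@example.org is refused: OpenID 2.0 discovery has no rule for it.
    """
    ident = user_input.strip()
    if not ident:
        raise ValueError("empty identifier")
    if ident.startswith("xri://"):          # strip the XRI scheme prefix
        ident = ident[len("xri://"):]
    if ident[0] in XRI_GCS:
        return "xri", ident
    if "@" in ident and "/" not in ident:   # email-style input, see docstring
        raise ValueError("email-style identifier is not an OpenID 2.0 URL identifier")
    # URL identifier: supply a scheme when the user omitted one ...
    if not ident.lower().startswith(("http://", "https://")):
        ident = "http://" + ident
    parts = urlsplit(ident)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()   # RFC 3986: scheme and host are case-insensitive
    if not host:
        raise ValueError("identifier has no host")
    port = parts.port                        # raises ValueError on a non-numeric port
    default = (scheme == "http" and port == 80) or (scheme == "https" and port == 443)
    netloc = host if port is None or default else f"{host}:{port}"
    path = parts.path or "/"                 # an empty path becomes "/"
    # ... and drop any fragment: it plays no part in discovery.
    return "url", urlunsplit((scheme, netloc, path, parts.query, ""))


def discovery_host(normalized: Tuple[str, str]) -> str:
    """The host the RP will contact for Yadis / HTML discovery of the IdP endpoint."""
    kind, ident = normalized
    if kind != "url":
        raise ValueError("XRI discovery goes through an XRI proxy resolver, not a host")
    return urlsplit(ident).hostname


if __name__ == "__main__":
    # Provider formats from slide 5; "alice" is a constructed username.
    for raw in ["https://www.google.com/accounts/o8/id", "openid.aol.com/alice",
                "me.yahoo.com", "alice.livejournal.com", "xri://=alice"]:
        norm = normalize_openid_identifier(raw)
        host = discovery_host(norm) if norm[0] == "url" else "(XRI resolver)"
        print(f"{raw:40} -> {norm[1]:45} discovery via {host}")
```

The point for a Relying Party is that the normalized form, not the raw input, is what gets compared against the identity the provider later asserts; two spellings of the same identifier must map to one account.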

Page 5: Open ID Explained


OpenID Identity Providers

Well adopted, but less publicized
Although Identity Providers such as Google and Facebook have provided guidance to the standard (potentially as a hedge), they offer competing products and seek to maintain their dominance of the IDP market.

Providers reluctant to accept OpenID
The providers are strong proponents of OpenID. However, they are much less enthusiastic when it comes to accepting one for their own websites.

Examples of OpenID Format

• Google: https://www.google.com/accounts/o8/id
• AOL: openid.aol.com/username
• Yahoo: me.yahoo.com
• MySpace: myspace.com/username
• Blogger: username.blogger.com
• Verisign: username.pip.verisignlabs.com
• Orange: openid.orange.fr
• LiveJournal: username.livejournal.com

Page 6: Open ID Explained


OpenID Relying Parties

Source: openiddirectory.com

No real incentive for adoption
The current version of OpenID offers limited support for user attribute transfer.

User experience has not been exceptional
OpenID has failed to deliver on several of the issues it aims to solve.

Well suited for long tail websites
OpenID is the only viable option for participating in the federation of identity.

Examples of OpenID Login

Page 7: Open ID Explained


OpenID Adoption

Relying Party Adoption

• Majority of large Identity Providers such as Google, Yahoo, Microsoft provide OpenIDs

• Potential gains in marketing and thought leadership are significant if the user community decides to adopt.

• Major Identity Providers are also OpenID Foundation members

• Current OpenID implementation is cumbersome for developers and users (integration is not smooth, long URL for users to remember).

• The data attribute function is very limited in the first iteration, leaving little incentive for relying parties to adopt the standard over other federation methods.

More than 1 Billion OpenID enabled user accounts

Over 50K sites currently accept OpenID for login

Identity Provider Adoption

Factors Influencing Adoption Statistics

Source: openid.net, http://upon2020.com

OpenID adoption differs significantly between Identity Providers and Relying Parties. For large identity providers, potential gains outweigh costs. For relying parties, lack of attribution, complexity of integration, and poor user experience hinder more widespread adoption.

Page 8: Open ID Explained


OpenID Implementation & Login Flow

Diagram: Relying Party (OpenID Consumer) and Identity Provider (Authentication Server), both integrating the OpenID APIs from openid.net; the arrows are labelled Authentication (between the two parties) and Integration (each party to its library).

1. User attempts to log into the website using OpenID.

2. Relying Party redirects the user to the IDP website for authentication.

3. Verification is returned and the user is redirected back to the relying party website.

OpenID is enabled using free open source libraries. RPs and IDPs simply integrate the desired code into their sites.

OpenID specifications are implemented on both Relying Party and Identity Provider servers using established open source libraries.
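The three steps above, as an added example that is not the deck's code nor that of any OpenID library: a stand-alone Python simulation of the OpenID 2.0 exchange in which the RP builds the checkid_setup redirect, the IdP returns a signed id_res assertion, and the RP performs the checks the standard requires before treating the user as logged in (return_to, op_endpoint, signed-field coverage, HMAC signature, nonce freshness and replay). URLs, the association secret and the user identifiers are constructed; a real deployment obtains the association from the associate request and the endpoint from discovery on the identifier.

```python
import base64
import calendar
import hashlib
import hmac
import secrets
import time
from typing import Dict, List, Tuple

NS = "http://specs.openid.net/auth/2.0"
# Constructed association: in the real protocol the RP and IdP agree this shared
# secret in an "associate" exchange before step 1; it is hard-coded for the demo.
ASSOC_HANDLE = "assoc-demo-1"
ASSOC_SECRET = b"constructed-shared-secret-for-demo-only"
# Fields the RP must require to be covered by the signature (section 10.1).
REQUIRED_SIGNED = ["op_endpoint", "return_to", "response_nonce",
                   "assoc_handle", "claimed_id", "identity"]
NONCE_MAX_AGE = 300  # seconds of clock skew tolerated on response_nonce


def compute_signature(fields: Dict[str, str], secret: bytes) -> str:
    """HMAC-SHA256 over the Key-Value form (section 6.1) of the fields listed in
    openid.signed: one 'key:value\\n' line per field, 'openid.' prefix dropped."""
    signed = fields["openid.signed"].split(",")
    kv = "".join(f"{k}:{fields['openid.' + k]}\n" for k in signed).encode()
    return base64.b64encode(hmac.new(secret, kv, hashlib.sha256).digest()).decode()


def rp_checkid_request(claimed_id: str, return_to: str, realm: str) -> Dict[str, str]:
    """Step 2: the query the RP puts on its redirect to the IdP endpoint."""
    return {"openid.ns": NS, "openid.mode": "checkid_setup",
            "openid.claimed_id": claimed_id, "openid.identity": claimed_id,
            "openid.assoc_handle": ASSOC_HANDLE,
            "openid.return_to": return_to, "openid.realm": realm}


def idp_positive_assertion(request: Dict[str, str], op_endpoint: str) -> Dict[str, str]:
    """Step 3: after the user authenticates, the IdP signs an id_res response and
    redirects the browser to openid.return_to with these fields as the query."""
    nonce = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()) + secrets.token_urlsafe(6)
    resp = {"openid.ns": NS, "openid.mode": "id_res", "openid.op_endpoint": op_endpoint,
            "openid.claimed_id": request["openid.claimed_id"],
            "openid.identity": request["openid.identity"],
            "openid.return_to": request["openid.return_to"],
            "openid.response_nonce": nonce,
            "openid.assoc_handle": request["openid.assoc_handle"],
            "openid.signed": ",".join(REQUIRED_SIGNED)}
    resp["openid.sig"] = compute_signature(resp, ASSOC_SECRET)
    return resp


class RelyingParty:
    """The RP-side checks (section 11) that turn the return redirect into a login."""

    def __init__(self, return_to: str, op_endpoint: str):
        self.return_to = return_to
        self.op_endpoint = op_endpoint     # learned by discovery on the identifier
        self.associations = {ASSOC_HANDLE: ASSOC_SECRET}
        self.seen_nonces = set()

    def verify(self, resp: Dict[str, str], now: float = None) -> Tuple[bool, str]:
        """Return (True, claimed_id) for a valid assertion or (False, reason)."""
        now = time.time() if now is None else now
        if resp.get("openid.ns") != NS or resp.get("openid.mode") != "id_res":
            return False, "not a positive assertion"
        if resp.get("openid.return_to") != self.return_to:      # 11.1
            return False, "return_to mismatch"
        if resp.get("openid.op_endpoint") != self.op_endpoint:  # 11.2
            return False, "op_endpoint differs from discovered endpoint"
        signed = resp.get("openid.signed", "").split(",")
        missing = [f for f in REQUIRED_SIGNED if f not in signed]
        if missing:
            return False, "unsigned fields: " + ",".join(missing)
        secret = self.associations.get(resp.get("openid.assoc_handle", ""))
        if secret is None:   # a stateless RP would fall back to check_authentication
            return False, "unknown association"
        try:
            expected = compute_signature(resp, secret)
        except KeyError as missing_field:
            return False, f"signed field absent: {missing_field}"
        if not hmac.compare_digest(expected, resp.get("openid.sig", "")):
            return False, "bad signature"
        nonce = resp["openid.response_nonce"]                    # 11.3: replay defence
        try:
            issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
        except ValueError:
            return False, "malformed nonce"
        if abs(now - issued) > NONCE_MAX_AGE:
            return False, "stale nonce"
        if nonce in self.seen_nonces:
            return False, "nonce replayed"
        self.seen_nonces.add(nonce)
        return True, resp["openid.claimed_id"]


def demo_flow() -> List[Tuple[bool, str]]:
    """Steps 1-3 with constructed URLs, then a replay and a tampered response."""
    rp = RelyingParty("https://rp.example/openid/return", "https://idp.example/openid")
    req = rp_checkid_request("http://alice.idp.example/", rp.return_to, "https://rp.example/")
    resp = idp_positive_assertion(req, rp.op_endpoint)
    results = [rp.verify(dict(resp))]              # genuine login
    results.append(rp.verify(dict(resp)))          # the same redirect replayed
    forged = dict(resp)
    forged["openid.claimed_id"] = "http://bob.idp.example/"
    results.append(rp.verify(forged))              # identity changed after signing
    return results
```

Every check in `verify` corresponds to a way a positive assertion could otherwise be reused: for a different site (return_to), from an endpoint discovery never produced (op_endpoint), with a swapped identity (signature coverage), or a second time (nonce). The libraries the slide refers to perform these same steps; the value of seeing them spelled out is knowing what an RP must not skip when it wires one in.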

Page 9: Open ID Explained


OpenID Evolution

OpenID Connect is the newly released version of OpenID. It contains several enhancements for easy integration and for enabling data attribution.

OpenID Connect is an identity framework that provides authentication, authorization, and attribute transmission capability.

OpenID Connect is built on top of OAuth 2.0 and JSON Web Token (JWT).

Accepts email as a valid OpenID format.

A suite of lightweight specifications communicating identity via RESTful APIs.

Supports protocol extension, data encryption and advanced session management.
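As an added example for the OpenID Connect model described above (not code from the deck or from any OpenID Connect library): minting and validating an ID Token, the JWT that carries the authentication result together with user attributes such as name and email. Issuer, client id, secret and claims are constructed; HS256 with a shared client secret is used so the block runs with only the standard library, whereas a production OP typically signs with RS256 and publishes its public keys. The validation order follows OpenID Connect Core section 3.1.3.7.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Tuple

# Constructed values for the demo.
ISSUER = "https://op.example"
CLIENT_ID = "rp-demo-client"
CLIENT_SECRET = b"constructed-client-secret-for-demo-only"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: Dict[str, Any], key: bytes) -> str:
    """What the OP returns: header.payload.signature, each part base64url-encoded."""
    header = {"alg": "HS256", "typ": "JWT"}
    compact = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = compact(header) + "." + compact(claims)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def validate_id_token(token: str, key: bytes, issuer: str, client_id: str,
                      expected_nonce: str, now: float = None) -> Tuple[bool, Any]:
    """The RP-side ID Token checks. Returns (True, claims) or (False, reason).

    Only after this succeeds may the RP read sub, name or email as attributes
    of the logged-in user; this is the attribute transfer OpenID 2.0 lacked.
    """
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        sig = b64url_decode(parts[2])
    except ValueError:
        return False, "undecodable token"
    # Pin the algorithm the RP registered for; never let the token choose it.
    if header.get("alg") != "HS256":
        return False, "unexpected alg"
    expected = hmac.new(key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if claims.get("iss") != issuer:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        return False, "token not issued to this client"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or now >= exp:
        return False, "token expired"
    # The nonce binds the token to the RP session that started this login.
    if claims.get("nonce") != expected_nonce:
        return False, "nonce mismatch"
    return True, claims


def demo() -> Tuple[Tuple[bool, Any], ...]:
    """A valid login, the same token presented to another session, and a late one."""
    issued = int(time.time())
    claims = {"iss": ISSUER, "sub": "user-1234", "aud": CLIENT_ID,
              "exp": issued + 300, "iat": issued, "nonce": "constructed-nonce-1",
              "name": "Alice Example", "email": "alice@example.org"}
    token = mint_id_token(claims, CLIENT_SECRET)
    good = validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, "constructed-nonce-1")
    replay = validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID, "other-session-nonce")
    late = validate_id_token(token, CLIENT_SECRET, ISSUER, CLIENT_ID,
                             "constructed-nonce-1", now=issued + 600)
    return good, replay, late
```

Compared with the OpenID 2.0 flow, the checks are the same in spirit (who signed, for whom, how fresh, which session) but the assertion is a self-contained, JSON-structured token that can carry arbitrary claims, which is the "data attribution" improvement the slide refers to.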

Page 10: Open ID Explained


Recommended Approach for OpenID

#1 Provision Access ID as OpenID
Access ID will most likely be used for federation of identity.

Decide on the OpenID formats to be supported.

#2 Recommend implementing the newer version of OpenID, OpenID Connect
We understand that OpenID is not well adopted today, but we feel that OpenID Connect has the major ingredients for high adoption.

The OpenID concept is blessed by NSTIC and is gaining acceptance in the government segment.

Inclusion of OAuth 2.0 is aligned with the CSO roadmap for tGuard.

#3 Recommend consulting with Gigya on OpenID integration options
Gigya claims to support integration of OpenID for Relying Parties.

We are already talking to Gigya about federating Access ID.

Need to check if Gigya can help integrate OpenID APIs.

Page 11: Open ID Explained


Relying Parties Accepting OpenID

APPENDIX

Page 12: Open ID Explained


Comparison of OpenID Providers

The following comparison is provided by openidexplained.com.

APPENDIX

Page 13: Open ID Explained


Initial Creation of OpenID from ID Provider

Below is the Yahoo implementation of an OpenID provider. The tool is accessible to any Yahoo subscriber.

APPENDIX

Page 14: Open ID Explained


Initial Login Page of Relying Party

The user is given a choice of ID Providers, along with generic OpenID, as login methods. In both authentication flows, the user is redirected to the Identity Provider.

Login Using Generic OpenID URL: the user inputs a generic OpenID URL as their login.

Login Using Common ID Provider: the user selects the Yahoo icon as the OpenID login provider.

APPENDIX

Page 15: Open ID Explained


Authentication Page of Identity Provider

Once the user is redirected to the identity provider's authentication page, credentials are requested and verified, and upon successful authentication the user is asked to consent to the sharing of information.

Authentication Form

Consent Screen

APPENDIX

Page 16: Open ID Explained


Redirect to Relying Party Website

Once authentication has taken place, the user is redirected back to the relying party website for further processing.

Account Creation Page of Relying Party

Completed Account

APPENDIX

Page 17: Open ID Explained


User Profile Page of Relying Party Website

Note that the website was able to pull the user's real name from the profile stored with the identity provider. However, the attributes transferred are limited.

Completed User Profile

APPENDIX