Configuring an OpenID Relying Party in Liberty

You can configure a Liberty server to function as an OpenID Relying Party to take advantage of web single-sign-on.

Stabilized feature: The openid-2.0 feature is stabilized. You can continue to use the openid-2.0 feature in Liberty. However, consider using the openidConnectClient-1.0 feature. For more information, see Configuring an OpenID Connect Client in Liberty.

Before you begin

You must have at least one OpenID Provider (OP) that you trust to authenticate users. Several third-party OpenID Providers are available.

About this task

You can have users authenticated by an OpenID Provider by enabling the openid-2.0 feature in Liberty and, optionally, supplying additional configuration.

Procedure

  1. Add the openid-2.0 Liberty feature to the server.xml file.
    Add the following element declaration inside the featureManager element in your server.xml file:
    <feature>openid-2.0</feature>
  2. Update the server.xml file with the OpenID Relying Party configuration options that are specified by an <openId> element.

    For a description of configuration options for the <openId> element, see OpenID.

    You can either predefine an OpenID provider URL in your server.xml file by using the providerIdentifier attribute of the <openId> element, or you can package your application with FormLogin, which gives users the option to submit an OpenID provider URL to use for authentication.

    If the providerIdentifier attribute is added to the server.xml file, the Liberty server automatically redirects users to the OpenID provider specified by that attribute. If the providerIdentifier attribute is not defined in the server.xml file, the Liberty server first sends a login form that asks the user to select or confirm an OpenID provider before redirecting the user to that provider.

    The following is a sample OpenID configuration that defines an OpenID provider:

    <openId id="myOpenId" providerIdentifier="https://openid.acme.com/op" userInfoRef="email">
      <userInfo id="email" alias="email" uriType="http://axschema.org/contact/email" count="1" required="true" />
    </openId>

    Adding the openid-2.0 feature automatically applies a minimum configuration, so an <openId> element is not required in the server.xml file. If no <openId> element is specified, the following configuration is implicit:

    <openId id="myOpenId" userInfoRef="email">
      <userInfo id="email" alias="email" uriType="http://axschema.org/contact/email" count="1" required="true" />
    </openId>

    By default, the user's email address that is returned from the OpenID Provider is used for identity assertion and subject creation.

  3. Configure the server's truststore to include the signer certificates of the OpenID Providers that are supported. For information about keystores, see Enabling SSL communication in Liberty.
    1. Extract the signer certificate from the OpenID Provider. Most major web browsers provide support for extracting or exporting certificates from websites through the browser interface.
    2. Import the OpenID Provider certificate into the server's truststore. For one method of importing certificates into a truststore, see the -import option of the keytool utility that is found in your Java™ installation directory.
    3. Use the sslRef attribute of the <openId> element to point to your SSL configuration. If no sslRef attribute is specified, the default SSL configuration described in the keystore page mentioned previously is used. Your SSL configuration must reference the truststore that contains the imported OpenID Provider certificates; without that trust, the server cannot verify the provider it redirects users to.
  4. Optional: Configure the Authentication Filter.

    If the providerIdentifier attribute is configured inside the openId element in the server.xml file, you can configure authFilterRef to limit which requests are intercepted and redirected to the OpenID provider defined by the providerIdentifier attribute.

    For more information on configuring the authentication filter, see Authentication Filters.