OpenID Configuration

OpenID support in Jetspeed Portal is disabled by default since it typically needs to be configured for specific OpenID providers. To enable it, the OpenID support filter and servlet need to be set up in the portal web.xml configuration file and the OpenID login portlet needs to be made available in the portal landing page. Once OpenID single sign-on, (SSO), is enabled, OpenID aware portlets can be used to access information on other sites seamlessly.

Enabling the OpenID Filter and Servlet

The OpenIDPortalFilter and OpenIDRelayingPartyServlet are required to support OpenID with the portal. A sample setup is included in the portal web.xml configuration file. The servlet initialization parameters configure OpenID discovery, OpenID consumer implementation, and portal user registration. Some OpenID configuration found here can also be done in the OpenID login portlet if more than one set of configurations is needed.

          ...
          <filter>
            <filter-name>OpenIDPortalFilter</filter-name>
            <filter-class>org.apache.jetspeed.openid.filter.OpenIDPortalFilter</filter-class>
          </filter>
          ...
          <filter-mapping>
            <filter-name>OpenIDPortalFilter</filter-name>
            <url-pattern>/*</url-pattern>
          </filter-mapping>
          ...
          <servlet>
            <description>
              OpenID Relaying Party, (RP), servlet used to return discovery
              metadata at OpenID realm and to process authentication return
              requests.
            </description>
            <display-name>OpenID Relaying Party Servlet</display-name>
            <servlet-name>OpenIDRelayingPartyServlet</servlet-name>
            <servlet-class>org.apache.jetspeed.openid.OpenIDRelayingPartyServlet</servlet-class>
            <init-param>
              <description>Discovery domain to provider URL/host mapping.</description>
              <param-name>discovery.gmail.com</param-name>
              <param-value>https://www.google.com/accounts/o8/id</param-value>
            </init-param>
            <init-param>
              <description>Enable servlet init parameter registration configuration.</description>
              <param-name>enableRegistrationConfig</param-name>
              <param-value>false</param-value>
            </init-param>
            <init-param>
              <description>Enable new user registration.</description>
              <param-name>enableRegistration</param-name>
              <param-value>true</param-value>
            </init-param>
            <init-param>
              <description>Global new user template directory to be used for registration.</description>
              <param-name>newUserTemplateDirectory</param-name>
              <param-value>/_template/new-user/</param-value>
            </init-param>
            <init-param>
              <description>Global subsite root folder to be used for registration.</description>
              <param-name>subsiteRootFolder</param-name>
              <param-value></param-value>
            </init-param>
            <init-param>
              <description>Global roles to be assigned at registration.</description>
              <param-name>roles</param-name>
              <param-value>user</param-value>
            </init-param>
            <init-param>
              <description>Global groups to be assigned at registration.</description>
              <param-name>groups</param-name>
              <param-value></param-value>
            </init-param>
            <init-param>
              <description>Global profiling rule names to be assigned at registration.</description>
              <param-name>rulesNames</param-name>
              <param-value>page</param-value>
            </init-param>
            <init-param>
              <description>Global profiling rule values to be assigned at registration.</description>
              <param-name>rulesValues</param-name>
              <param-value>j2</param-value>
            </init-param>
            <load-on-startup>2</load-on-startup>
          </servlet>
          ...
          <servlet-mapping>
            <servlet-name>OpenIDRelayingPartyServlet</servlet-name>
            <url-pattern>/openid</url-pattern>
            <url-pattern>/openid/*</url-pattern>
          </servlet-mapping>
          ...

The following initialization parameters can be used to configure the OpenIDRelayingPartyServlet:

discovery.*
    Discovery domain to provider URL/host mapping. A supported OpenID domain is appended to the property name prefix and the mapped domain or URL is set for that domain by the property. This property is only necessary if a non-standard OpenID provider URL is used, (e.g. Google), or a domain alias mapping is necessary. Examples: discovery.gmail.com = https://www.google.com/accounts/o8/id or discovery.anotherdomain.com = mydomain.com

consumer.*
    Discovery domain to consumer implementation mapping. A supported OpenID domain is appended to the property name prefix and the mapped consumer implementation name, ('step2' or 'openid4java'), is set for that domain by the property. This property is only necessary to select the Google Step2 library implementation for Google hosted OpenID domains, (OpenID4Java is the default implementation). Example: consumer.mydomain.com = step2

enableRegistrationConfig
    Enable servlet init parameter registration configuration. If this flag is not set, the registration configuration of the individual OpenID login portlet instances is used and the servlet registration parameters below are ignored.

enableRegistration
    Enable new user registration.

newUserTemplateDirectory
    Global new user template directory to be used for registration.

subsiteRootFolder
    Global subsite root folder to be used for registration.

roles
    Global roles to be assigned at registration.

groups
    Global groups to be assigned at registration.

rulesNames
    Global profiling rule names to be assigned at registration.

rulesValues
    Global profiling rule values to be assigned at registration.
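The discovery.* and consumer.* parameters are easy to misread, so here is an added example (not Jetspeed project code) that reads the init parameters of the OpenIDRelayingPartyServlet out of a web.xml string and resolves a login domain the way the table describes: a discovery.* value that is a URL is the provider endpoint, a value that is a domain is an alias that is followed, and an unmapped domain falls back to standard discovery on the domain itself, with openid4java as the default consumer. The web.xml fragment is constructed for the example; the discovery.anotherdomain.com alias and consumer.gmail.com entries are assumptions, not Jetspeed defaults, and the order in which the consumer is looked up (entered domain, then resolved domain) is this example's choice.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment for this example. The gmail.com discovery entry
# mirrors the sample configuration; the alias and consumer entries are assumed.
WEB_XML = """<web-app>
  <servlet>
    <servlet-name>OpenIDRelayingPartyServlet</servlet-name>
    <servlet-class>org.apache.jetspeed.openid.OpenIDRelayingPartyServlet</servlet-class>
    <init-param>
      <param-name>discovery.gmail.com</param-name>
      <param-value>https://www.google.com/accounts/o8/id</param-value>
    </init-param>
    <init-param>
      <param-name>consumer.gmail.com</param-name>
      <param-value>step2</param-value>
    </init-param>
    <init-param>
      <param-name>discovery.anotherdomain.com</param-name>
      <param-value>mydomain.com</param-value>
    </init-param>
    <init-param>
      <param-name>enableRegistration</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

DEFAULT_CONSUMER = "openid4java"            # default implementation per the table above
KNOWN_CONSUMERS = {"openid4java", "step2"}


def load_init_params(web_xml, servlet_name):
    """Return {param-name: param-value} for one <servlet> element of a web.xml string."""
    root = ET.fromstring(web_xml)
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-name") == servlet_name:
            return {p.findtext("param-name"): (p.findtext("param-value") or "").strip()
                    for p in servlet.iter("init-param")}
    raise KeyError("no servlet named %s" % servlet_name)


def split_maps(params):
    """Separate discovery.* and consumer.* parameters into domain-keyed maps."""
    discovery = {k[len("discovery."):].lower(): v
                 for k, v in params.items() if k.startswith("discovery.")}
    consumer = {k[len("consumer."):].lower(): v.lower()
                for k, v in params.items() if k.startswith("consumer.")}
    for domain, impl in consumer.items():
        if impl not in KNOWN_CONSUMERS:   # reject typos before they reach the consumer factory
            raise ValueError("consumer.%s: unknown implementation %r" % (domain, impl))
    return discovery, consumer


def resolve(entered_domain, discovery, consumer, max_hops=5):
    """Resolve a login domain to (discovery endpoint, consumer implementation).

    Aliases (a discovery.* value that is itself a domain) are followed until a
    URL or an unmapped domain is reached; a loop or an over-long chain is a
    configuration error rather than something to retry silently.
    """
    entered = entered_domain.strip().lower()
    domain, seen = entered, [entered]
    for _ in range(max_hops):
        target = discovery.get(domain)
        if target is None or target.startswith(("http://", "https://")):
            endpoint = domain if target is None else target
            impl = consumer.get(entered) or consumer.get(domain) or DEFAULT_CONSUMER
            return endpoint, impl
        alias = target.lower()
        if alias in seen:
            raise ValueError("discovery alias loop: " + " -> ".join(seen + [alias]))
        seen.append(alias)
        domain = alias
    raise ValueError("discovery alias chain longer than %d hops" % max_hops)


if __name__ == "__main__":
    params = load_init_params(WEB_XML, "OpenIDRelayingPartyServlet")
    disc, cons = split_maps(params)
    for d in ("gmail.com", "anotherdomain.com", "yahoo.com"):
        print(d, "->", resolve(d, disc, cons))
```

Running the block prints the gmail.com entry resolving to the Google endpoint with the step2 consumer, anotherdomain.com resolving through its alias to mydomain.com, and yahoo.com (no mapping) falling back to discovery on the domain itself with openid4java.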

The email address associated with the user's OpenID login is used as the username in the portal. Whenever the user is authenticated by the OpenID login portlet and OpenIDRelayingPartyServlet, the following OpenID attribute exchange and/or simple registration data is synchronized with portal user attributes:

OpenID Data -> Portal User Attribute

attribute: http://axschema.org/contact/email
simple registration: email
    -> user.business-info.online.email

attribute: http://axschema.org/namePerson
simple registration: fullname
    -> user.name

attribute: http://axschema.org/namePerson/last
simple registration: n/a
    -> user.name.family

attribute: http://axschema.org/namePerson/first
simple registration: n/a
    -> user.name.given

attribute: http://axschema.org/namePerson/friendly
simple registration: nickname
    -> user.name.nickName
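Because the email address becomes the portal username, a provider response without an email cannot be mapped to a user at all. The following added example (not Jetspeed code) applies the attribute mapping above to constructed attribute exchange (AX) and simple registration (SREG) response data and refuses to produce a user when no email is present. Letting AX values override SREG values when both are returned is this example's choice, not something the page states.

```python
# Attribute exchange type URIs and simple registration field names mapped to
# portal user attributes, exactly as in the table above.
AX_TO_PORTAL = {
    "http://axschema.org/contact/email": "user.business-info.online.email",
    "http://axschema.org/namePerson": "user.name",
    "http://axschema.org/namePerson/last": "user.name.family",
    "http://axschema.org/namePerson/first": "user.name.given",
    "http://axschema.org/namePerson/friendly": "user.name.nickName",
}
SREG_TO_PORTAL = {
    "email": "user.business-info.online.email",
    "fullname": "user.name",
    "nickname": "user.name.nickName",
}
USERNAME_ATTRIBUTE = "user.business-info.online.email"   # the username source per the text


class MissingEmailError(ValueError):
    """Raised when the provider returned no usable email, so no portal username exists."""


def _first(value):
    """AX responses may carry several values per type URI; keep the first non-empty one."""
    if isinstance(value, (list, tuple)):
        value = next((v for v in value if v), None)
    return value.strip() if isinstance(value, str) and value.strip() else None


def sync_user_attributes(ax, sreg):
    """Build portal user attributes from AX and SREG data and derive the username.

    SREG values are applied first and AX values overwrite them (example's choice).
    """
    attrs = {}
    for field, portal_key in SREG_TO_PORTAL.items():
        v = _first(sreg.get(field))
        if v:
            attrs[portal_key] = v
    for type_uri, portal_key in AX_TO_PORTAL.items():
        v = _first(ax.get(type_uri))
        if v:
            attrs[portal_key] = v
    username = attrs.get(USERNAME_ATTRIBUTE)
    if not username or "@" not in username:
        raise MissingEmailError("provider returned no email address; cannot map to a portal user")
    return username, attrs


# Constructed sample responses for this example (not real provider output).
SAMPLE_AX = {
    "http://axschema.org/contact/email": ["alice@example.com"],
    "http://axschema.org/namePerson/first": ["Alice"],
    "http://axschema.org/namePerson/last": ["Liddell"],
}
SAMPLE_SREG = {"fullname": "Alice Liddell", "nickname": "alice", "email": "old@example.com"}

if __name__ == "__main__":
    print(sync_user_attributes(SAMPLE_AX, SAMPLE_SREG))
```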

In addition to providing OpenID authentication services, the OpenIDRelayingPartyServlet also serves OpenID Relaying Party metadata. The metadata endpoint allows the OpenID provider to validate the portal as a legitimate OpenID client. The URI associated with the metadata is computed from the metadata request itself, (e.g. http[s]://portal.mydomain.com/jetspeed/openid).

Using OpenID Portlets

The OpenIDLoginPortlet is required to support portal OpenID logins. By default, this portlet is configured to support login buttons for the Google, Yahoo!, and myOpenID providers with an OpenID entry field where users can enter OpenID URLs or provider domains. New user registration is also enabled by default, (as mentioned above, the new user's OpenID email address is used as the portal user id). These options and the new user registration properties can be configured as portlet parameters and preferences.

Once the end user is logged in, the OpenIDLoginPortlet displays the logged in user id and allows the user to log out.

The following configuration parameters and preferences are supported by the OpenIDLoginPortlet:

Parameter/Preference Name (Default)

providerLabels (Gmail, Yahoo!, myOpenID)
    Display names for OpenID provider buttons.

providerDomains (gmail.com, yahoo.com, myopenid.com)
    Domain names for OpenID provider buttons.

enableOpenIDEntry (true)
    Enable OpenID provider or URL entry.

enableRegistrationConfig (false)
    Enable portlet init parameter registration configuration.

enableRegistration (true)
    Global enable new user registration.

newUserTemplateDirectory (/_template/new-user/)
    Global new user template directory to be used for registration.

subsiteRootFolder (none)
    Global subsite root folder to be used for registration.

roles (user)
    Global roles to be assigned at registration.

groups (none)
    Global groups to be assigned at registration.

rulesNames (page)
    Global profiling rule names to be assigned at registration.

rulesValues (j2)
    Global profiling rule values to be assigned at registration.

When a portal user is authenticated using the OpenIDLoginPortlet, a session attribute that contains the login domain is set. This session attribute, (PortalReservedParameters.SESSION_OPEN_ID_PROVIDER), can be checked by other portlets to ensure the user is logged in before referencing protected resources. The OpenIDIFramePortlet uses this technique to check an OpenID login domain before including a protected web page. The following configuration preference is supported by the OpenIDIFramePortlet in addition to the IFramePortlet preferences:

Preference Name (Default)

REQUIREDOPENIDPROVIDERLABEL (none)
    Required OpenID provider label.

REQUIREDOPENIDPROVIDER (none)
    Required OpenID provider domain.

The OpenIDIFramePortlet is often used when the portal uses a single specific OpenID provider to protect enterprise assets. Both the OpenIDLoginPortlet and the OpenIDIFramePortlet can be configured accordingly.

OpenIDLoginPortlet:

  • providerLabels = MyDomain
  • providerDomains = mydomain.com
  • enableOpenIDEntry = false

OpenIDIFramePortlet:

  • SRC = http://www.mydomain.com/...
  • REQUIREDOPENIDPROVIDERLABEL = MyDomain
  • REQUIREDOPENIDPROVIDER = mydomain.com
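The point of the single-provider configuration is that the IFrame portlet includes the protected page only after checking that the session's OpenID login domain is the required one, not merely that some session exists. The following added example (not Jetspeed code) models that check together with the login portlet side that records the domain: providerLabels/providerDomains are paired into buttons, a login domain that is not offered is rejected when enableOpenIDEntry is false, and the IFrame decision distinguishes "not logged in" from "logged in through the wrong provider". The session attribute is named PortalReservedParameters.SESSION_OPEN_ID_PROVIDER on this page but its string value is not, so the key below is a placeholder; the SRC path is likewise constructed because the page elides it.

```python
# Placeholder for the PortalReservedParameters.SESSION_OPEN_ID_PROVIDER key; the
# real attribute name is not given on the page.
SESSION_OPEN_ID_PROVIDER = "SESSION_OPEN_ID_PROVIDER_PLACEHOLDER"

# Single-provider configuration from the page; the SRC path is constructed.
LOGIN_PREFS = {
    "providerLabels": "MyDomain",
    "providerDomains": "mydomain.com",
    "enableOpenIDEntry": "false",
}
IFRAME_PREFS = {
    "SRC": "http://www.mydomain.com/protected/",
    "REQUIREDOPENIDPROVIDERLABEL": "MyDomain",
    "REQUIREDOPENIDPROVIDER": "mydomain.com",
}


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def provider_buttons(prefs):
    """Pair providerLabels with providerDomains; a length mismatch is a config error."""
    labels = _csv(prefs.get("providerLabels", ""))
    domains = _csv(prefs.get("providerDomains", ""))
    if len(labels) != len(domains):
        raise ValueError("providerLabels and providerDomains have different lengths")
    return list(zip(labels, [d.lower() for d in domains]))


def allowed_login_domain(prefs, domain):
    """With free OpenID entry disabled, only the configured button domains are accepted."""
    if prefs.get("enableOpenIDEntry", "true").strip().lower() == "true":
        return True
    return domain.strip().lower() in {d for _, d in provider_buttons(prefs)}


def login(session, prefs, domain):
    """What the login portlet does after a successful authentication: record the domain."""
    if not allowed_login_domain(prefs, domain):
        raise PermissionError("login domain %s is not offered by this portlet" % domain)
    session[SESSION_OPEN_ID_PROVIDER] = domain.strip().lower()


def iframe_decision(session, prefs):
    """Decide what OpenIDIFramePortlet renders: the SRC page or a login prompt."""
    required = prefs.get("REQUIREDOPENIDPROVIDER", "").strip().lower()
    if not required:
        return "include", prefs["SRC"]       # no requirement: plain IFramePortlet behaviour
    provider = session.get(SESSION_OPEN_ID_PROVIDER)
    if provider is None:
        label = prefs.get("REQUIREDOPENIDPROVIDERLABEL") or required
        return "login-required", label
    if provider.strip().lower() != required:
        return "wrong-provider", provider     # logged in, but not through the required provider
    return "include", prefs["SRC"]


if __name__ == "__main__":
    session = {}
    print(iframe_decision(session, IFRAME_PREFS))
    login(session, LOGIN_PREFS, "mydomain.com")
    print(iframe_decision(session, IFRAME_PREFS))
```

Run stand-alone, the block first reports that a login is required (with the MyDomain label) and, after the login is recorded, that the protected SRC may be included.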

The portlet configuration above will appear like this when the user is not logged in.

After logging in, the user will be able to see the protected content in the portal page.