Summary: Omniauth - OpenID Single Sign-On for Drupal

Posted by xamanu

Hello,

I'm just trying to get all information, spread out in different nodes and comments, together into one single post:

We implemented an OpenID single sign-on solution for some of our clients (we call it Omniauth). It's based on Development Seed's great work on an OpenID Single Sign-on solution for Drupal. Besides general improvements, instead of using Feeds, FOAF and PubSubHubbub to synchronize user information we used OpenID's own update_url (http://openid.net/specs/openid-attribute-exchange-1_0.html#fetch_request) and store_request (http://openid.net/specs/openid-attribute-exchange-1_0.html#store_request) to share user information between sites.

Omniauth includes the modules that are necessary, exported configuration into Features and installation profiles for both provider and relying parties.

I made a screencast to make it easier to understand how to set up Omniauth and its provided functionality at this moment: http://vimeo.com/xamanu/omniauth-drupal-openid-single-sign-on-solution

You can get the make files for Omniauth in our gitorious git repository:
http://gitorious.org/openid_sso/makefiles/blobs/raw/master/osso_provider_ax.make
http://gitorious.org/openid_sso/makefiles/blobs/raw/master/osso_relying_ax.make

There has been confusion about the modules used and their purpose, especially because some differ (only slightly) from the Dev Seed proposal, e.g. through renaming...
Overview of used modules:

Provider                        | Relying Party                   | Type       | Purpose
Openid Provider                 | Openid (Core)                   | Modules    | Basic OpenID functionality
Openid Provider SSO             | Openid Relying SSO              | Modules    | Basic Single-Sign-On functionality
Openid Provider AX              | Openid Client AX                | Modules    | Attribute Exchange for user information sharing between sites
Openid Profile, Openid CP Field | Openid Profile, Openid CP Field | Modules    | Mapping AX attributes to (core and content) profile fields. Same on provider and relying party.
Omniauth Provider               | Omniauth Relying                | Features   | Omniauth special configuration
Omniauth                        | Omniauth Client                 | Profiles   | Installation profiles for Omniauth
Omniauth Provider AX            | Omniauth Relying AX             | Make Files | These files declare all necessary modules that have to be assembled for the Omniauth setup

Please use the respective issue queues of the modules named here to post any kind of specific request.

Random annotations:
* This is work in progress. Be aware that it is not ready for real production unless you really know what you are doing :-)
* Synchronization through store_request and update_url should give the user an immediate response about the un-/successful synchronization. This solution is pretty much oriented to using the pure OpenID specs, but is not thoroughly solved in terms of scalability and security of the transfer of data. This is the reason why we don't allow synchronizing from client to OpenID provider for really important data (user name and email); these can be changed on the provider side only.
* You can access with user id 1 on your relying party sites through http://your-relying-party.x/login/direct

This is just a write-up so that more people can see the state of development here and hopefully might want to help. We really need more contributors - in any sense - to get this to a publishing-worthy level. There is the outstanding Drupal 7 port of all modules, and actually, code-wise, a lot has to be done to get all these modules to a really good quality and to achieve a more generic approach.

I'm inviting everybody to check out the work and I'd be more than happy if this and OpenID in general could gain some momentum (again).
Cheers,
Felix

This work has been sponsored by Erdfisch (a great German Drupal Shop).

Comments

Sites and roles

Posted by peterx

Something worth documenting is the difference between authorising a user versus authorising a site or a role from a site. Can I authorise all users of example.com to access my site? This appears to be easy with most options. Can I authorise all users of example.com with role editor to access my site with the role of contributor? The attribute exchanges I have tried to use in the past do not translate to Drupal roles unless everyone is using Drupal and they all define exactly the same roles, something that happens only if all the sites in an exchange are sites that I control.

The reason I am looking for an open ID solution at this level is the need to differentiate between users, article contributors, and editors. If a person is accepted as an article contributor at example.com, they can write for some of my sites. example.com may not be based on Drupal or may be a different release of Drupal or may have different names for similar roles.

I understand your needs. In

Posted by xamanu

I understand your needs. In theory you could transfer any information through OpenID's attribute exchange. But I don't think that providing access information through OpenID would be a good thing: since the sent information could easily be manipulated, you probably don't want to set your roles based on what is coming in.

Either set permissions/roles individually on your relying sites, or you'd have to look around for other solutions. The Services module could help to develop some custom exchange of information; not sure if OAuth would work for this.
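An added example in Python (not Omniauth's or Development Seed's code) for the update_url/store_request synchronization described in the original post and for the point above that incoming attributes must not drive roles: it builds the AX fetch_request and store_request parameters and shows a provider-side store_request handler that treats every incoming value as untrusted. The alias table and the client-writable attribute set are assumptions.

```python
AX_NS = "http://openid.net/srv/ax/1.0"
# Constructed alias -> type-URI table (axschema.org URIs, as Drupal's AX modules use).
AXSCHEMA = {
    "email": "http://axschema.org/contact/email",
    "nickname": "http://axschema.org/namePerson/friendly",
    "fullname": "http://axschema.org/namePerson",
}
TYPE_PREFIX = "openid.ax.type."

def ax_fetch_request(aliases, required, update_url=None):
    """Relying party: openid.ax.* keys of a fetch_request. update_url asks the
    provider to push later attribute changes to that URL (AX 1.0 fetch_request)."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "fetch_request",
              "openid.ax.required": ",".join(required)}
    for alias in aliases:
        params[TYPE_PREFIX + alias] = AXSCHEMA[alias]
    if update_url:
        params["openid.ax.update_url"] = update_url
    return params

def ax_store_request(values):
    """Relying party: store_request pushing edited profile values to the provider."""
    params = {"openid.ns.ax": AX_NS, "openid.ax.mode": "store_request"}
    for alias, value in values.items():
        params[TYPE_PREFIX + alias] = AXSCHEMA[alias]
        params["openid.ax.value." + alias] = value
    return params

def handle_store_request(params, client_mutable=frozenset({"fullname"})):
    """Provider: accept a store_request only for attributes the client may change.
    The writable set is an assumption (Omniauth keeps user name and e-mail
    provider-only). Incoming AX values are untrusted input: an attribute outside
    the set, or with a mismatched type URI, refuses the whole request, and roles
    are never derived from them. Returns (values_to_store, openid.ax.* reply)."""
    failure = {"openid.ns.ax": AX_NS, "openid.ax.mode": "store_response_failure"}
    if params.get("openid.ns.ax") != AX_NS or params.get("openid.ax.mode") != "store_request":
        return {}, {**failure, "openid.ax.error": "not an AX store_request"}
    accepted, rejected = {}, []
    for key, type_uri in params.items():
        if not key.startswith(TYPE_PREFIX):
            continue
        alias = key[len(TYPE_PREFIX):]
        value = params.get("openid.ax.value." + alias)
        if alias in client_mutable and AXSCHEMA.get(alias) == type_uri and value:
            accepted[alias] = value
        else:
            rejected.append(alias)
    if rejected:  # all-or-nothing: a store_response_failure means nothing was stored
        return {}, {**failure, "openid.ax.error": "rejected: " + ",".join(sorted(rejected))}
    return accepted, {"openid.ns.ax": AX_NS, "openid.ax.mode": "store_response_success"}
```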

Some of us can't use Omniauth

Posted by lelizondo

Some of us can't use Omniauth because the site is already working, so I thought I could explain what you need to set up this environment with the minimum possible modules. You'll be setting up two sites, the Provider (Server) and the Relying (Client); of course, there could be multiple Relying sites.

Edit: The openid_sso_relying and openid_sso_provider are now full projects.

Provider (Server)

Depending on whether you're using Content Profile or the Core Profiles, you'll need one or the other:

Relying (Client)

Depending on whether you're using Content Profile or the Core Profiles, you'll need one or the other:

Luis

Still need patches?

Posted by markwk

Are these patches still valid, or have they gone into the modules? When I tried to apply the patches, both seemed to have already been applied.

BTW -- can I assume all the modules in https://github.com/lelizondo/openprofiles would also get me there?

We will have a BoF at

Posted by xamanu

We will have a BoF at Germany's Drupalcamp this weekend about this topic: http://drupalcity.de/session/openid-single-sign-solution-and-drupal

sso consultant

Posted by js

I am looking for a consultant to help implement this or the Development Seed approach for http://referendum.com and the related sites -- all based on Commons (D6).

Hopefully the result can become a recipe that others could use.

Posted by Sandip Choudhury

I am using the openid_provider, openid_sso_provider and openid_sso_relying modules for a centralized login system for multiple websites.

I have enabled OpenID SSO Provider Registration for custom registration email messages for different providers.

But the available variables (in the email template for registration confirmation) are not working when a user creates an account. It is just showing [user:name], [user:one-time-login-url], [site:login-url] when an email for verification reaches the user's mailbox. I think it should show the actual user name, one-time login URL, etc.

For information, I have enabled these modules on the OpenID provider:
OpenID Attribute Exchange API, OpenID Profile, Openid Provider, OpenID Provider Attribute Exchange, OpenID SSO Provider, OpenID SSO Provider Registration, OpenID SSO Provider Required Fields, OpenID SSO Provider Selections, XRDS Simple, Entity API, Entity tokens, Token, Chaos tools.

On the OpenID client website, I have enabled these modules:
OpenID, Chaos tools, OpenID Attribute Exchange API, OpenID Client Attribute Exchange, OpenID Profile, OpenID Relying SSO.

Also, an error is sometimes showing: Strict warning: Only variables should be passed by reference in theme_openid_provider_sites() (line 154 of /home/openid1/public_html/sites/all/modules/openid_provider/openid_provider.pages.inc).

So, what may be wrong? Please help.
