Today we just added support in our OpenID extension (note to myself: this page needs a serious update…) for another OpenID 2.0 feature: realm & RP validation.
As described in the OpenID 2.0 specification, it is important for an IdP (sorry, I mean an OP in OpenID parlance) to verify that the Relying Party (RP) return_to URL (that is, the endpoint the browser will be redirected to once authentication has happened at the OP) is indeed an OpenID endpoint. The OP should also verify that this return_to URL is within the realm of the RP, so that the assertion is only delivered to a site that genuinely belongs to the realm the user is asked to trust. This validation is done by having the OP perform a Yadis-based discovery of the RP (see here for more details).
The OpenID4java library, upon which our extension is built, already supports this validation. To leverage this feature in your OpenSSO deployment, you’ll have to do the following (I’m assuming you have already deployed the OpenID extension; if not, see this post):
- Create an XRDS document that you’ll host at the RP site. This file describes the RP endpoint and will be retrieved by the OP. At a minimum the file contains one service description with one endpoint (your return_to URL). To follow up on the deployment I described in previous posts, my XRDS document (I named it yadis.xml) contains the following information:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
xmlns:openid="http://openid.net/xmlns/1.0">
<XRD>
<Service>
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>http://opensso.example.com:49723/consumer-servlet</URI>
</Service>
</XRD>
</xrds:XRDS>
- In the Provider.properties file (see previous post) add the following property: openid.provider.enforcerpid=true (or false if you don’t want it…)
That’s it; now when your RP makes an authentication request, the OP will validate the RP’s endpoint.
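As an added illustration (not code from the OpenSSO extension or from OpenID4java), here is an OP-side version of the two checks described above: that return_to lies within the realm, and that it matches a return_to endpoint advertised in the RP's XRDS. The XRDS is embedded as a constructed sample modelled on the yadis.xml above rather than fetched from the realm, and the realm rules follow the OpenID 2.0 specification.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

XRD_NS = "xri://$xrd*($v*2.0)"
RETURN_TO_TYPE = "http://specs.openid.net/auth/2.0/return_to"

# Constructed sample XRDS, modelled on the yadis.xml in the post.
SAMPLE_XRDS = """<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD><Service>
    <Type>http://specs.openid.net/auth/2.0/return_to</Type>
    <URI>http://opensso.example.com:49723/consumer-servlet</URI>
  </Service></XRD>
</xrds:XRDS>"""

def return_to_endpoints(xrds_text):
    """URIs of every return_to Service in the XRDS (it comes from the RP over
    the network, so a production OP should parse it with a hardened parser)."""
    uris = []
    for svc in ET.fromstring(xrds_text).iter("{%s}Service" % XRD_NS):
        types = [t.text.strip() for t in svc.findall("{%s}Type" % XRD_NS) if t.text]
        if RETURN_TO_TYPE in types:
            uris += [u.text.strip() for u in svc.findall("{%s}URI" % XRD_NS) if u.text]
    return uris

def _port(p):  # explicit port, or the scheme default when none is given
    return p.port or {"http": 80, "https": 443}.get(p.scheme)

def _under(path, prefix):  # path equal to prefix or in a sub-directory of it
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def return_to_matches_realm(return_to, realm):
    """OpenID 2.0 realm rules: same scheme and port, host equal to the realm's
    host (or beneath it for a '*.' wildcard), path at or below the realm path."""
    rt, rl = urlsplit(return_to), urlsplit(realm)
    if rt.scheme != rl.scheme or _port(rt) != _port(rl) or rl.fragment:
        return False
    rt_host, rl_host = rt.hostname or "", rl.hostname or ""
    if rl_host.startswith("*."):
        if rt_host != rl_host[2:] and not rt_host.endswith(rl_host[1:]):
            return False
    elif rt_host != rl_host:
        return False
    return _under(rt.path or "/", rl.path or "/")

def validate_rp(return_to, realm, xrds_text):
    """OP-side decision: return_to lies inside the realm AND is (or extends)
    one of the return_to endpoints the RP advertises in its XRDS."""
    return return_to_matches_realm(return_to, realm) and any(
        _under(return_to, ep) for ep in return_to_endpoints(xrds_text))
```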
January 17, 2010 at 22:15
Hey Hubert,
A typo and some invalid syntax in the above yadis.xml (end tag name wrong, and ns declaration not allowed in service tag)
Here’s what worked for me:
<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)"
xmlns:openid="http://openid.net/xmlns/1.0">
<XRD>
<Service>
<Type>http://specs.openid.net/auth/2.0/return_to</Type>
<URI>http://opensso.example.com:49723/consumer-servlet</URI>
</Service>
</XRD>
</xrds:XRDS>
Thanks.
Susan
January 18, 2010 at 00:20
Thanks Susan
That’s my punishment for typing code instead of cutting and pasting it. I’ve fixed the typos (another issue is formatting the text so that parts of it don’t get hidden…).
Hubert
April 7, 2010 at 21:22
Newbie question: How do you host the XRDS document at the RP.
April 16, 2010 at 21:47
Hello Anil,
The way we do it in our test is to have a yadis.xml file served by the RP site, directly at the root (/) level.
Hubert