setting up Azure to talk to openlink OP


By default, the Azure STS does not come with metadata pointing at OpenLink's OpenID endpoint.

image

To make a realty site talk to OpenLink's OpenID auth endpoint as an IDP (and as an authentication authority to a downstream IDP bridge), the Azure bridge has to discover the new OP. To do this, it must read the XRDS file. We learn the location of the file by simply looking at the metadata for a particular OpenID identifier:

image

For this user (and probably all others), the XRDS is at http://id.myopenlink.net/openid-proxy/id.vsp?xrds. It is pretty simple and, unlike the HTML metadata, is not specific to a given user.

image

Note how the type is http://specs.openid.net/auth/2.0/signon.

Should it be http://specs.openid.net/auth/2.0/server ?

Let’s now try to use the XRDS locator in a formal discovery process:

image

We see that, given an openid identifier, the code finds the relocator:

image

We then see the client reading the XML stream, and parsing it (rather manually):


image

However, the code is structured to test the metadata for v2:

image

Thus the discovery fails, since v2 is required (and the site does not claim to be v2).

Let's try to fix it by assuming it's v2 (and assuming there was just a typo in the XRD):

image

This allows us to get to:

image
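To make the discovery step above concrete, here is an added example (my own code, not the Azure bridge's or OpenLink's) of OpenID 2.0 service selection over an XRDS document. The two type URIs are the ones from OpenID Authentication 2.0 section 7.3.2.1: `server` marks an OP Identifier element (a directed-identity OP endpoint, which is what an STS treating the OP as an IDP looks for), while `signon` marks a Claimed Identifier element. The sample XRDS documents are constructed, and the endpoint URI in them is a placeholder rather than OpenLink's real value; only the `<Type>` values are taken from the post. The strict mode reproduces the failure ("v2 OP required, XRDS only says signon"), and the lenient mode is the "assume it's v2" workaround.

```python
# Added example, not code from the original post: OpenID 2.0 service discovery
# over an XRDS document, showing why a client that only accepts the "server"
# (OP Identifier) type rejects an XRDS that advertises the "signon" (Claimed
# Identifier) type, and what the lenient "treat signon as v2" fix does.
import xml.etree.ElementTree as ET

# Namespace URIs defined by the Yadis/XRDS specifications.
NS = {"xrds": "xri://$xrds", "xrd": "xri://$xrd*($v*2.0)"}

# Service type URIs from OpenID Authentication 2.0, section 7.3.2.1.
OP_IDENTIFIER = "http://specs.openid.net/auth/2.0/server"  # OP Identifier element
CLAIMED_ID = "http://specs.openid.net/auth/2.0/signon"     # Claimed Identifier element
OPENID_V1_TYPES = ("http://openid.net/signon/1.1", "http://openid.net/signon/1.0")

# Constructed sample documents. The endpoint URI is a placeholder, not
# OpenLink's real one; only the <Type> values come from the post.
SIGNON_XRDS = """<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="0">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example.invalid/openid-proxy/auth</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

# Same document, but advertising the OP Identifier type instead.
SERVER_XRDS = SIGNON_XRDS.replace(CLAIMED_ID, OP_IDENTIFIER)


def parse_services(xrds_text):
    """Return (types, uris, priority) per <Service>, best priority first."""
    root = ET.fromstring(xrds_text)
    services = []
    for svc in root.findall(".//xrd:XRD/xrd:Service", NS):
        types = [t.text.strip() for t in svc.findall("xrd:Type", NS) if t.text]
        uris = [u.text.strip() for u in svc.findall("xrd:URI", NS) if u.text]
        prio = svc.get("priority")
        services.append((types, uris, int(prio) if prio is not None else None))
    # Yadis: a lower priority number wins; services without one sort last.
    services.sort(key=lambda s: (s[2] is None, s[2] or 0))
    return services


def discover(xrds_text, require_op_identifier=True):
    """Select the OpenID endpoint a relying party should use.

    require_op_identifier=True mirrors the strict check the post runs into:
    only a "server" service counts as a v2 OP, so a "signon"-only XRDS yields
    None. With require_op_identifier=False the "signon" type is accepted as a
    v2 endpoint too (the post's workaround), with v1 types as a last resort.
    """
    for types, uris, _ in parse_services(xrds_text):
        if not uris:
            continue
        if OP_IDENTIFIER in types:
            return {"endpoint": uris[0], "version": 2, "mode": "op-identifier"}
        if require_op_identifier:
            continue  # strict: a Claimed Identifier service is not an OP endpoint
        if CLAIMED_ID in types:
            return {"endpoint": uris[0], "version": 2, "mode": "claimed-identifier"}
        if any(t in OPENID_V1_TYPES for t in types):
            return {"endpoint": uris[0], "version": 1, "mode": "claimed-identifier"}
    return None


if __name__ == "__main__":
    print("strict, signon XRDS :", discover(SIGNON_XRDS))
    print("lenient, signon XRDS:", discover(SIGNON_XRDS, require_op_identifier=False))
    print("strict, server XRDS :", discover(SERVER_XRDS))
```

The practical point of the strict check: whatever this document says is where the bridge will redirect every user for authentication, so the type test is the one place the relying party distinguishes "an OP I may send anyone to" from "one user's claimed identifier". Relaxing it, as the workaround does, is only sensible when the XRDS is known to belong to the OP itself (as the non-user-specific document in the post does), and the fetch of that document is then part of the trust boundary, which matters when it is retrieved over plain http as here.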

Stands a chance of working, end to end, now! Now, I bind to an account linking server (classical SAML1), which pops up the local logon challenge of the IDP bridge before tying the name claim to the local account on the bridge.

image

To map the name all the way through the STS we do:

image

image

The net result is:

image

and then

image

and then

image

and then another easy fix for issues on the return leg:

image 

Well done Kingsley (and openlink team).

About home_pw@msn.com

http://yorkporc.wordpress.com/about-2/
This entry was posted in webid.
