Now that my OpenASelect server is running it's time to make it a bit more attractive and robust. Apart from creating flashy JSPs based on our corporate CSS style this means:
- Make the user URL as short as possible, something like
- Better yet, instead of the full User Principal Name (UPN) (which includes as a domain
@domain.com) I want users to be able to use
- Allow users to also use
firstname.lastname(without the domain) when they use
openid.domain.comas URL (the OAS server asks the user to enter both the user name and the password in that case)
- Secure the server with a certificate (our authentication is password based, after all)
The regular httpd server accepts connections on port 80 and proxies these to the Tomcat server which has an AJP connector on port 8009:
Clients can remain unaware of the fact that pages under
ProxyPassReverse /openaselect/ ajp://localhost:8009/openaselect/
ProxyPass /openaselect/ ajp://localhost:8009/openaselect/
openaselect/are actually served by the Tomcat server and not by the httpd server they are connected to. On top of that I used mod_rewrite to get prettier URLs:
The rewriting trick works well for omnidirectional identifiers in which the username is part of the OpenID URL. When the user merely enters
RewriteRule ^/([A-Za-z0-9]+\.[A-Za-z0-9]+)$ http://email@example.com [P,L]
http://openid.novay.nlat an RP and the actual OpenID URL is established through discovery things get a bit more complex. The rewriting needs to be done at a slightly deeper level. The configuration file links to Java classes for many of the sub-processes. In my
oa.xmlmost of these classes are standard Alfa & Ariss classes, for example I used a
StandardTranslatorinside the user provisioning process. I replaced the reference to this class with my own
SloppyUPNTranslatorso that users can leave out the domain part of their UPN. Deploying is done by adding the class to a jar file and dropping it inside the
WEB-INF. My translator simply wraps a
StandardTranslatorand overrides the
translate(String)method by adding a
"@novay.nl"to the argument before calling the wrapped translator.
Am I finished playing with OAS as OpenID provider? For now. But there are plenty of loose ends that I intend to investigate later on:
- Session identifiers when the user merely uses
https://openid.novay.nlwith an RP, the discovered URL can be used to track the user. I'd like to see if OAS can be tweaked to use a per-RP, or even per-session, pseudonym here.
- Other, innovative, authentication methods. Perhaps smart card based.
- Deploy OAS in Google App Engine. Not connected to our AD, of course. Just to see if it's possible: Looks like the server uses some threads, not sure if these are necessary.