.Nat Zone

Digital Identity et al.

How to Set Up OpenID on Your Own Domain with fallback provider

2010/11/11

Saw Gina Trapani's follow-up post to Chris Messina's comments on This Week in Google.

http://smarterware.org/6286/how-to-set-up-openid-on-your-own-domain/

It is very good to hear that people turn out to like the "delegation[1]" feature.

In the article Gina says:

I’m not sure yet how to set Idproxy as my “fallback” provider just yet; if you know how to do that, post it up in the comments.

John Bradley posted a reply there, but the sanitization of the comment system seems to be eating up important portions and making it hard to use. So, here is my attempt to explain it.

How to set up OpenID for your domain with fallback provider

(1) Create an XRDS file like this:

<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <CanonicalID>http://xri.net/=!E18C.3B56.889D.850B</CanonicalID>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://authn.fullxri.com/authentication/</URI>
      <LocalID>http://xri.net/=!E18C.3B56.889D.850B</LocalID>
    </Service>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://www.google.com/accounts/o8/ud?source=profiles</URI>
      <LocalID>http://www.google.com/profiles/sakimura</LocalID>
    </Service>
  </XRD>
</xrds:XRDS>

In it, each <Service> element represents a different authentication service.
In the above case, fullxri is my primary authentication service (priority="10") and Google is my failover authentication service (priority="20"): the RP tries the service with the lower priority value first.

(2) Put the link to this file by inserting the following into the top page of your domain (replace my domain with yours):

<meta http-equiv="X-XRDS-Location" content="http://www.sakimura.org/yadis.xml">

That’s all!

Unfortunately, not all RP libraries can do this failover. DotNetOpenAuth and JanRain's library support this feature.
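For RP authors, here is the discovery logic such a failover relies on, as an added example that is not code from this post, DotNetOpenAuth or JanRain's library: parse the XRDS, keep only OpenID 2.0 signon services, order them by priority (lower value first; a service with no priority attribute sorts last), and fall through to the next endpoint when one cannot be reached. The third service (op.example) and the reachable callback are constructed for the example.

```python
import xml.etree.ElementTree as ET
from typing import List, NamedTuple, Optional
XRD = "{xri://$xrd*($v*2.0)}"  # default namespace used by the post's XRDS
SIGNON = "http://specs.openid.net/auth/2.0/signon"
# Constructed sample: the post's two services plus one with no priority attribute.
SAMPLE_XRDS = b"""<?xml version="1.0" encoding="UTF-8"?>
<xrds:XRDS xmlns:xrds="xri://$xrds" xmlns="xri://$xrd*($v*2.0)">
  <XRD>
    <Service priority="20">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://www.google.com/accounts/o8/ud?source=profiles</URI>
      <LocalID>http://www.google.com/profiles/sakimura</LocalID>
    </Service>
    <Service priority="10">
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://authn.fullxri.com/authentication/</URI>
      <LocalID>http://xri.net/=!E18C.3B56.889D.850B</LocalID>
    </Service>
    <Service>
      <Type>http://specs.openid.net/auth/2.0/signon</Type>
      <URI>https://op.example/no-priority</URI>
    </Service>
  </XRD>
</xrds:XRDS>"""

class Endpoint(NamedTuple):
    priority: Optional[int]
    uri: str
    local_id: Optional[str]

def signon_endpoints(xrds: bytes) -> List[Endpoint]:
    """OpenID 2.0 signon services, ordered as an RP should try them."""
    found = []
    for svc in ET.fromstring(xrds).iter(XRD + "Service"):
        types = [t.text.strip() for t in svc.findall(XRD + "Type") if t.text]
        uri = svc.findtext(XRD + "URI")
        if SIGNON not in types or not uri:
            continue  # skip other service types and services without an endpoint
        prio = svc.get("priority")
        found.append(Endpoint(int(prio) if prio is not None else None,
                              uri.strip(), svc.findtext(XRD + "LocalID")))
    # Lower value is tried first; a missing priority sorts last (XRI Resolution rule).
    return sorted(found, key=lambda e: (e.priority is None, e.priority or 0))

def choose_endpoint(xrds: bytes, reachable) -> Optional[Endpoint]:
    """Return the first endpoint, in priority order, that the RP can reach."""
    for ep in signon_endpoints(xrds):
        if reachable(ep.uri):
            return ep
    return None
```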

[1] It is the delegation of the authentication service, not the delegation of your authorization decision.
