© 2011 Karthik Ethirajan, all rights reserved
OpenID Explained
Karthik Ethirajan
October 2011
Agenda
1. Executive Overview
2. What is OpenID ?
3. OpenID Identity Providers
4. OpenID Relying Parties
5. OpenID Adoption
6. OpenID Implementation & Login Flow
7. OpenID Evolution
8. Recommended Approach for OpenID
9. Appendix – Registration Flow
Executive Overview
Decentralized mechanism for single sign-on
No single Identity Provider controls the OpenID ecosystem. Anyone can offer or accept
OpenID using the published specifications and the available libraries.
No fees to enable OpenID
OpenID is an open standard with free open-source libraries; there are no license fees for
Identity Providers or Relying Parties.
Join the big boys club
Google, Yahoo, Facebook, Microsoft, PayPal and others are OpenID Foundation members.
OpenID is widely adopted on the Identity Provider side, giving 1B+ users an OpenID ready
to use.
Lackluster adoption by Relying Parties
Only about 50,000 sites accept OpenID for login.
What is OpenID ?
OpenID lets a user log into a Relying Party website with an existing account at a
well-known Identity Provider. It delivers the single sign-on idea without requiring the
user to establish yet another ID.
• An OpenID identifier is a URL or an XRI (i-name). The OpenID 2.0 specification does
not define email addresses as identifiers; email-style identifiers arrive with
OpenID Connect
• OpenID enables dynamic discovery of the Identity Provider: the identifier carries the
provider's domain, and the Relying Party fetches it to locate the provider's endpoint
• The user's account name/ID with the Identity Provider is reformatted into an
OpenID-compliant identifier
OpenID Identity Providers
Well adopted, but less publicized
Identity Providers such as Google and Facebook have contributed to the standard
(potentially as a hedge), but they also offer competing products and seek to maintain
their dominance of the IDP market.
Providers reluctant to accept OpenID
The providers are strong proponents of issuing OpenIDs. They are much less
enthusiastic about accepting one as a login on their own websites.
Examples of OpenID Format
Google: https://www.google.com/accounts/o8/id (an OP identifier; the user's own
identifier is returned by Google after discovery and login)
AOL: openid.aol.com/username
Yahoo: me.yahoo.com
MySpace: myspace.com/username
Blogger: username.blogger.com
Verisign: username.pip.verisignlabs.com
Orange: openid.orange.fr
LiveJournal: username.livejournal.com
OpenID Relying Parties
Source: openiddirectory.com
No real incentive for adoption
The current version of OpenID offers limited support for transferring user attributes
(Simple Registration and Attribute Exchange are optional extensions).
User experience has not been exceptional
OpenID has failed to deliver on several of the issues it aims to solve.
Well suited for long tail websites
For smaller sites, OpenID is the only viable option for participating in identity
federation.
Examples of OpenID Login
OpenID Adoption
Factors Influencing Adoption
Identity Provider Adoption
• Majority of large Identity Providers such as Google, Yahoo, Microsoft provide OpenIDs
• Potential gains in marketing and thought leadership are significant if the user
community decides to adopt
• Major Identity Providers are also OpenID Foundation members
Relying Party Adoption
• Current OpenID implementation is cumbersome for developers and users (integration is
not smooth, long URL for users to remember)
• Data attribute function very limited in the first iteration, leaving little incentive
for relying parties to adopt the standard over other federation methods
Statistics
• More than 1 billion OpenID-enabled user accounts
• Over 50K sites currently accept OpenID for login
Source: openid.net, http://upon2020.com
OpenID adoption differs significantly between Identity Providers and Relying Parties. For
large identity providers, potential gains outweigh costs. For relying parties, the lack of
attribute transfer, complexity of integration, and poor user experience hinder more
widespread adoption.
OpenID Implementation & Login Flow
Parties: the Relying Party (OpenID Consumer) and the Identity Provider (Authentication
Server), both built with OpenID libraries from openid.net.
1. User attempts to log into the Relying Party website using an OpenID identifier. The
Relying Party normalizes the identifier and performs discovery to locate the Identity
Provider's endpoint (optionally establishing a shared association key with it).
2. Relying Party redirects the user to the Identity Provider website for authentication.
3. The Identity Provider returns a signed assertion and redirects the user back to the
Relying Party website. The Relying Party verifies the signature with the association key
(or with a direct check_authentication request to the provider) before accepting the
login.
Integration
OpenID is enabled using free open source libraries. RPs and IDPs integrate the desired
code into their sites.
OpenID specifications are implemented on both Relying Party and Identity Provider
servers using established open source libraries.
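Step 3 of the flow is where the security of the login is decided: the Relying Party receives the assertion through the user's browser, so everything in it is attacker-controllable until the signature and the freshness checks pass. The following is an added example (not the deck's code, and not any library's API) of the Relying Party side of that verification for an OpenID 2.0 positive assertion. It assumes the RP has already established an association with the provider (a shared HMAC-SHA256 key identified by openid.assoc_handle, spec section 8) and remembers the return_to URL and handle it used; the endpoint names, key and response are constructed samples.

```python
"""Relying Party verification of an OpenID 2.0 positive assertion (mode id_res).

Added example; not the deck's code and not any library's API. Assumes an
existing association (shared HMAC key, spec section 8). Endpoint names, key
and the sample response are constructed values.
"""
from __future__ import annotations

import base64
import calendar
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

OPENID_NS = "http://specs.openid.net/auth/2.0"
REQUIRED = ("ns", "mode", "op_endpoint", "return_to", "response_nonce",
            "assoc_handle", "signed", "sig")
NONCE_WINDOW = 300                                   # seconds of tolerated clock skew
RETURN_TO = "https://rp.example.com/openid/return"   # constructed RP return URL
ASSOC_HANDLE = "assoc-0001"                          # constructed association handle
MAC_KEY = b"\x01" * 32                               # constructed HMAC-SHA256 association key


def key_value_form(params: dict, signed: list) -> bytes:
    # Key-Value form (spec 4.1.1) of the signed fields, "openid." prefix removed.
    return "".join(f"{name}:{params['openid.' + name]}\n" for name in signed).encode()


def sign(params: dict, signed: list, mac_key: bytes) -> str:
    digest = hmac.new(mac_key, key_value_form(params, signed), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def verify_assertion(query: str, mac_key: bytes, expected_return_to: str,
                     expected_handle: str, seen_nonces: set, now: float | None = None) -> str:
    """Return the claimed identifier from a valid assertion, else raise ValueError."""
    now = time.time() if now is None else now
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    for name in REQUIRED:
        if f"openid.{name}" not in params:
            raise ValueError(f"missing openid.{name}")
    if params["openid.ns"] != OPENID_NS or params["openid.mode"] != "id_res":
        raise ValueError("not an OpenID 2.0 positive assertion")
    # The assertion must be addressed to the URL this RP sent (spec 11.1).
    if params["openid.return_to"] != expected_return_to:
        raise ValueError("return_to does not match the URL this RP issued")
    # Only a handle we hold the key for can be checked locally; any other handle means
    # a check_authentication request to the OP, never blind trust (spec 11.4).
    if params["openid.assoc_handle"] != expected_handle:
        raise ValueError("unknown assoc_handle; use check_authentication instead")
    signed = params["openid.signed"].split(",")
    # Spec 10.1: these fields must be covered by the signature whenever present, or an
    # attacker could swap the identifier or nonce on the way back.
    must_sign = ["op_endpoint", "return_to", "response_nonce", "assoc_handle"]
    must_sign += [f for f in ("claimed_id", "identity") if f"openid.{f}" in params]
    missing = [f for f in must_sign if f not in signed]
    if missing:
        raise ValueError(f"fields not covered by signature: {missing}")
    if not hmac.compare_digest(sign(params, signed, mac_key).encode(),
                               params["openid.sig"].encode()):
        raise ValueError("signature mismatch")
    # Nonce: "YYYY-MM-DDThh:mm:ssZ" plus unique characters (spec 10.1), scoped per OP
    # endpoint; reject stale or previously seen values to stop replay (spec 11.3).
    nonce = params["openid.response_nonce"]
    try:
        issued = calendar.timegm(time.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ"))
    except ValueError:
        raise ValueError("malformed response_nonce")
    if abs(now - issued) > NONCE_WINDOW:
        raise ValueError("response_nonce outside the accepted time window")
    nonce_key = (params["openid.op_endpoint"], nonce)
    if nonce_key in seen_nonces:
        raise ValueError("replayed response_nonce")
    seen_nonces.add(nonce_key)
    # A valid signature proves the OP said this; the RP must still confirm by discovery
    # that this op_endpoint is authoritative for claimed_id (spec 11.2), not shown here.
    return params.get("openid.claimed_id") or params.get("openid.identity", "")


def verification_result(*args, **kwargs) -> str:
    """'ok:<claimed_id>' or 'error:<reason>', for callers that prefer a value to an exception."""
    try:
        return "ok:" + verify_assertion(*args, **kwargs)
    except ValueError as exc:
        return "error:" + str(exc)


def build_sample_response(mac_key: bytes, now: float, tamper: bool = False) -> str:
    """Constructed id_res query string, as an OP would append it to return_to."""
    stamp = time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(now))
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "id_res",
        "openid.op_endpoint": "https://op.example.net/server",
        "openid.claimed_id": "https://alice.example.net/",
        "openid.identity": "https://alice.example.net/",
        "openid.return_to": RETURN_TO,
        "openid.response_nonce": stamp + "k7Xq2",
        "openid.assoc_handle": ASSOC_HANDLE,
        "openid.signed": "op_endpoint,claimed_id,identity,return_to,response_nonce,assoc_handle",
    }
    params["openid.sig"] = sign(params, params["openid.signed"].split(","), mac_key)
    if tamper:  # modify a signed field after signing, as a man-in-the-middle would
        params["openid.claimed_id"] = "https://mallory.example.net/"
    return urlencode(params)
```

Two checks here are easy to leave out and both have been the root of real relying-party bugs: the list of fields actually covered by openid.signed (an unsigned claimed_id can be rewritten in the browser), and the final discovery check that the signing OP is authoritative for the claimed identifier, without which any provider the RP trusts could assert any user's identifier.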
OpenID Evolution
OpenID Connect is the successor to OpenID 2.0 (at the time of writing still a draft
specification). It contains several enhancements for easy integration and for enabling
attribute transfer.
• OpenID Connect is an identity layer that provides authentication, delegated
authorization (through OAuth 2.0), and attribute (claims) transfer
• OpenID Connect is built on top of OAuth 2.0 and JSON Web Token (JWT); the provider
returns a signed ID Token that the Relying Party validates
• Accepts email-style identifiers for discovery, in addition to URLs
• A suite of lightweight specifications communicating identity via RESTful APIs
• Supports protocol extension, data encryption (signed and encrypted tokens) and
advanced session management
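The JWT bullet above is the concrete change from OpenID 2.0: instead of a signed key-value assertion, the provider returns an ID Token, and the Relying Party's job is to validate it. The following is an added example (not the deck's code and not any library's API) of that validation as OpenID Connect Core section 3.1.3.7 lists it: signature with a pinned algorithm, issuer, audience and azp, expiry and issued-at with bounded skew, and the nonce that ties the token to the login that requested it. HS256 keyed with the client_secret is used so the block is self-contained (Core 10.1 allows it for confidential clients); with RS256 the same claim checks apply after the key is fetched from the OP's jwks_uri. Issuer, client, secret and token contents are constructed values.

```python
"""Relying Party validation of an OpenID Connect ID Token (OIDC Core, section 3.1.3.7).

Added example; not the deck's code and not any library's API. HS256 with the
client_secret as key keeps it self-contained; with RS256 the same claim checks
apply after fetching the OP's JWKS. Issuer, client and secret are constructed.
"""
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import time

ISSUER = "https://op.example.net"                  # constructed OP issuer identifier
CLIENT_ID = "rp-client-42"                         # constructed client_id of this RP
CLIENT_SECRET = b"constructed-client-secret-do-not-reuse"
ALLOWED_ALG = "HS256"                              # pinned by the RP, never taken from the token
CLOCK_SKEW = 60                                    # seconds


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_id_token(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Mint a compact JWS as the OP would (used here only to build sample tokens)."""
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def validate_id_token(token: str, secret: bytes, expected_nonce: str,
                      now: float | None = None) -> dict:
    """Return the claims of a valid ID Token, else raise ValueError."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Step 6: the RP decides which algorithm is acceptable. Honouring the header's alg
    # is how "alg":"none" and key-confusion attacks get in.
    if header.get("alg") != ALLOWED_ALG:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # Step 2: issuer must be exactly the OP this RP expects.
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    # Steps 3-5: this client must be in aud; with several audiences azp is required
    # and, whenever azp is present, it must name this client.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in audiences:
        raise ValueError("token not intended for this client")
    if len(audiences) > 1 and "azp" not in claims:
        raise ValueError("multiple audiences without azp")
    if "azp" in claims and claims["azp"] != CLIENT_ID:
        raise ValueError("azp does not name this client")
    # Steps 9-10: expiry and issued-at, with bounded clock skew.
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, (int, float)) or now > exp + CLOCK_SKEW:
        raise ValueError("token expired")
    if isinstance(iat, (int, float)) and iat > now + CLOCK_SKEW:
        raise ValueError("token issued in the future")
    # Step 11: nonce binds the token to the session that started the login (replay defence).
    if claims.get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def validation_result(token: str, secret: bytes, expected_nonce: str, now: float) -> str:
    """'ok:<sub>' or 'error:<reason>', for callers that prefer a value to an exception."""
    try:
        return "ok:" + validate_id_token(token, secret, expected_nonce, now)["sub"]
    except ValueError as exc:
        return "error:" + str(exc)


def sample_claims(now: float, nonce: str = "n-0S6_WzA2Mj", aud: str = CLIENT_ID) -> dict:
    """Constructed claim set the OP would place in the ID Token."""
    return {"iss": ISSUER, "sub": "248289761001", "aud": aud,
            "exp": int(now) + 600, "iat": int(now), "nonce": nonce,
            "name": "Jane Doe", "email": "jane@example.net"}
```

The account key the RP stores is the pair (iss, sub), never the email claim: sub is stable and unique only within one issuer, and an email claim is only as reliable as the provider's verification of it. The nonce must be generated per login attempt, stored in the session before the redirect, and discarded once a token has consumed it.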
Recommended Approach for OpenID
#1 Provision Access ID as OpenID
• Access ID will most likely be used for federation of identity
• Decide on the OpenID formats to be supported
#2 Recommend implementing the newer version of OpenID, OpenID Connect
• We understand that OpenID is not well adopted today, but we feel that OpenID Connect
has the major ingredients for high adoption
• The OpenID concept is endorsed by NSTIC and gaining acceptance in the government segment
• Inclusion of OAuth 2.0 is aligned with the CSO roadmap for tGuard
#3 Recommend consulting with Gigya on OpenID integration options
• Gigya claims to support integration of OpenID for Relying Parties
• We are already talking to Gigya about federating Access ID
• Need to check if Gigya can help integrate OpenID APIs
Relying Parties Accepting OpenID
APPENDIX
Comparison of OpenID Providers
Following comparison provided by openidexplained.com
APPENDIX
Initial Creation of OpenID from ID Provider
Below is the Yahoo implementation of OpenID provider. The tool is accessible to
any Yahoo subscriber.
APPENDIX
Initial Login Page of Relying Party
The user is given a choice of ID Providers along with a generic OpenID as login
methods. In both authentication flows, the user is redirected to the Identity Provider.
Login Using Generic OpenID URL: the user inputs a generic OpenID URL as their login.
Login Using Common ID Provider: the user selects the Yahoo icon as OpenID login provider.
APPENDIX
Authentication Page of Identity Provider
Once the user is redirected to the identity provider's authentication page, credentials
are requested and verified, and upon successful authentication the user is asked to
consent to sharing of information.
Authentication Form | Consent Screen
APPENDIX
Redirect to Relying Party Website
Once authentication has taken place, the user is redirected back to the relying
party website to complete registration.
Account Creation Page of Relying Party | Completed Account
APPENDIX
User Profile Page of Relying Party Website
Note that the website was able to pull the user's real name from the profile stored
with the identity provider. However, the attributes transferred are limited.
Completed User Profile
APPENDIX
