13. LinOTP as OpenID Provider
Starting with version 2.4, LinOTP can act as an Identity Provider for OpenID. The identity provider's data is stored in an SQL database; you specify the database URL in the linotp.ini file:
linotpOpenID.sql.url = mysql://linotp:test123!@localhost/LinOTP
If you do not specify this URL, the token database is used as default.
The users may authenticate with their identity in the form:
The users will be redirected to
to authenticate to LinOTP. Their authentication is stored in a cookie whose lifetime can be configured in /etc/linotp2/linotp.ini using the parameter:
linotpOpenID.CookieExpire = 3600
13.1. Comfortable identity links
To make the OpenID identity more comfortable for your users, you may use Apache’s mod_rewrite module. To use the identity like https://linotpserver/oid/<username> add something like this to the LinOTP Apache configuration:
RewriteEngine on
RewriteLog /var/log/apache2/rewrite.log
RewriteRule ^/oid(.*) /openid/id$1 [R]
If you want to make it even easier, you can add a second FQDN, e.g. in the default configuration of your Apache. Let us assume your LinOTP runs on https://linotpserver but the server also listens on http://identities.com.
Then you can add the following rewrite rule to the configuration of identities.com:80:
RewriteEngine on
RewriteLog /var/log/apache2/rewrite.log
RewriteRule ^/(.*) https://linotpserver/openid/id/$1 [R]
Now your users can use the identities like
identities.com/<username>
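To check what the two RewriteRule lines above actually produce before deploying them, the following added example (not part of the LinOTP documentation or project code) re-applies the same regular expressions with Python's re module to a few constructed request paths. It also shows the effect of the unanchored pattern ^/oid(.*) on the LinOTP vhost, which matches any path beginning with /oid (such as /oidentity), and, as an assumption of this example rather than a rule from the page, a tightened variant ^/oid/([^/]+)$ that only rewrites a single path segment. The rewrite() helper, the STRICT_RULES list and the host names are constructed for illustration; mod_rewrite itself is not involved.

```python
import re
from typing import List, Optional, Pattern, Tuple

# One entry per RewriteRule: (virtual host it is configured on, pattern, substitution).
# Patterns and substitutions are taken from the two Apache snippets above;
# "$1" becomes "\1" in Python's re.sub syntax.
RuleSet = List[Tuple[str, Pattern, str]]

REWRITE_RULES: RuleSet = [
    # LinOTP vhost:   RewriteRule ^/oid(.*) /openid/id$1 [R]
    ("linotpserver", re.compile(r"^/oid(.*)"), r"/openid/id\1"),
    # identities.com:80 vhost:   RewriteRule ^/(.*) https://linotpserver/openid/id/$1 [R]
    ("identities.com", re.compile(r"^/(.*)"), r"https://linotpserver/openid/id/\1"),
]

# Assumed tightened variant (not from the page): only /oid/<one segment> is rewritten,
# so paths like /oidentity or /oid/alice/extra are left alone.
STRICT_RULES: RuleSet = [
    ("linotpserver", re.compile(r"^/oid/([^/]+)$"), r"/openid/id/\1"),
    ("identities.com", re.compile(r"^/([^/]+)$"), r"https://linotpserver/openid/id/\1"),
]


def rewrite(host: str, path: str, rules: RuleSet = REWRITE_RULES) -> Optional[str]:
    """Return the redirect target the first matching rule for `host` yields,
    or None when no rule matches (the request would be served unchanged)."""
    for rule_host, pattern, replacement in rules:
        if rule_host != host:
            continue
        if pattern.search(path):
            return pattern.sub(replacement, path, count=1)
    return None


if __name__ == "__main__":
    # Constructed sample requests; usernames are made up.
    samples = [
        ("linotpserver", "/oid/alice"),
        ("linotpserver", "/oidentity"),
        ("linotpserver", "/openid/id/alice"),
        ("identities.com", "/alice"),
        ("identities.com", "/alice/extra"),
    ]
    for host, path in samples:
        print(f"{host}{path:<18} page rules -> {rewrite(host, path)!s:<45} "
              f"strict -> {rewrite(host, path, STRICT_RULES)}")
```

Run it once with the rules exactly as configured and once with the stricter set; the difference in the /oidentity and /alice/extra rows is the behaviour to decide on before enabling the rules on a production vhost.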