=========================
LinOTP as OpenID Provider
=========================

Starting with version 2.4 LinOTP can work as an Identity Provider for OpenID. 
The data of the identity provider are stored in an SQL database.
You need to specify the database URL in the linotp.ini file::
   
   linotpOpenID.sql.url = mysql://linotp:test123!@localhost/LinOTP

If you do not specify this URL, the token database is used as default.

The users may authenticate with their identity in the form:

	https://linotpserver/openid/id/<user@realm>

The users will be redirected to 

	https://linotpserver/openid/login

to authenticate to LinOTP. Their authentication is stored within a cookie, which lifetime can be configured with 
``/etc/linotp2/linotp.ini`` using the parameter::
 
  linotpOpenID.CookieExpire = 3600 

Comfortable identity links
--------------------------

To make the OpenID identity more comfortable for your users, you may use Apache's mod_rewrite module.
To use the identity like https://linotpserver/oid/<username> add something like this to the LinOTP Apache
configuration::

      RewriteEngine on 
      RewriteLog  /var/log/apache2/rewrite.log 
      RewriteRule ^/oid(.*)   /openid/id$1    [R] 

If you want to make it even easier, you should add a second FQDN e.g. in the default configuration of your Apache. 
Let us assume, your LinOTP runs on https://linotpserver but the
server also listens on http://identities.com.

Then you can add the following rewrite rule to the configuration of identities.com:80::

      RewriteEngine on 
      RewriteLog  /var/log/apache2/rewrite.log 
      RewriteRule ^/(.*)   https://linotpserver/openid/id/$1    [R] 

Now your users can use the identities like::

	identities.com/<username>