15. LinOTP as OpenID Provider¶

Starting with version 2.4 LinOTP can work as an Identity Provider for OpenID. The data of the identity provider are stored in an SQL database. You need to specify the database URL in the linotp.ini file:

linotpOpenID.sql.url = mysql://linotp:test123!@localhost/LinOTP

If you do not specify this URL, the token database is used as default.

The users may authenticate with their identity in the form:

https://linotpserver/openid/id/<user@realm>

The users will be redirected to

https://linotpserver/openid/login

to authenticate to LinOTP. Their authentication is stored within a cookie, which lifetime can be configured with /etc/linotp2/linotp.ini using the parameter:

linotpOpenID.CookieExpire = 3600

15.1. Comfortable identity links¶

To make the OpenID identity more comfortable for your users, you may use Apache’s mod_rewrite module. To use the identity like https://linotpserver/oid/<username> add something like this to the LinOTP Apache configuration:

RewriteEngine on
RewriteLog  /var/log/apache2/rewrite.log
RewriteRule ^/oid(.*)   /openid/id$1    [R]

If you want to make it even easier, you should add a second FQDN e.g. in the default configuration of your Apache. Let us assume, your LinOTP runs on https://linotpserver but the server also listens on http://identities.com.

Then you can add the following rewrite rule to the configuration of identities.com:80:

RewriteEngine on
RewriteLog  /var/log/apache2/rewrite.log
RewriteRule ^/(.*)   https://linotpserver/openid/id/$1    [R]

Now your users can use the identities like:

identities.com/<username>

15. LinOTP as OpenID Provider¶

15.1. Comfortable identity links¶

Table of Contents

Search