IBM Tivoli Federated Identity Manager, Version 6.2.1

OpenID login

The Tivoli® Federated Identity Manager consumer presents a login form that asks the user for the OpenID URL. The form can submit to the Tivoli Federated Identity Manager consumer login endpoint with either the POST or the GET method. The request can carry additional parameters besides the OpenID URL if required.

Tivoli Federated Identity Manager supports:

Note: The login method used by the Tivoli Federated Identity Manager consumer is the same whether it accesses a Tivoli Federated Identity Manager identity provider or another identity provider.

For example, consider the following deployment scenario:

Figure 1 shows a sample login form for this example.

Figure 1. Simple OpenID login form
<html>
  <form method="post" 
  action="https://www.example.com/FIM/sps/openidfedsp/openid/login">
    <img src="login-bg.gif" />&nbsp;
    <input type="text" name="openid_identifier" />&nbsp;
    <input type="submit" value="Login" />
  </form>
</html>

The Tivoli Federated Identity Manager service provider completes the following steps:

  1. Reads the openid_identifier parameter
  2. Performs the authentication flow specified for OpenID Authentication 2.0
  3. Performs an External Authentication Interface (EAI) login to WebSEAL

After a successful checkid_immediate or checkid_setup response, the Tivoli Federated Identity Manager consumer calls the trust service to perform any required attribute or user identity manipulation.

During the login process, the consumer can request attributes from the identity provider by specifying additional parameters in the login form. The parameters must correspond to the parameter names described in the OpenID Simple Registration Extension 1.0. You can also use other supported specifications such as Simple Registration Extension 1.1, Attribute Exchange 1.0 and Private Personal Identifier Generator 1.0.

For example, Figure 2 shows a login form that accomplishes the following requirements using Simple Registration Extension:

Figure 2. OpenID login form with registry extension parameters
<html>
  <form method="post" 
  action="https://www.example.com/FIM/sps/openidfedsp/openid/login">
    <input type="hidden" name="openid.sreg.required"
     value="email,dob" />
    <input type="hidden" name="openid.sreg.optional"
     value="fullname" />
    <input type="hidden" name="openid.sreg.policy_url"
     value="http://www.example.com/privacy_policy.html" />
    <img src="login-bg.gif" />&nbsp;
    <input type="text" name="openid_identifier" />&nbsp;
    <input type="submit" value="Login" />
  </form>
</html>

When these parameters are present in the login request, Tivoli Federated Identity Manager sends them to the identity provider. This action is done during checkid_immediate and checkid_setup requests.

The parameters do not have to be hidden form fields, and they do not have to be supplied as a single comma-separated list.

The parameters can be multi-valued attributes. Multi-valued attributes let the page present the user with radio buttons, list boxes, or other multi-valued widgets in the HTML. Tivoli Federated Identity Manager treats each submitted value as a comma-separated list, so multiple values that each consist of a single entry are also allowed.

You can implement login with automatic redirection to a specified URL. When WebSEAL is the point of contact server, the rules for processing EAI authentication apply. You can include an optional TARGET parameter in the login form to redirect the user after successful authentication.
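As an added example (not Tivoli Federated Identity Manager code), the following Python shows how a consumer login endpoint could process a form like Figure 2 according to the two paragraphs above: it merges multi-valued openid.sreg.required and openid.sreg.optional fields into the comma-separated lists sent to the identity provider, and it honours an optional TARGET only when it points back at the consumer's own host. The sample request body, the SREG field list and CONSUMER_HOST are assumptions made for the example.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed POST body (not from the page): the Figure 2 form with openid.sreg.required
# submitted twice (e.g. two check boxes) and openid.sreg.optional as one comma-separated value.
SAMPLE_BODY = (
    "openid_identifier=https%3A%2F%2Fexample.org%2Falice"
    "&openid.sreg.required=email&openid.sreg.required=dob"
    "&openid.sreg.optional=fullname%2Cemail"
    "&TARGET=https%3A%2F%2Fwww.example.com%2Fportal%2Fhome"
)
# Attribute names defined by Simple Registration Extension 1.0 / 1.1.
SREG_FIELDS = {"nickname", "email", "fullname", "dob", "gender",
               "postcode", "country", "language", "timezone"}
CONSUMER_HOST = "www.example.com"  # assumed host of the consumer login endpoint

def merge_values(values):
    # Each submitted value is itself a comma-separated list: flatten, drop blanks and duplicates.
    merged = []
    for value in values:
        for item in value.split(","):
            item = item.strip()
            if item and item not in merged:
                merged.append(item)
    return merged

def build_login_request(body):
    # Returns (openid_identifier, sreg parameters to forward to the IdP, TARGET or None).
    params = parse_qs(body)
    identifier = params.get("openid_identifier", [""])[0].strip()
    if not identifier:
        raise ValueError("openid_identifier is required")
    required = merge_values(params.get("openid.sreg.required", []))
    # A field already listed as required is not repeated under optional.
    optional = [f for f in merge_values(params.get("openid.sreg.optional", []))
                if f not in required]
    unknown = [f for f in required + optional if f not in SREG_FIELDS]
    if unknown:
        raise ValueError("unknown sreg field(s): " + ",".join(unknown))
    sreg = {}
    for key, fields in (("openid.sreg.required", required), ("openid.sreg.optional", optional)):
        if fields:
            sreg[key] = ",".join(fields)
    # Honour TARGET only when it points back at the consumer's own host, so the login
    # form cannot be used to send the user to an arbitrary site after authentication.
    target = params.get("TARGET", [None])[0]
    if target is not None and urlsplit(target).hostname != CONSUMER_HOST:
        target = None
    return identifier, sreg, target
```

Relative TARGET values are also dropped by the host check; accept them explicitly if your deployment relies on them.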

Template pages

The Tivoli Federated Identity Manager consumer uses several template HTML pages when processing authentication requests and errors:
