IBM Tivoli Federated Identity Manager, Version 6.2.1

OpenID Attribute Exchange Extension

Identity providers can use OpenID extensions to obtain and communicate user attributes to consumers.

The attribute exchange extension provides identity providers the ability to communicate user attributes to consumers.

The Attribute Exchange Extension (AX) protocol can be extended to accommodate varying types of attributes and multi-valued attributes. The attributes are identified by a unique URI and typically correspond to personal identity information. For more information see OpenID documentation at: http://openid.net/specs/openid-attribute-exchange-1_0.html

Attribute Exchange Extension is strictly compatible with OpenID 2.0. You can use the Simple Registration Extension (SREG), Attribute Exchange Extension, or both simultaneously. Use Attribute Exchange Extension unless you need to be compatible with older OpenID 1.1 implementations that support only SREG.

As an administrator, you can add a set of parameters to the OpenID login form posted to the login endpoint.

The example shows a login form with the following requirements:
  • Requires the e-mail address from the identity provider.
  • Optionally requests the full name, date of birth, friends, and groups.
Figure 1. Sample Attribute Exchange Extension
<form name="openidLoginForm" method="post" 
action="https://sp.example.com/FIM/sps/openidsp/openid/login">
<input name="openid.mode" type="hidden" value="checkid_setup">
<input name="openid.ax.required" type="hidden" value="axemail">
<input name="openid.ax.if_available" type="hidden" 
value="axfullname,axdob,axfriends,axgroups">
<input name="openid.ax.type.axemail" type="hidden" 
value="http://axschema.org/contact/email">
<input name="openid.ax.type.axfullname" type="hidden" 
value="http://axschema.org/namePerson">
<input name="openid.ax.type.axdob" type="hidden" 
value="http://axschema.org/birthDate">
<input name="openid.ax.type.axfriends" type="hidden" 
value="http://example.com/myschema/friends">
<input name="openid.ax.count.axfriends" type="hidden" 
value="5">
<input name="openid.ax.type.axgroups" type="hidden" 
value="http://example.com/myschema/groups">
<input name="openid.ax.count.axgroups" type="hidden" 
value="unlimited">
<input name="TARGET" type="hidden" 
value="https://sp.example.com/myapp">
<input name="openid_identifier" type="text">
<input value="OpenID Login" type="submit">
</form>
Note: If no explicit count is requested for an attribute exchange parameter, the default max count value is 1.

Tivoli® Federated Identity Manager sends the parameters to the identity provider during checkid_immediate and checkid_setup requests. The fetch message sent with the request retrieves the user's personal identity attributes. For additional information about fetch messages, see the OpenID documentation: http://openid.net/specs/openid-attribute-exchange-1_0.html#fetch

Attribute Exchange Extension fetch request parameters

The Attribute Exchange Extension supports an information model that combines a subject identifier, an attribute type identifier, a count, and a value. Including the additional parameters attaches an Attribute Exchange Extension fetch request to a standard authentication request. To enable the consumer to retrieve information from the identity provider, specify the following form field parameters in the login form.

openid.ax.required
Fetches required attributes from the identity provider. The value is a list of aliases, which are labels that represent individual attributes at the identity provider. Bind each alias to a URI that identifies the attribute in a separate openid.ax.type.alias parameter. (Optional)
openid.ax.if_available
Fetches attributes only if they are available from the identity provider. The value has the same requirements as openid.ax.required. (Optional)
Note: You must specify either openid.ax.required or openid.ax.if_available in the request. Each requested attribute alias must have an associated openid.ax.type.alias parameter.
openid.ax.type.alias
Binds the alias to a URI that defines the meaning of the attribute. You must specify a parameter for each alias specified in either openid.ax.required or openid.ax.if_available. (Optional)
Many typical attributes already have defined type URIs at http://www.axschema.org/types/
openid.ax.sendalways
Includes OpenID Attribute Exchange Extension information in every authentication request to the identity provider. By default, the consumer runtime sends Attribute Exchange Extension request information only if the identity provider advertises Attribute Exchange Extension support in its XRDS document. The default value is false. (Optional)

Attribute Exchange Extension fetch response parameters

After access is granted at the identity provider, a fetch response message supplies the information that was asked for in the fetch request parameters. The following optional fetch response parameters carry the personal attributes retrieved from the identity provider.

openid.ax.type.alias
Specifies the URI type for the fetched attribute identified by alias. (Optional)
openid.ax.count.alias
Returns the number of values supplied for the attribute that corresponds to alias. If no count is specified, only one value is returned.
openid.ax.value.alias
Assigns a value specified for the attribute that corresponds to alias. (Optional)
openid.ax.value.alias.number
Assigns one of several values for the attribute that corresponds to alias. This parameter is required if openid.ax.count.alias is sent and at least one value is configured for the associated attribute. Send a separate parameter for each value of the alias, numbered consecutively.
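The following consumer-side check is an added example, not code from Tivoli Federated Identity Manager, showing how the fetch request in Figure 1 and the fetch response parameters above fit together: each returned attribute is accepted only under the type URI that was requested for its alias, the returned count is held to the requested maximum (default 1, or unlimited), and the numbered value parameters are assumed to start at 1. The response dictionary is constructed for the example.

```python
# Request as sent by the sample login form above (constructed from Figure 1).
FETCH_REQUEST = {
    "required": ["axemail"],
    "if_available": ["axfullname", "axfriends", "axgroups"],
    "type": {"axemail": "http://axschema.org/contact/email",
             "axfullname": "http://axschema.org/namePerson",
             "axfriends": "http://example.com/myschema/friends",
             "axgroups": "http://example.com/myschema/groups"},
    "count": {"axfriends": 5, "axgroups": "unlimited"},  # others default to 1
}

# Constructed fetch response: one e-mail, two friends, no groups, no full name.
FETCH_RESPONSE = {
    "openid.ax.type.axemail": "http://axschema.org/contact/email",
    "openid.ax.value.axemail": "alice@example.com",
    "openid.ax.type.axfriends": "http://example.com/myschema/friends",
    "openid.ax.count.axfriends": "2",
    "openid.ax.value.axfriends.1": "bob",
    "openid.ax.value.axfriends.2": "carol",
    "openid.ax.type.axgroups": "http://example.com/myschema/groups",
    "openid.ax.count.axgroups": "0",
}

def _field(params, key):
    if key not in params:
        raise ValueError(f"fetch response is missing {key}")
    return params[key]

def parse_fetch_response(params, request):
    """Return {alias: [values]} for supplied attributes, else raise ValueError."""
    result = {}
    for alias in request["required"] + request["if_available"]:
        type_uri = params.get(f"openid.ax.type.{alias}")
        if type_uri is None and alias not in request["required"]:
            continue  # optional attribute the identity provider did not supply
        # The alias is only a consumer-chosen label; the type URI carries the meaning.
        if type_uri != request["type"][alias]:
            raise ValueError(f"{alias}: type URI missing or differs from request")
        if f"openid.ax.count.{alias}" in params:
            n = int(params[f"openid.ax.count.{alias}"])
            limit = request["count"].get(alias, 1)  # default max count is 1
            if limit != "unlimited" and n > limit:
                raise ValueError(f"{alias}: {n} values exceed requested {limit}")
            values = [_field(params, f"openid.ax.value.{alias}.{i}") for i in range(1, n + 1)]
        else:
            values = [_field(params, f"openid.ax.value.{alias}")]
        if alias in request["required"] and not values:
            raise ValueError(f"{alias}: required attribute returned no value")
        result[alias] = values
    return result
```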

