Customize the OpenID Forms Credential Collector

Single Sign-On Service › SSO Getting Started Guide › SSO using a Third-party IdP and Self-registration › Configure and Apply an OpenID Authentication Scheme › Customize the OpenID Forms Credential Collector

Customize the OpenID Forms Credential Collector

A sample OpenID FCC is included with the product. The FCC is required to let users authenticate by:

Entering an OpenID provider user name.
Entering a complete OpenID identifier.

By default, the FCC presents numerous OpenID providers. Contact the administrator and instruct them to display only those providers that the protected application supports by modifying the FCC.

Follow these steps:

Log in to the cloud host system.
Go to the following location:
<sps home>/proxy-engine/examples/siteminderagent/forms

Where <sps_home> specifies the SPS installation path. SPS is part of the CA CloudMinder product.
Open the following file with a text editor:
```
openid.fcc
```
Review the FCC. Determine if the OpenID providers you require are available or if you have to add a profile. The default providers are located in the following sections:
```
var providers_large
var providers_small
```
Remove the unnecessary providers from the FCC by commenting them. Begin the comment at the provider name. End the comment at the end of the profile.
Example:
```
/*google : {
```
```
name : 'Google',
url : 'https://www.google.com/accounts/o8/id'
```
```
},*/
```
If you have to add a provider, locate the custom provider ID in either the large or small provider sections:
Example:
```
}/*,
myprovider : {
```
```
name : 'MyProvider',
label : 'Enter your provider username',
url : 'http://ca.com/{username}/',
image : 'images/image.png'
```
```
}*/
```
Note: The separate provider sections correspond to the sizes of provider icons that the FCC displays:
- The supported size of an icon in the large section is 100 pixels by 60 pixels. The FCC can display up to five large icons.
- The supported size of an icon in the small section is 24 pixels by 24 pixels. The FCC can display up to 11 small icons.
1. Add the new provider by removing the following characters:
```
/*
*/
```
2. Update the label and name values. The label value determines the text that the user sees after clicking the provider icon.
  Example:
```
myprovider : {
name : 'Foward Inc',
label : 'Enter your Forward Inc user name',
url : 'http://ca.com/{username}/',
image : 'images/image.png'
}
```
  Note: Forward, Inc. is a fictitious company name that is used strictly for instructional purposes only and is not meant to reference an existing company.
3. Update the URL value. The URL value represents the OpenID user identifier. The Policy Server forwards the user identifier to the OpenID provider.
  Example:
```
myprovider : {
name : 'Foward Inc',
label : 'Enter your Forward Inc user name',
url : 'http://{username}.forwardinc.com/'
image : 'images/image.png'
}
```
4. Update the image value. The image value represents the location of the provider icon that the FCC is to display.
  Example:
```
myprovider : {
name : 'Foward Inc',
label : 'Enter your Forward Inc user name',
url : 'http://{username}.forwardinc.com/'
image : 'images/forwardinc.png'
}
```
By default, the FCC displays the provider icons in the order in which the provider ID is configured and enabled in the FCC. If you want to change the icon order, adjust the order of the provider IDs accordingly.
Important! The default provider IDs include the following image index property:
```
imageidx
```
Do not remove or change the property. The property verifies that the FCC displays the correct provider icon.
Save the script.
Restart the web server.

Modify the OpenID Provider Configuration File

The product provides an OpenID provider configuration file. The file must reference the configuration details of each provider that the protected application supports. If the file does not include the correct settings, authentication fails.

By default, the file includes sample settings for all of the providers that the OpenID FCC makes available. Review the sample settings and modify them as required.
Important! The values are samples only. We recommend that you verify all configuration settings with your OpenID provider before deploying the authentication scheme.
If you added a provider to the FCC, add configuration settings for the provider.

Follow these steps:

Log in to the Policy Server host system.
Go to the following location:
```
siteminder_home\config\properties
```
siteminder_home

Specifies the Policy Server installation path.
Do one of the following steps:
- Open the default provider configuration file:
```
Openidproviders.xml
```
- Create another instance by copying the default configuration file. Each OpenID authentication scheme that you configure can use its own provider configuration file.
  Example: You can enable Federal Identity, Credential, and Access Management (ICAM) compliance for one instance of the authentication scheme and can disable ICAM compliance for another.
Review the file and determine if the OpenID provider settings you require are available or if you have to add settings.
If you have to add settings, complete the following steps:
1. Copy an existing OpenID provider node and all of its child nodes. All required and optional nodes are included within the following nodes:
```
<OpenIDProvider>
</OpenIDProvider>
```
2. Add the new OpenID provider node and all of its child nodes to the following root node:
```
<TrustedOpenIDProviders>
</TrustedOpenIDProviders>
```
Configure the settings for each provider that the authentication scheme is to support using the following node descriptions:

OpenIDProvider RequestType="value"

Indicates the beginning of the configuration settings for a provider.

RequestType

(Optional) Specifies the schema type that the provider supports.

Valid values: ax or sreg.

Default: ax.

ProviderName

Specifies the URL of the OpenID provider hosting the service. The value can include a comma–separated list of provider URLs.

Required Claims

Specifies the claims that the OpenID provider returns as part of the authentication request. If the provider cannot provide all of the required claims, authentication fails. This node requires at least one claim node.

Claim

Defines an individual required claim.

URI

Specifies the URI form of the OpenID provider claim. The Policy Server constructs the authentication request using this value.

Important! Verify that the value of the first required claim maps to a user attribute in your user directories. The Policy Server determines the value of the first required claim that is based on the provider authentication response. The Policy Server then searches all user directories in the policy domain for a user that matches the claim value. If the Policy Server cannot map the claim value to a user attribute, authentication fails.

Value: The value must adhere to the type of schema that the provider supports.

Alias

(Optional) Defines the user-friendly name of the URI node value and prevents the URI from being stored or referenced. The system uses the alias to identify the claim.

Value: Any string.

Example: Instead of storing a URI that returns the first name of users in the session store, the system can reference the claim name as fullname.

Note: The system appends the following prefix to an alias that is stored in the session store:

smopenidclaim

Optional Claims

(Optional) Specifies the optional claims that the OpenID provider is to return as part of the authentication request. If the provider cannot provide an optional claim, authentication does not fail. This node requires at least one claim node.

Pape

(Optional) Defines the properties that ICAM compliance requires. If you are configuring the authentication scheme for ICAM compliance, this node and all child nodes are required.

max_auth_age

(Optional) Specifies the time for which the OpenID provider user session is valid. If the user session is valid, the OpenID provider authenticates the user for a protected resource using a provider–specific cookie. If the session expires, the user is prompted to reauthenticate.

Unit of measurement: seconds.

Default: 0.

If you leave the default value, the user must authenticate against the OpenID provider, regardless of a valid session.

Value: The value must be a positive integer.

Policies

(Optional) Specifies a comma–separated list of the ICAM policies to which the OpenID provider must adhere. If the provider does not adhere to the compliance level, authentication fails.
Save and close the file.