OpenID Delegation on WordPress

August 17th 2008 12:49 pm

Thanks to Gary Krall, tech director of PIP at Verisign, I have a recipe for “works every time” OpenID delegation with their free PIP service. First, what is OpenID delegation?

Delegation lets you use your very own URL as your identity URL for logging in with OpenID. For example, I can use http://www.cryptosmith.com/ to log in to web sites. To do this, you have to provide some special statements (a.k.a. magic) in your HTML pages that redirect the OpenID process from your web site to the service that actually does your OpenID authentication.

Here are Gary’s redirection statements. They are tailored to work with Verisign Labs’ PIP:

<link rel="openid.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://username.pip.verisignlabs.com" />
<link rel="openid2.provider" href="http://pip.verisignlabs.com/server" />
<link rel="openid2.local_id" href="http://username.pip.verisignlabs.com" />
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/username/yadisxrds" />

Go through and substitute your own user name wherever username appears (it is a placeholder). The username is usually your login name at PIP and, if you don’t delegate, it is the first element of the OpenID login domain name (a suffix on pip.verisignlabs.com). If you want, you can create multiple names/suffixes at PIP. This can be useful - look at my comments below on Multiple Logins. However, you get the same effect directly through delegation (see below).

Now, you have to place the five statements above in the <head> section of your web page. Thus, when you try to log in somewhere and the site fetches the page, it sees the redirection statements. If you know how to construct HTML from scratch, you can just build an HTML “index” page that includes these statements, and log in with a URL that goes to that page.
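As an added example (not code from the original post), here is a small Python check that reads a page the way a relying party does: it pulls the four "link rel" statements and the X-XRDS-Location meta out of <head> and confirms that all five are present and agree with each other, which is the usual way a delegation setup silently fails. The sample <head> is constructed here, with "alice" standing in for the username placeholder.

```python
from html.parser import HTMLParser

# Constructed sample <head>: the post's five statements with "alice" in place of username.
SAMPLE_HEAD = """<html><head><title>Blog</title>
<link rel="openid.server" href="http://pip.verisignlabs.com/server" />
<link rel="openid.delegate" href="http://alice.pip.verisignlabs.com" />
<link rel="openid2.provider" href="http://pip.verisignlabs.com/server" />
<link rel="openid2.local_id" href="http://alice.pip.verisignlabs.com" />
<meta http-equiv="X-XRDS-Location" content="http://pip.verisignlabs.com/user/alice/yadisxrds" />
</head><body><p>No tags down here count.</p></body></html>"""
OPENID_RELS = ("openid.server", "openid.delegate", "openid2.provider", "openid2.local_id")
REQUIRED = OPENID_RELS + ("x-xrds-location",)

class DelegationParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.found, self.in_head = {}, False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): v for k, v in attrs if v is not None}
        if tag == "head":
            self.in_head = True
        if not self.in_head:
            return  # only statements inside <head> are honoured
        if tag == "link" and "rel" in a and "href" in a:
            for rel in a["rel"].lower().split():  # rel may carry several tokens
                if rel in OPENID_RELS:
                    self.found.setdefault(rel, a["href"])  # first occurrence wins
        elif tag == "meta" and a.get("http-equiv", "").lower() == "x-xrds-location":
            self.found.setdefault("x-xrds-location", a.get("content", ""))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def parse_delegation(html):
    """Return the delegation statements found in the page's <head>."""
    p = DelegationParser()
    p.feed(html)
    return p.found

def check_delegation(found):
    """Return problems found; an empty list means all five are present and agree."""
    problems = ["missing " + k for k in REQUIRED if k not in found]
    if not problems:
        if found["openid.server"] != found["openid2.provider"]:
            problems.append("openid.server and openid2.provider differ")
        if found["openid.delegate"] != found["openid2.local_id"]:
            problems.append("openid.delegate and openid2.local_id differ")
    return problems
```

Run it against the HTML your blog actually serves (after clearing any page cache) rather than against the theme file, since that is what the relying party sees.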

If you want to hook this to your WordPress blog, you have to put it in your blog page headers. Don’t worry - it won’t show up as text - it is part of the hidden contents of your blog pages.

There are several ways to modify the headers for your WordPress blog to include these statements. What I did was modify the theme file. The advantage of this: the customization doesn’t disappear when you upgrade WordPress. On the other hand, you’ll have to redo this if you upgrade your theme.

How to insert the statements into your Theme

Here is how I did it:

  1. Go to the Dashboard and click on the Design tab, and under it select Theme Editor. This will give you an editing window, and a list of theme files down the right side of the page.
  2. Find the Header file (header.php) among the Templates. It should be half way down the list. Click on the Header file in the list to select it.
  3. The Header file will appear in the editing window. Midway through the file is a list of “link rel” statements similar to the ones you want to add.
  4. Insert a blank line right before the last “link rel” statement. Insert it between the existing lines. Be sure that it is right before an opening bracket “<”.
  5. Insert the five statements (4 “link rel” statements and 1 “meta http-equiv” statement) into the file.
  6. Be sure to modify the username to give your user name.
  7. Save the modified Header.
  8. If you are using a cache, erase the saved pages.
  9. Try logging in somewhere with your URL.

Why have multiple logins?

Of course I have administrative rights to my own blog. In practice, however, I generally log in as a less-privileged author for writing blog entries. This is based on the least privilege security concept. I don’t need administrative rights for most things I do on my blog. I only log in as administrator when I really need to do administrative tasks.

To do this, I have two logins at every blog I administer - one for authoring and one for administering. To do this with OpenID, I have two separate OpenID identifiers.

At PIP, I’ve set up a couple of extra OpenID names that I use for this. When I’m logged in to PIP, the system will automatically log me in whenever I use one of those names.

This gets even easier with delegation. You can set up different login names at your web site and funnel them all to the same OpenID.

For More Information

Here are links to other blog entries about redirection and OpenID on WordPress

Posted under Information Security
