OpenID Connect

At work I’ve been doing a ton of Single Sign On, SAML, and certificate based authentication. I wanted to try that out for my own personal use. It turned out to be much easier than I expected.

I’ve already blogged here about updating my site certificates using StartCom SSL. Another free service they offer is an OpenID Connect certificate.

The process is actually pretty straight forward.

To get started with StartCom in the first place you have to download a client side certificate into your web browser. This is a file that you must keep on your computer and must protect. When your web browser connects to StartCom services it presents this certificate and says “Here I am”. Since you should be the only person with that certificate StartCom can say “OK, come on in”.

This is nice because you don’t have to remember a username and password. The downside is that you have to keep this certificate handy to load it onto each machine you connect from. An encrypted USB key can be handy for this. You have to figure out how to make your Operating System and Browser combination present this certificate as an identity cert. Often this is an advanced setting in the browser that allows you to import an Identity Certificate.

OpenID Connect takes this to the next step.

StartCom knows who I am and knows my certificate. As a provider of web services (bbbburns.com WordPress) I can make the decision to allow in certain users that an OpenID provider has authenticated. I downloaded the WordPress OpenID plugin, and tied my ID of bbbburns.startssl.com to my WordPress account.

When I login to my own WordPress site now I can just type in “bbbburns.startssl.com” as the user and hit Login. The site redirects me to startssl.com for authentication using my client certificate. If successful, I get redirected back to bbbburns.com with an authentication assertion. Since bbbburns.startssl.com is tied to my WordPress account on the server I’m automatically logged in as this user.

The setup for all of this took just a few minutes!