
OpenID: Single Sign On for the Web?: Page 3 of 6

Why, then, so much attention on such a small framework? As mentioned, a major component is its decentralized nature. Because no organizational body "owns" OpenID, major players can implement its specifications any way they like and add their own authentication mechanisms. OpenID also has low integration costs because the software is free, and there's a growing community of open-source developers ready to add features and functionality.

In addition, Web 2.0 sites thrive on user participation—owners hoping to stimulate active communities know they need to make it as easy as possible to access and consume resources. A common identity system also relieves Web sites of the burden of managing user identities, including dealing with forgotten passwords.

How It Works

OpenID 2.0 has three basic elements: a user with a Web browser (User Agent); a Relying Party (the Web site the user wants to log in to); and an OpenID Provider, which asserts that the user owns a particular URL. The OpenID Provider may also possess a variety of identity elements, such as a user's name, date of birth, e-mail address and so on (see diagram, //TK location//). When a User Agent signs in to a Web site with an Identifier (a URL), the Relying Party contacts the OpenID Provider for an assertion that the user owns the Identifier. Messages are exchanged using HTTP POST and GET. OpenID relies on Diffie-Hellman key exchange for the Relying Party and OpenID Provider to negotiate a shared secret used to sign their communications.

When a Relying Party contacts the OpenID Provider, the OpenID Provider asks the user to authenticate, and then confirms which identity information it should send to the Relying Party. If the user consents to provide the identity elements requested by the Relying Party, the OpenID Provider sends them. The Relying Party processes the elements, and the user is logged in.
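The association and signed-assertion exchange described in the two paragraphs above, as an added Python example that is not code from the article or from any OpenID library. It assumes a small demo Diffie-Hellman prime in place of the 1024-bit default modulus the OpenID 2.0 spec defines, the HMAC-SHA1 association type, and constructed sample URLs and a constructed nonce; the Relying Party side also checks the return_to URL and rejects a replayed nonce, which is what a defender wants the verification step to do.

```python
import base64
import hashlib
import hmac
import secrets

# Demo DH parameters (assumption: a Mersenne prime stands in for the
# spec's 1024-bit default modulus; these are NOT the OpenID 2.0 values).
DEMO_P = (1 << 127) - 1
DEMO_G = 2


def btwoc(n: int) -> bytes:
    """Big-endian two's-complement encoding of a non-negative integer (OpenID 'btwoc')."""
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return b"\x00" + b if b[0] & 0x80 else b


def kv_form(fields: dict) -> bytes:
    """Key-Value Form encoding that the signature covers: 'key:value\\n' per field, in order."""
    return "".join(f"{k}:{v}\n" for k, v in fields.items()).encode()


def dh_keypair(p: int = DEMO_P, g: int = DEMO_G):
    """Fresh DH private exponent and public value."""
    priv = secrets.randbelow(p - 2) + 1
    return priv, pow(g, priv, p)


def op_associate(rp_public: int, p: int = DEMO_P, g: int = DEMO_G):
    """OpenID Provider side of an association: derive the shared secret, pick a MAC key,
    and return it XOR-masked with SHA1(btwoc(shared)) together with an association handle."""
    op_priv, op_public = dh_keypair(p, g)
    shared = pow(rp_public, op_priv, p)
    mac_key = secrets.token_bytes(20)  # HMAC-SHA1 association type
    mask = hashlib.sha1(btwoc(shared)).digest()
    enc_mac_key = bytes(a ^ b for a, b in zip(mac_key, mask))
    handle = secrets.token_hex(8)
    response = {"dh_server_public": op_public, "enc_mac_key": enc_mac_key, "assoc_handle": handle}
    return mac_key, handle, response


def rp_recover_mac_key(rp_priv: int, response: dict, p: int = DEMO_P) -> bytes:
    """Relying Party side: compute the same shared secret and unmask the MAC key."""
    shared = pow(response["dh_server_public"], rp_priv, p)
    mask = hashlib.sha1(btwoc(shared)).digest()
    return bytes(a ^ b for a, b in zip(response["enc_mac_key"], mask))


def sign_kv(mac_key: bytes, fields: dict, signed_names: list) -> str:
    """Base64 HMAC-SHA1 over the Key-Value Form of the listed fields."""
    msg = kv_form({k: fields[k] for k in signed_names})
    return base64.b64encode(hmac.new(mac_key, msg, hashlib.sha1).digest()).decode()


def op_sign_assertion(mac_key: bytes, fields: dict) -> dict:
    """OpenID Provider side: produce a signed positive assertion (adds 'signed' and 'sig')."""
    fields = dict(fields)
    signed_names = list(fields) + ["signed"]  # the list names itself, as common libraries do
    fields["signed"] = ",".join(signed_names)
    fields["sig"] = sign_kv(mac_key, fields, signed_names)
    return fields


def rp_verify_assertion(mac_key: bytes, assertion: dict, expected_return_to: str, seen_nonces: set) -> bool:
    """Relying Party side: check required signed fields, return_to, nonce freshness, and the MAC."""
    signed_names = assertion.get("signed", "").split(",")
    for required in ("op_endpoint", "return_to", "response_nonce", "assoc_handle"):
        if required not in signed_names:
            return False
    if any(k not in assertion for k in signed_names):
        return False
    if assertion["return_to"] != expected_return_to:
        return False
    if assertion["response_nonce"] in seen_nonces:
        return False  # replayed assertion
    expected = sign_kv(mac_key, assertion, signed_names)
    if not hmac.compare_digest(expected, assertion.get("sig", "")):
        return False
    seen_nonces.add(assertion["response_nonce"])
    return True


def demo():
    """Run one association plus one assertion; returns (keys_match, accepted, replay_accepted, forgery_accepted)."""
    rp_priv, rp_pub = dh_keypair()
    op_mac, handle, resp = op_associate(rp_pub)
    rp_mac = rp_recover_mac_key(rp_priv, resp)
    # Constructed sample values for the positive assertion.
    fields = {
        "op_endpoint": "https://op.example/endpoint",
        "return_to": "https://rp.example/return",
        "response_nonce": "2008-01-01T00:00:00Zdemo0001",
        "assoc_handle": handle,
        "claimed_id": "https://alice.example/",
        "identity": "https://alice.example/",
    }
    assertion = op_sign_assertion(op_mac, fields)
    seen = set()
    accepted = rp_verify_assertion(rp_mac, assertion, fields["return_to"], seen)
    replayed = rp_verify_assertion(rp_mac, assertion, fields["return_to"], seen)
    forged = dict(assertion, identity="https://someone-else.example/")
    forgery = rp_verify_assertion(rp_mac, forged, fields["return_to"], set())
    return rp_mac == op_mac, accepted, replayed, forgery


if __name__ == "__main__":
    print(demo())  # expected: (True, True, False, False)
```

The Relying Party never sees the MAC key on the wire: both sides derive the same Diffie-Hellman secret, and only the masked key travels. Changing any signed field (the identity here) or presenting the same response_nonce twice fails verification, which is the check that keeps an intercepted assertion from being reused.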