OpenID ICAM Settings Page

This module extends Drupal's core OpenID support to meet the requirements of the GSA/ICAM OpenID 2.0 Profile.

US Government websites wishing to accept OpenID logins for LOA 1 transactions must:

  • only accept credentials from Certified Identity Providers, and
  • ensure that web sites and applications accepting these credentials are configured to use the GSA/ICAM OpenID profile.

OpenID ICAM Extension provides this extra functionality in one module, designed to work "out of the box" with the default configuration.

For most sites that are running with a valid SSL certificate, the module can simply be installed and enabled, and OpenID logins for that site will then be in compliance.

Features / Technical Description

In its default configuration, the module will ensure that the OpenID transaction meets the requirements specified in the profile and will do the following:

  • Validate that the user enters an IdP URL from the ICAM-approved list
    of providers (the list itself is set on the module configuration page)
  • Alter OpenID forms to use a new return_to URL (openid/authenticate_icam instead of openid/authenticate)
  • Publish the new OpenID return_to URL in an XRDS document as http://specs.openid.net/auth/2.0/return_to (required for RP discovery), using XRDS_Simple module
  • Add PAPE parameters to the OpenID request for preferred_auth_policies and/or max_auth_age (using hook_openid() )
  • Accept the openid_authenticate_icam response and validate that it meets the ICAM requirements:
    • The OpenID Provider (OP) response was using a secure transport (https://)
    • All of the PAPE required_auth_policies in the request were returned by the OP.
  • The module is fully configurable, including the ability to disable or enable each of the above features, and to log OpenID Request/Response for troubleshooting.
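As an added illustration (not the module's own code), the request and response sides of the PAPE handling listed above can be expressed with Drupal's hook_openid() plus a small check function; the module name icam_example, the policy URI, the max_auth_age value and the choice to test openid.return_to for the transport check are assumptions:

```php
<?php
// Added example, not part of the OpenID ICAM Extension module.
// PAPE 1.0 namespace and the request/response keys are from the PAPE spec.
define('ICAM_EXAMPLE_PAPE_NS', 'http://specs.openid.net/extensions/pape/1.0');

/**
 * Implements hook_openid().
 *
 * Returns only the parameters to add; Drupal merges them into the request.
 */
function icam_example_openid($op, $request) {
  $added = array();
  if ($op == 'request') {
    // Assumed policy list; the real module takes this from its settings page.
    $policies = array(
      'http://schemas.openid.net/pape/policies/2007/06/phishing-resistant',
    );
    $added['openid.ns.pape'] = ICAM_EXAMPLE_PAPE_NS;
    $added['openid.pape.preferred_auth_policies'] = implode(' ', $policies);
    // Assumed: the user must have authenticated at the OP within the last hour.
    $added['openid.pape.max_auth_age'] = 3600;
  }
  return $added;
}

/**
 * Applies the two ICAM response checks: secure transport and echoed policies.
 *
 * @param array $response
 *   Decoded OP response (openid.* keys), as received at the return_to URL.
 * @param array $required
 *   Policy URIs that were requested and must all be returned by the OP.
 *
 * @return array
 *   Failure messages; an empty array means the response passes.
 */
function icam_example_check_response(array $response, array $required) {
  $errors = array();
  // Assumed: the return_to URL the OP delivered the assertion to must be https.
  $return_to = isset($response['openid.return_to']) ? $response['openid.return_to'] : '';
  if (strtolower((string) parse_url($return_to, PHP_URL_SCHEME)) !== 'https') {
    $errors[] = 'Response was not delivered over https: ' . $return_to;
  }
  // openid.pape.auth_policies is a space-separated list of satisfied policies.
  $returned = isset($response['openid.pape.auth_policies'])
    ? preg_split('/\s+/', trim($response['openid.pape.auth_policies'])) : array();
  foreach (array_diff($required, $returned) as $missing) {
    $errors[] = 'Requested PAPE policy not satisfied by OP: ' . $missing;
  }
  return $errors;
}
```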

Requirement: Valid SSL Certificate

A Valid SSL cert is required to meet the profile!

In addition to the extra checks this module is adding on your Drupal site's side, be aware that the OpenID Provider (e.g. Google) is going to see the PAPE requests and perform extra checks of its own. The specification says that you must be using SSL for the OpenID login session. The IdP is supposed to validate this, and prevent the login if not.

You may see errors such as "The page you requested is invalid." after you type in your OpenID provider URL when your site is not running SSL. The problem is usually that the IdP site (e.g. Google) is failing its extra checks on its side.

A self-signed developer cert, or a cert with the wrong hostname, may not work. This can really be a challenge when first implementing the module, if you wish to try it out using a test or development server before installing it on your main server. If this applies to you, there is really no alternative to you purchasing a valid SSL cert for your test server URL. This is an unfortunate limitation of the extra security.

Drupal Dependencies:

This module depends on core's OpenID, and the XRDS_Simple module.

Thanks to:

  • Mobio Technologies sponsored the initial development.
  • John Bradley provided the initial requirements and answered the many many questions during development.
  • IDManagement.gov were fearless alpha testers.
