GSA/ICAM OpenID
Government agencies wishing to accept OpenID logins must only accept credentials from Certified Identity Providers. A list of the certified providers is available at Open Identity Solutions for Open Government.
In addition, web sites and applications accepting these credentials must be configured to use the GSA/ICAM OpenID profile. This requires extensions and configuration changes to standard OpenID implementations.
A description of the GSA/ICAM OpenID profile can be found at Google discussion of GSA/ICAM OpenID profile.
Configuration instructions for using the following open-source libraries with the GSA/ICAM OpenID profile appear below:
SAML SSO
There are many commercial and open-source solutions for SAML SSO; the following is only a summary:
- List of available implementations
- SimpleSAMLphp
- OpenSSO (Java)
- OpenSAML (C++ and Java)
- SourceID
DotNetOpenAuth
This can be downloaded from http://www.dotnetopenauth.net/. The download includes samples with a web.config file containing a commented-out tag that can be uncommented to activate the ICAM profile.
In this web.config file, require SSL by setting the requireSsl flag to "true", and uncomment the tag that enables the GSA/ICAM profile. Click here for a copy of the web.config file.
OpenID4Java
To use openid4java with the ICAM profile, retrieve the latest version from http://code.google.com/p/openid4java/. A sample web application can be found in samples/simple-openid. To configure simple-openid for the ICAM profile, use SSL in all transactions as directed in the ICAM profile, and edit consumer-redirect.jsp. Click here for a copy of the consumer-redirect file.
You can add links to certified providers for the following to index.jsp:
- https://www.google.com/accounts/o8/id
- https://openid.paypal-ids.com/Start
- https://id.wave.com/server.php
The following is used for testing:
- https://test-id.org/RP/GSALevel1.aspx
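One way to enforce the certified-provider and SSL requirements on the server, before the identifier submitted from index.jsp is handed to discovery. This is an added example, not code from openid4java or its samples: the class and method names are hypothetical, the provider URLs are the ones listed above, and Java 9 or later is assumed.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example (hypothetical names): accept only identifiers on the certified list.
public class CertifiedProviderGate {
    // Provider identifiers copied from this page's list for index.jsp.
    static final Set<String> CERTIFIED = Set.of(
        "https://www.google.com/accounts/o8/id",
        "https://openid.paypal-ids.com/Start",
        "https://id.wave.com/server.php");
    // The page lists this provider for testing only, so it is gated separately.
    static final Set<String> TEST_ONLY = Set.of("https://test-id.org/RP/GSALevel1.aspx");

    /** Returns the canonical identifier to pass to discovery, or null to reject. */
    static String accept(String submitted, boolean allowTestProviders) {
        String canonical = canonicalize(submitted);
        if (canonical == null) return null;
        if (CERTIFIED.contains(canonical)) return canonical;
        if (allowTestProviders && TEST_ONLY.contains(canonical)) return canonical;
        return null;
    }

    /** Lower-cases the host, drops the default port, and rejects anything unusual. */
    static String canonicalize(String raw) {
        if (raw == null) return null;
        URI u;
        try { u = new URI(raw.trim()); } catch (URISyntaxException e) { return null; }
        if (!"https".equalsIgnoreCase(u.getScheme())) return null;  // SSL in all transactions
        if (u.getHost() == null || u.getRawUserInfo() != null) return null;  // no user@host forms
        if (u.getRawQuery() != null || u.getRawFragment() != null) return null;
        if (u.getPort() != -1 && u.getPort() != 443) return null;
        // Path comparison stays case-sensitive; only dot segments are resolved.
        return "https://" + u.getHost().toLowerCase(Locale.ROOT) + u.normalize().getRawPath();
    }

    public static void main(String[] args) {
        // Constructed inputs: listed provider, case/port variant, plain HTTP,
        // look-alike with userinfo, and the test-only provider.
        String[] samples = {
            "https://www.google.com/accounts/o8/id",
            "HTTPS://WWW.GOOGLE.COM:443/accounts/o8/id",
            "http://openid.paypal-ids.com/Start",
            "https://www.google.com@idp.example/accounts/o8/id",
            "https://test-id.org/RP/GSALevel1.aspx" };
        for (String s : samples) System.out.println(s + " -> " + accept(s, false));
    }
}
```

Pass `allowTestProviders` as true only in non-production deployments, so the test provider cannot be used to sign in to a live application.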