OpenID authentication
1.1. Authentication types
Authentication is the verification of a user's identity. 1C:Enterprise supports a number of authentication methods, which are described in this topic.
1.1.1. 1C:Enterprise authentication
Users sign in to 1C:Enterprise directly by providing credentials: a username and password. Credentials can be typed in the sign-in dialog box (for manual sign-ins) or passed as command-line parameters (for external connections and automation servers). In this method, the credentials are verified by 1C:Enterprise itself.
1.1.2. OS authentication
User authentication is delegated to the operating system. The 1C:Enterprise user must be associated with an operating system user. On startup, 1C:Enterprise sends a request to the OS over SSPI (on Windows) or GSS-API (on Linux). Then 1C:Enterprise verifies that the OS user is associated with the 1C:Enterprise user. If the verification succeeds, the user is signed in to 1C:Enterprise and the sign-in dialog is skipped.
Note. Operating system authentication is not supported if the application connects to the infobase using an Apache web server running on Windows.
The operating system user is passed in the following format: \\domain_name\username.
To force authentication by 1C:Enterprise, pass the command-line parameter WA-. To force authentication by the operating system, pass the command-line parameter WA+ (the default).
1.1.3. OpenID authentication
OpenID is a protocol that allows users to authenticate to multiple unrelated websites and applications with a single identity and password. For more details, see http://openid.net. 1C:Enterprise supports OpenID 2.0 based on Direct Identity.
Note 1. This authentication method cannot be applied to web services published from 1C:Enterprise.
Note 2. The OpenID provider must be a 1C:Enterprise infobase.
The basic authentication procedure includes the following steps:
- The user attempts to sign in to 1C:Enterprise.
- 1C:Enterprise checks file default.vrd and ensures that OpenID authentication is enabled.
- 1C:Enterprise sends a request to the OpenID provider.
- If this is the first authentication or the previous access token has expired, the user is prompted to enter the credentials. Then, 1C:Enterprise sends the identification data to the OpenID provider.
- In the web client, the authentication tokens are stored in the browser's cookies. The thin client uses a dedicated data storage.
- If the user is valid, the provider returns a value indicating that the authentication succeeded.
Only infobases accessed over HTTP or HTTPS support OpenID authentication. This narrows the applicability of this authentication method to the web client, mobile client, and thin client. OpenID authentication supports cross-domain requests in the thin client and in the web client for Mozilla Firefox, Google Chrome, Safari, and Internet Explorer 8 and 9. In Internet Explorer 6 and 7, after the user enters the username and password, a confirmation dialog opens. If the user confirms the action, the authentication process continues; otherwise, the user is prompted to enter the username and password again.
The OpenID provider must be a 1C:Enterprise infobase. The OpenID identifier is the name of the infobase user. The provider infobase must be published with a special parameter in file default.vrd and must be available for the user's infobase.
The OpenID identifier is the username specified in the provider infobase. The user password is also the one specified in the provider infobase; the password specified in the client infobase is not involved.
To enable OpenID authentication, pass the command-line parameter OIDA+ (the default). To disable OpenID authentication, pass the command-line parameter OIDA-.
For details on configuring the web server to support OpenID authentication, see page . 2.
OpenID authentication requires that the "1C:Enterprise authentication" flag is selected and the infobase is properly published on the web server.
1.2. OpenID authentication support settings
1.2.1. Settings for OpenID
In default.vrd, which contains client infobase publication parameters, specify the OpenID provider URL in elements <openid> and <rely>.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       base="/demo"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;"
       enable="false">
  <openid>
    <rely url="http://myserver.org/users-ib/e1cib/oida"/>
  </openid>
</point>
The elements define the URL of the OpenID provider that will authenticate infobase users. In this example, the 1C:Enterprise infobase that serves as the OpenID provider is published at https://myserver.org/users-ib.
For a detailed description of the default.vrd file, see page . 4.
1.2.2. OpenID provider settings
In default.vrd, specify that the infobase is an OpenID provider in elements <openid> and <provider>.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       base="/users-ib"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;oidusers&quot;;" enable="false">
  <openid>
    <provider>
      <lifetime>1209600</lifetime>
    </provider>
  </openid>
</point>
The elements define the following:
- The infobase is an OpenID provider.
- The authentication token lifetime is 1,209,600 seconds (2 weeks).
- The URL that client infobases specify in their <rely> element to reach this provider is http://myserver.org/users-ib/e1cib/oida. This is a valid URL for a provider infobase published under /users-ib on the host myserver.org.
For a detailed description of the default.vrd file, see page . 4.
1.2.3. Additional interface for use by external resources
1C:Enterprise supports OpenID authentication only in the checkid_immediate mode. In this mode, the sign-in dialog is skipped. To support seamless OpenID authentication, 1C:Enterprise also provides the dedicated commands and parameters described below.
User authentication
Description:
Authenticates a user using the POST method.
The body of the HTTP request contains two strings: the username and the password.
Syntax:
/e1cib/oida?cmd=login
Parameters:
redirect (optional)
The address the user will be redirected to after successful authentication.
Returns:
- 200. User authentication succeeded (redirect not specified).
- 402. User authentication failed.
Validation
Description:
Validates the user authentication using the GET method.
Syntax:
/e1cib/oida?cmd=isloggedin
Returns:
- 200. User authentication succeeded.
- 402. User authentication failed.
Signing out
Description:
Signs out the user from 1C:Enterprise and clears the authentication token using the GET method.
Syntax:
/e1cib/oida?cmd=logout
Parameters:
redirect (optional)
The address the user will be redirected to after signing out.
1.3. <openid>
The element describes the OpenID authentication settings. Element <openid> is subordinate to <point>. The valid number of <openid> elements is zero or one. Element <openid> is the parent for <rely> and <provider>. The valid number of <rely> and <provider> elements is zero or one.
Element <openid> has no attributes.
1.3.1. <rely>
The element defines the URL of the OpenID provider infobase.
Attribute url
Stores the URL of the OpenID provider infobase. The infobase must be published as a provider.
Example:
<rely url="http://myserver.org/users-ib/e1cib/oida"/>
1.3.2. <provider>
The element indicates that the infobase is an OpenID provider. Element <provider> is the parent for <lifetime>. The valid number of <lifetime> elements is zero or one.
Example:
<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       base="/demo"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;" enable="false">
  <openid>
    <provider/>
  </openid>
</point>
1.3.2.1. <lifetime>
Specifies the authentication token lifetime in seconds. If not specified, the default value is 604,800 (1 week).
Example:
<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       base="/demo"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;" enable="false">
  <openid>
    <provider>
      <lifetime>1209600</lifetime>
    </provider>
  </openid>
</point>
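As an added illustration (not part of the 1C:Enterprise documentation or product), the following Python script parses the <openid> section of a default.vrd publication and checks it against the rules stated in sections 1.2 and 1.3: at most one <openid>, at most one <rely> and <provider>, the <lifetime> default of 604,800 seconds, and a <rely> URL that ends in the provider's /e1cib/oida endpoint. The sample default.vrd embedded in it is constructed for this example, and the plain-HTTP and long-lifetime findings are review heuristics of this script, not checks performed by 1C:Enterprise.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "http://v8.1c.ru/8.2/virtual-resource-system"   # default.vrd namespace
DEFAULT_LIFETIME = 604800                              # one week: the <lifetime> default

# Constructed sample publication of a client infobase that relies on a provider.
SAMPLE_VRD = """<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
       base="/demo"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;" enable="false">
  <openid>
    <rely url="http://myserver.org/users-ib/e1cib/oida"/>
  </openid>
</point>
"""


def parse_openid(vrd_text):
    """Return (settings, findings) for the <openid> element of a default.vrd text."""
    root = ET.fromstring(vrd_text.encode("utf-8"))
    settings = {"role": None, "rely_url": None, "lifetime": None}
    findings = []
    openid = root.findall(f"{{{NS}}}openid")
    if not openid:
        return settings, findings                    # OpenID not enabled for this publication
    if len(openid) > 1:
        findings.append("more than one <openid> element; zero or one is valid")
    rely = openid[0].findall(f"{{{NS}}}rely")
    provider = openid[0].findall(f"{{{NS}}}provider")
    if len(rely) > 1 or len(provider) > 1:
        findings.append("<rely> and <provider> may each appear at most once")
    if rely:
        settings["role"] = "client"
        url = rely[0].get("url", "")
        settings["rely_url"] = url
        parsed = urlparse(url)
        if parsed.scheme not in ("http", "https") or not parsed.path.endswith("/e1cib/oida"):
            findings.append("rely url is not a provider /e1cib/oida endpoint")
        elif parsed.scheme == "http":
            findings.append("rely url uses plain http: credentials reach the provider unencrypted")
    if provider:
        settings["role"] = "provider"                 # provider wins if both are present
        lifetime = provider[0].find(f"{{{NS}}}lifetime")
        settings["lifetime"] = (int(lifetime.text) if lifetime is not None
                                and lifetime.text else DEFAULT_LIFETIME)
        if settings["lifetime"] > DEFAULT_LIFETIME:
            findings.append("token lifetime exceeds the one-week default; a stolen token stays valid longer")
    return settings, findings
```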