Description

OpenID authentication

OpenID (http://openid.net/) is a protocol that allows the user to authenticate to many unrelated resources, systems, and so on, using a single account. 1C:Enterprise uses a protocol based on OpenID 2.0 under the Direct Identity model.

NOTE. This authentication method cannot be applied to web services published from 1C:Enterprise.

The general procedure is as follows:

  • The user attempts to log on to 1C:Enterprise.
  • 1C:Enterprise identifies that OpenID authentication is enabled for the Infobase (using the default.vrd publication file).
  • An authentication request is sent to the OpenID provider. The OpenID provider must be able to receive requests from the address of the Infobase publication.
  • If an interactive action is needed (for example, the first authentication for this user ID is performed, or the user authentication data has expired), the provider informs 1C:Enterprise that the username and password are required. 1C:Enterprise performs the interactive action and returns the requested data to the OpenID provider.

    User authentication data is stored in cookie files located in web browser storage. The thin client uses its own storage.

  • If the provider authenticates the user, a flag is returned to 1C:Enterprise indicating that the user is authenticated.

OpenID authentication only works when the Infobase is accessed over HTTP or HTTPS. This means that OpenID authentication is only available for the web client, mobile client, and thin client connected to the Infobase via the webserver. During OpenID authentication, cross-domain requests may occur when using the thin client or the Mozilla Firefox, Google Chrome, Safari, Microsoft Internet Explorer 8 and 9 browsers. In Microsoft Internet Explorer 6.0 and 7, the user is prompted for confirmation after entering the username and password. If the user confirms the operation, the authentication procedure continues. Otherwise, the user is prompted to enter the username and password again.

An OpenID provider can be a 1C:Enterprise Infobase published on a server in a special way, or an information system that implements OpenID Authentication 2.0 together with the extension of this protocol implemented on the 1C:Enterprise platform. The address of the OpenID provider is specified in the default.vrd file (<rely> element) when publishing an Infobase that is a client of the OpenID provider.

It is important to understand that the key field used to match a 1C:Enterprise Infobase user to an OpenID provider user is the value of the Name property of the Infobase user. In other words, a user is only able to log on to the Infobase if the Name property in the Infobase contains the ID returned by the OpenID provider. For a description of the returned certificate, refer to the documentation of the OpenID provider used.

The user password is set at the OpenID provider. If the OpenID provider is a 1C:Enterprise Infobase, the password is set in this Infobase. The password set in the Infobase that operates as the OpenID provider's client is ignored during OpenID authentication. If a third-party OpenID provider is used, the password is set by this provider. After the OpenID provider's user password is changed in the user storage, 1C:Enterprise applies the following rules:

  • The user is considered authenticated in any currently running sessions until these sessions are terminated.
  • When creating a new session, the user is prompted for the password even if the user authentication data has not expired yet.

To force OpenID authentication, specify the /OIDA+ command-line parameter (enabled by default) in the startup command line of the client application. The /OIDA- command-line parameter forcibly disables OpenID authentication.

See also:

OpenID authentication support settings

Settings for OpenID

If the Infobase uses OpenID authentication, you must specify the address of the OpenID provider used for authentication in the default.vrd file (with which the Infobase was published on the webserver). The <openid> and <rely> elements are intended for this.

Example:

<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       base="/demo"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;"
       enable="false">
  <openid>
    <rely url="https://myserver.org/users-ib/e1cib/oid2op"/>
  </openid>
</point>

These elements describe the URL to the OpenID provider that authenticates the user to the Infobase with OpenID authentication. In this example, the 1C:Enterprise Infobase, published at https://myserver.org/users-ib, acts as the OpenID provider.

This parameter can be configured using the publication dialog on the webserver (OpenID tab).
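The following is an added example, not code from the 1C:Enterprise documentation or platform: a small Python validator that reads a default.vrd publication file, locates the <openid>/<rely> element in the publication namespace shown above, and reports whether the provider URL is present, absolute, and served over HTTPS. The HTTPS requirement is this check's own recommendation for the provider address, not a rule stated in the documentation; the sample files below are constructed from the example above.

```python
"""Check the OpenID provider setting in a 1C:Enterprise default.vrd file.

Added example: validates that <openid>/<rely url="..."/> is present and
points at an absolute URL, and (optionally) that the URL uses https.
The https rule is an assumption of this check, not a documented requirement.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Default namespace of the publication file, as in the documentation example.
VRD_NS = "http://v8.1c.ru/8.2/virtual-resource-system"

# Constructed sample: the documentation example with an https provider URL.
GOOD_VRD = """<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
       xmlns:xs="http://www.w3.org/2001/XMLSchema"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       base="/demo"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;"
       enable="false">
  <openid>
    <rely url="https://myserver.org/users-ib/e1cib/oid2op"/>
  </openid>
</point>"""

# Constructed sample: same file, but the provider is addressed over plain http.
HTTP_VRD = GOOD_VRD.replace("https://myserver.org", "http://myserver.org")

# Constructed sample: publication without any <openid> element.
NO_OPENID_VRD = """<?xml version="1.0" encoding="UTF-8"?>
<point xmlns="http://v8.1c.ru/8.2/virtual-resource-system"
       base="/demo"
       ib="Srvr=&quot;tcp://Server&quot;;Ref=&quot;demo&quot;;"/>"""


def check_openid_rely(vrd_xml: str, require_https: bool = True) -> list[str]:
    """Return a list of findings; an empty list means the setting looks sane."""
    findings: list[str] = []
    try:
        root = ET.fromstring(vrd_xml)
    except ET.ParseError as exc:
        return [f"default.vrd is not well-formed XML: {exc}"]

    # <openid> and <rely> inherit the default namespace of <point>.
    rely = root.find(f"{{{VRD_NS}}}openid/{{{VRD_NS}}}rely")
    if rely is None:
        return ["no <openid>/<rely> element: OpenID authentication is not configured"]

    url = rely.get("url")
    if not url:
        return ["<rely> has no url attribute"]

    parsed = urlparse(url)
    if not parsed.scheme or not parsed.netloc:
        findings.append(f"rely url is not an absolute URL: {url!r}")
    elif require_https and parsed.scheme.lower() != "https":
        findings.append(f"rely url does not use https: {url!r}")
    return findings


if __name__ == "__main__":
    for name, sample in (("good", GOOD_VRD), ("http", HTTP_VRD), ("none", NO_OPENID_VRD)):
        print(name, check_openid_rely(sample) or "OK")
```

Run the script against a real default.vrd by reading the file into a string and passing it to check_openid_rely; pass require_https=False if the provider is deliberately published over plain HTTP.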
