Want To Implement the ID4me Login Button on Your Website?

The average implementation time for a partner to implement the ID4me login on their website or application is less than 30 minutes.


Login Partner

The Login Partner is a service that authenticates End-Users using the ID4me protocol. It redirects the End-User to their Identity Authority for authentication and contacts the Identity Agent to request identity data. If the End-User does not yet have an ID4me Identifier, it points the user to an Identity Agent (the user is free to choose which one). In short, a Login Partner is any service that wants to accept ID4me identifiers so that users can log in more easily and hand over their data. How the Login Partner role is implemented varies considerably with the platform, framework or programming language in use. This page summarizes useful material and resources for the most common approaches to a Relying Party implementation.

Useful Documents

Client Libraries

Language | Name                        | Release   | Repository & Documentation | Demo                             | Comments
Java     | org.id4me:relying-party-api | maven.org | ID4me GitLab               | http://hermes.open-xchange.com   | Reference implementation
Python   | id4me-rp-client             | PyPi      | ID4me GitLab               | https://demo.domainid.community/ | Reference implementation
PHP      | id4me/id4me-rp              | Packagist | ID4me GitLab               | http://wordpress.id4me.family    | Only Authentication
.NET     | ID4me.RP.Client             | NuGet     | ID4me GitLab               | -                                | Reference implementation in C#

Framework Libraries / Extensions

Framework | Name                 | Release       | Repository & Documentation | Demo                             | Comments
Django    | django-allauth-id4me | PyPi          | ID4me GitLab               | https://demo.domainid.community/ | ID4me extension to django-allauth
Plone     | interaktiv.id4me     | PyPi          | GitHub                     | -                                | Plugin from CloudFest Hackathon
WordPress | ID4me                | WordPress.org | ID4me GitLab               | http://wordpress.id4me.family    | Based on id4me/id4me-rp, only Authentication
Joomla    | n/a                  | n/a           | GitHub                     | -                                | Work in progress
Nginx     | n/a                  | n/a           | GitHub                     | -                                | Work in progress

Button design

Reference designs for the login Button in various formats and sizes are available here: Login_Button.zip.

Implementation tips & hints

As ID4me is based on OpenID Connect, a well-established standard, many libraries are available that cover a large portion of the protocol and save precious implementation time. Many frameworks already have built-in support, or APIs, for Single Sign-On, either natively or through existing plugins or extensions. Before implementing a library from scratch or heading for a very custom implementation, it is worth researching the options available for your purpose.

ID4me uses some features of OpenID Connect that are not always implemented by available libraries. The usual suspects are Dynamic Client Registration and Distributed Claims. Make sure the library of your choice has them covered or allows the missing part to be added easily. If you plan to use ID4me's unique feature of specifying reasons for the data you request, which is not part of OpenID Connect, a custom implementation will most likely be needed.
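Distributed Claims are the part most general-purpose OpenID Connect libraries leave out, so here is what the Relying Party side has to do with them. This is an added example, not code from the ID4me project or any of the libraries listed above; the `fetch_claims` hook and all sample values are assumptions, and signature verification of the claims JWT is left to a JOSE library behind that hook.

```python
# Added example (not code from the ID4me project or its client libraries). It shows
# how a Relying Party resolves OpenID Connect Distributed Claims (OIDC Core 5.6.2),
# the mechanism through which the Identity Authority refers the RP to the Identity
# Agent for identity data. `fetch_claims` is an assumed hook: it must GET the source
# endpoint with the access token as a Bearer token and return the claims only after
# a JOSE library has verified the returned claims JWT.

RESERVED = ("_claim_names", "_claim_sources")


def resolve_distributed_claims(payload, fetch_claims):
    """Merge distributed claims into the payload's own claims and return the result."""
    names = payload.get("_claim_names", {})
    sources = payload.get("_claim_sources", {})
    resolved = {k: v for k, v in payload.items() if k not in RESERVED}
    # Group by source so each claims provider is contacted once.
    wanted_by_source = {}
    for claim, source_id in names.items():
        wanted_by_source.setdefault(source_id, set()).add(claim)
    for source_id, wanted in wanted_by_source.items():
        source = sources.get(source_id)
        if not source or "endpoint" not in source:
            # Aggregated claims (inline "JWT") are out of scope here; anything else is malformed.
            raise ValueError(f"claim source {source_id!r} is missing or not a distributed source")
        remote = fetch_claims(source["endpoint"], source.get("access_token"))
        # Take only the claims the issuer delegated to this source. A claims provider
        # must not be able to add or override claims such as sub that it was not asked for.
        for claim in wanted:
            if claim in remote:
                resolved[claim] = remote[claim]
    return resolved


# Constructed sample UserInfo response and a stand-in fetcher; all values are made up.
SAMPLE_USERINFO = {
    "sub": "7b1e4c90",
    "_claim_names": {"email": "agent", "given_name": "agent"},
    "_claim_sources": {"agent": {"endpoint": "https://agent.example.test/claims",
                                 "access_token": "tok-constructed"}},
}


def fake_fetch_claims(endpoint, access_token):
    """Stands in for the HTTP call plus JWT verification; returns one undelegated claim."""
    assert endpoint == "https://agent.example.test/claims" and access_token == "tok-constructed"
    return {"email": "jane@example.test", "given_name": "Jane", "sub": "not-delegated"}


if __name__ == "__main__":
    print(resolve_distributed_claims(SAMPLE_USERINFO, fake_fetch_claims))
```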

If you head for your own implementation of OpenID Connect, it is especially advisable to use a well-established and tested library for JOSE and JWT that implements all necessary checks and is free of known security vulnerabilities. A handy list of options is available at https://jwt.io/, together with a very useful debugger. The library must support both JWE (encrypted) and JWS (signed) tokens and offer handling for JWK and JWK Sets.

Important remarks on ID4me Identifier

The ID4me Identifier provided by the End User as the initial input to the bootstrap process MUST NOT be used by the Relying Party to identify that user. It SHOULD, however, be used as the display identification of the End User. Authentication of the End User is asserted by the ID token; therefore the Login Partner SHALL use the pair of iss and sub claims to identify the End User in a globally unique way and for any internal associations.
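A small illustration of the rule above, added here and not taken from the ID4me project or its client libraries: after a JOSE library has verified the ID token's signature, the Relying Party still checks iss, aud, exp and nonce, and keys the user on (iss, sub) rather than on the identifier typed into the login form. The claim names follow OpenID Connect Core; the issuer URL, client_id and sample claim values are constructed.

```python
import time

# Added example (not code from the ID4me project or its client libraries). It assumes
# the ID token's JWS signature (and JWE decryption, if used) has already been handled
# by a JOSE library and the decoded claims are passed in as a dict; expected_issuer is
# the Identity Authority URL obtained during discovery for the identifier the user typed.

class IdTokenError(ValueError):
    """Raised when an ID token must not be accepted."""


def validate_id_token_claims(claims, expected_issuer, client_id, nonce, now=None):
    """Checks the RP must make on the decoded claims after signature validation."""
    now = time.time() if now is None else now
    if claims.get("iss") != expected_issuer:
        raise IdTokenError("iss does not match the Identity Authority found during discovery")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise IdTokenError("aud does not contain our client_id")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise IdTokenError("multiple audiences but azp is not our client_id")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        raise IdTokenError("ID token is expired or has no exp")
    if claims.get("nonce") != nonce:
        raise IdTokenError("nonce mismatch: token does not belong to this login attempt")
    if not claims.get("sub"):
        raise IdTokenError("sub claim missing")
    return claims


def account_key(claims):
    """The only value to store and look up internally: the (iss, sub) pair.
    sub is unique only within one issuer, and the identifier the user typed may
    point to a different authority later, so neither alone is a safe key."""
    return (claims["iss"], claims["sub"])


# Constructed sample claims for a stand-alone run; all values are made up.
SAMPLE_CLAIMS = {"iss": "https://authority.example.test", "sub": "7b1e4c90",
                 "aud": "my-login-partner", "exp": 2_000_000_000, "nonce": "n-3f9a"}

if __name__ == "__main__":
    ok = validate_id_token_claims(SAMPLE_CLAIMS, "https://authority.example.test",
                                  "my-login-partner", "n-3f9a", now=1_999_999_500)
    print("account key:", account_key(ok))
```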

Tools and testing end-points

Getting a new ID4me Identifier

In order to test your integration you will of course need your own ID4me identifier. You can register one very easily, provided you have a domain name on which you can set DNS records. An open Identity Agent instance working with the Identity Authority of DENIC (DENIC ID) is available at https://identityagent.de.

Register your ID: https://identityagent.de/register

Debugging Relying Party flow

For debugging purposes there is a Relying Party instance at https://shop.freedom-id.de/ which allows the full login flow to be run and displays the relevant tokens.

Postman collection

To debug the particular calls a Relying Party needs to make, you can use this Postman collection and simply adjust the end-points or values.

DNS Records resolver

In case a DNS lookup for the TXT record or a DNSSEC check is not possible (for example due to JavaScript sandbox security policies in web browsers), there is a helper end-point available at:

https://lookup.freedom-id.de/lookup/{domain_name}

This service performs the discovery step that obtains the Identity Authority URL behind an ID, as well as the verification of the required DNSSEC signatures of the corresponding DNS zones. Source code.

Contact us

Let us know if you are working on an open source project with ID4me. We will be glad to list a reference to your work on this page.

We are available for any questions you might have during your integration: support@id4me.org. You can also just post a comment.
