
I'd like to set up an OpenID provider for our group, which we can use to log in to internal and external OpenID-aware services (e.g. stackoverflow.com).

Our users all have X.509 certificates issued by our CA, so I think the ideal solution would use that to authenticate them (i.e. the provider shouldn't ask for a password). Maybe Apache FakeBasicAuth would work to extract the username from the SSL connection's certificate?

What would be the best software to use? Open Source preferred.

2 Answers


OK, I got this working using:

In the Apache configuration, I did this (note: didn't use FakeBasicAuth in the end):

SSLCACertificateFile /.../myOrgCA.pem
SSLVerifyClient require
SSLVerifyDepth  1
SSLOptions      +StdEnvVars

Edit action_default() to redirect the user to the https address if accessed over plain http. The plain http address is the one you publish in your <link rel="openid.server">.

Change getLoggedInUser() to extract the username from $_SERVER['SSL_CLIENT_S_DN_Email'].

You can also edit doAuth() to provide the email address or full name in a similar way.

Not sure how secure this all is, but we use it for relatively low-value sites (forums, bug trackers, etc.).

  • You could use HTTPS as your openid.server address; some providers like Yahoo and Google do. The potential downside is that HTTPS fetching support on relying parties is remarkably flaky. They don't have the right crypto libs, or they don't have the root CA certs accessible, or they don't have clear policy about what to do with invalid certs... But many RPs do work fine that way (hopefully Yahoo is forcing that number up), and it reduces a potentially vulnerable redirect, so consider it.
    – keturn
    Commented Aug 14, 2009 at 19:50
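As an added example (not the answerer's code), here is the getLoggedInUser() change and the HTTPS redirect from the first answer written out in PHP, with the check a practitioner would want before trusting the certificate's e-mail. It assumes the Apache directives shown above (SSLVerifyClient require, SSLOptions +StdEnvVars) so the SSL_CLIENT_* variables reach $_SERVER; the helper names and the example.org domain policy are assumptions.

```php
<?php
// Added example, not the original answerer's code. Assumes mod_ssl exports
// SSL_CLIENT_* into $_SERVER (SSLOptions +StdEnvVars) and that the CA in
// SSLCACertificateFile is the only issuer whose certificates identify users.

/** Build the HTTPS URL to redirect to, or null if the request is already HTTPS. */
function httpsRedirectTarget(array $server): ?string
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return null;
    }
    // Strip anything that is not a hostname/port character before echoing the Host header.
    $host = preg_replace('/[^A-Za-z0-9.\-:]/', '', $server['HTTP_HOST'] ?? '');
    return 'https://' . $host . ($server['REQUEST_URI'] ?? '/');
}

/** Return the client certificate's e-mail only if mod_ssl verified the chain. */
function certEmail(array $server): ?string
{
    // SSLVerifyClient require should guarantee this, but a misconfigured vhost
    // (or the plain-http one) must never yield a user.
    if (($server['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }
    $email = $server['SSL_CLIENT_S_DN_Email'] ?? '';
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return null; // subject has no usable emailAddress RDN
    }
    return strtolower($email);
}

/** Replacement for getLoggedInUser(): map the certificate e-mail to a local username. */
function getLoggedInUser(): ?string
{
    $email = certEmail($_SERVER);
    if ($email === null) {
        return null;
    }
    // Hypothetical policy: only certificates for our own domain name a user.
    [$local, $domain] = explode('@', $email, 2);
    return $domain === 'example.org' ? $local : null;
}

// In action_default(): bounce plain-http visitors to the HTTPS endpoint first.
if (($target = httpsRedirectTarget($_SERVER)) !== null) {
    header('Location: ' . $target, true, 302);
    exit;
}
```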

I've considered the same thing myself, and the best answer I could find after some research was exactly as you suggested – Apache running mod_ssl, FakeBasicAuth to ID the user, and then extract that to identify the user and validate them.
