We are in a complex authentication environment and need to support authenticating against a number of disparate sources in applications we are developing. Since we don’t want to be duplicating authentication code all over the place, we are looking at wrapping the various authentication sources with a single OpenID provider, and then having the applications all depend on that service.
The sources we have to allow authenticating against are things like Active Directory Username/Password, Kerberos, generic LDAP, external OpenID providers, etc.
For example, in the Kerberos case, when the user hits the OpenID provider’s authentication page, if (s)he can be authenticated with Kerberos, and has already given permission to the requesting app, the user would be transparently authenticated as if a password was entered and passed back to the requesting app.
So, the question is, can we have create an OpenID provider that handles authenticating through all of these various methods? Does the provider have to implement how it authenticates the users in a specific way?
OpenID 2.0 specification do not specify how to authenticate users at the OpenID Provider there for it is vendor specific. So my answer is Yes, you can have an OpenID Provider that handles authentication through all those methods but you have to figure out how to, for example how to present the Kerberos tickets to the OpenID Provider is up to you to decide.