OpenID is an open federated identity standard targeted towards the consumer world, allowing individuals Single Sign-On (SSO) to "relying party" sites from an OpenID provider such as their email provider or social network. Large OpenID providers such as Google and Yahoo! have issued OpenIDs to all their users. OpenID is one of few federated identity standards that enable SSO without the need for a pre-existing relationship between the identity provider and the relying party, a feature that greatly fosters scalability.
The current OpenID version is 2.0. However a new version, OpenID AB/C, merges two different next-generation standards efforts, OpenID Abstract Binding and OpenID Connect, and is under construction. OpenID is a profiled protocol for the Federal ICAM initiative. OpenID 2.0 is only profiled for the lowest level of assurance described by the government guidance set out in NIST 800-63. Hopefully, the next generation of OpenID will be capable of all four assurance levels used today.
How it works
OpenID is a passive protocol, using browser web redirections to communicate between the relying party and the OpenID provider. OpenID does not construct a token containing security elements, but rather uses HTTP query string or Form POST elements to represent separate fields, reducing complexity and eliminating the need to parse a document. The core OpenID specification covers discovery and authentication, but several extensions exist to expand the functionality of the specification--most notably Simple Registration, Attribute Exchange and Provider Authentication Policy Extension.
OpenID specifies a number of discovery mechanisms that allow a user to inform the relying party of the preferred OpenID provider, including specifying a URL or email address. OpenID also offers the ability for a domain to delegate its OpenID provider role to another OpenID provider.