I have a number of users who need to use OpenID authentication for Alfresco.
There shouldn't be any need for them to create separate Alfresco usernames/passwords. Any time they go to the Alfresco website, they are either auto-logged-in using some token set in a previously set cookie, or, if there is no cookie, they are redirected to the OpenID provider's website with an appropriate callback URL set, where they enter their username/password with the OpenID provider, after which they are redirected back to our callback, which does some magic to make Alfresco think the user is authenticated.
What is the correct / simplest way to do it?
I'm reading up on external authentication, but it seems that it is only secure if no untrusted HTTP access is possible, but in this case the user would have HTTP access to Alfresco, so they can easily falsify any headers.
What are my other options?