[ow2con 2015] lemonldap::ng 2.0 overview

LemonLDAP::NG 2.0 overview

@clementoudot

https://twitter.com/clementoudot

https://www.savoirfairelinux.com/

http://lemonldap-ng.org/

http://www.ow2con.org/bin/view/2015/

2

Clément OUDOThttp://sflx.ca/coudot

● Founded in 1999● >100 persons● Montréal, Quebec City, Ottawa, Paris● ISO 9001:2004 / ISO 14001:2008● [email protected]

http://sflx.ca/coudot

mailto:[email protected]

LemonLDAP::NG Presentation

4

Some history

2003 2006 2010 2014

Project creation

NG version

V 1.0SAMLCAS

OpenID

V 1.4 V 2.0OpenID Connect

2016

5

Single Sign On

User

Web Application

WebSSO Portal

1

2

3

6

Access Control

UserWeb

Application

1

SSO

2

Authorization

3

7

Components

CommonCommon

ManagerManager HandlerHandler

PortalPortal

Administration interface

User interactions

Applications protection

8

Authentication backends

LDAPLDAPADAD

ApacheApache SAMLSAML

CASCAS RadiusRadius OpenIDOpenID

WebIDWebID

BrowserBrowserIDID

DBIDBI

YubikeyYubikey

9

Self Service

Password Password changechange

Password Password resetreset

Account Account CreationCreation

10

Identity protocols gateway

SAMLSAMLCASCAS

OpenIDOpenID

Overview of version 2.0

12

AngularJS Manager

● FrontEnd written with AngularJS● Responsive design● Configuration data as JSON● Import/Export feature● Edition of multiple values on the same screen● Possibility to set a log message on save

14

Handler API

● No more direct link between Handler and mod_perl● Creation of an internal API, with implementations:

– Apache mod_perl 1

– Apache mod_perl 2

– CGI

– Nginx

– PSGI

15

Portal skin background

16

CAS attributes exchange

● Conform to CAS 3.0 standard● Returns attributes in service ticket validation response,

inside <cas:attributes>● Compatible with phpCAS::getAttributes() function

17

OpenID Connect

● Based on OAuth 2.0 / JOSE● Specific scope “openid” to receive an ID token● User consent required to share its identity● Access token delivered to request UserInfo endpoint● Already used by Google to manage authentication

18

Roles

Resource owner(end-user)

Client(third-party)

AuthorizationServer

ResourceServer

19

Authorization Request

Authorization Grant

Authorization Grant

Access Token

Access Token

Protected Resource

20

RPRP OPOP

(1) AuthN Request

(2) AuthN & AuthZ

(3) AuthN Response

(4) UserInfo Request

(5) UserInfo Response

21

http://jwt.io/

http://jwt.io/

23

France Connect

● French administration choose OpenID Connect for its next generation authentication platform

● LemonLDAP::NG 2.0 :– Can be client of France Connect: users will be able to sign

with their France Connect identity

– Can be provider of France Connect: France Connect can delegate authentication to LemonLDAP::NG

Thanks for your attention

@clementoudot


https://twitter.com/clementoudot


[ow2con 2015] lemonldap::ng 2.0 overview

Technology