JDLL 2010: LemonLDAP::NG 1.00 preview

Transcript

  • 1. LemonLDAP::NG 1.00, Clément OUDOT, JDLL 2010, Lyon, France
  • 2. Table of contents
    ● Single Sign On
    ● The LemonLDAP::NG project
    ● How it works
    ● Main features
    ● What's new?
    10/14/10 2 http://lemonldap-ng.org
  • 3. Single Sign On
  • 4. Password management
    ● More and more applications and electronic services require our credentials
    ● As the number of passwords grows, password strength goes down
  • 5. Centralized authentication
    ● Centralizing credentials is a way to decrease the number of passwords
    ● This still requires users to log on to every service
  • 6. Single Sign On authentication
    ● Single Sign On authentication allows users to submit their credentials only once and then access all trusted applications
    ● Applications do not manage passwords anymore
    ● The identity of the user is forwarded to applications by the SSO software
  • 7. Delegation Single Sign On
  • 8. Reverse Proxy Single Sign On
  • 9. The LemonLDAP::NG project
  • 10. History
    ● LemonLDAP was founded in 2003 by Eric GERMAN (MINEFI) to replace the Novell WebSSO product (Novell → llevon → Lemon)
    ● Like Novell or SiteMinder, LemonLDAP uses HTTP headers to forward user identity
    ● LemonLDAP::NG is a complete rewrite of LemonLDAP, founded by Xavier GUIMARD (Gendarmerie Nationale) in 2005
    ● Thomas CHEMINEAU and Clément OUDOT (LINAGORA) complete the core team
  • 11. Technical implementation
    ● LemonLDAP::NG main components:
      ● Portal: authentication process, user interaction, application menu, password change form
      ● Manager: configuration interface, sessions explorer
      ● Handler: Apache agent, manages access authorizations
    ● Perl, only Perl, just Perl
    ● Relies on Apache and mod_perl
  • 12. Default architecture
  • 13. How it works
  • 14. Single Sign On process
  • 15. Single Sign On process
    1. User tries to access a protected application; the request is caught by the Handler
    2. No SSO cookie is detected, so the Handler redirects the user to the Portal
    3. User authenticates on the Portal
    4. Portal checks authentication
    5. If authentication succeeds, Portal collects user data
    6. Portal creates a session to store user data
    7. Portal gets the session key
    8. Portal creates the SSO cookie with the session key as value
    9. User is redirected to the protected application with the new cookie
    10. Handler gets the session key from the cookie and fetches the session
    11. Handler stores user data in its cache
    12. Handler checks the access rule and sends headers to the protected application
    13. Protected application sends its response to the Handler
    14. Handler sends the response to the user
  • 16. Authentication process
    ● Control URL origin: prevent XSS attacks and bad redirections
    ● Control existing session: detect an SSO session, apply configured constraints (1 session per user, 1 session per IP, ...)
    ● Extract form info: get login/password, certificate, environment variable (depending on the authentication module)
    ● Get user info: contact the user database to collect attributes
    ● Set macros: compute configured macros
    ● Set groups: query the user database to find groups
    ● Set local groups: compute configured groups
    ● Authenticate: contact the authentication database to check credentials
    ● Grant session: check rights to open an SSO session
    ● Store: store user info in the session database
    ● Build cookie: build the SSO cookie with the session ID
    ● Redirect: redirect the user to the protected application or to the Portal
  • 17. Application protection
    ● LemonLDAP::NG uses the Apache virtual host as application identifier
    ● Each application owns:
      ● Access rules: each rule refers to a URL pattern; logout can be caught
      ● HTTP headers: each header contains a session value or an evaluated Perl expression
      ● POST data: only used for form replay
      ● Redirection options: protocol and port
  • 18. Examples
    ● Access rules:
      ● default → accept
      ● ^/admin → $groups =~ /admin/
      ● ^/logout.php → logout_sso
    ● HTTP headers:
      ● Auth-User → $uid
      ● Auth-Name → uc($sn).", ".ucfirst($gn)
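To make steps 10 to 12 of slide 15 and the rules of slides 17 and 18 concrete, here is an added example in Python (not LemonLDAP::NG code): a toy Handler that looks up the session named by the SSO cookie, applies the first access rule whose URL pattern matches, and builds the identity headers. The session contents, cookie values and the `logout_sso` handling are constructed for the example; the real Handler evaluates rules and header values as Perl expressions.

```python
import re

# Added example, not LemonLDAP::NG code: a toy Handler for one virtual host.
# Access rules are (URL pattern, rule) pairs checked in order; "default" is the
# catch-all. A rule is True/False, a function over the session, or "logout_sso".
RULES = [
    (r"^/admin", lambda s: re.search(r"admin", s["groups"]) is not None),
    (r"^/logout\.php", "logout_sso"),
    ("default", True),
]

# Headers for the application: header name -> function of the session data
# (the Perl equivalent on slide 18 is uc($sn).", ".ucfirst($gn)).
HEADERS = {
    "Auth-User": lambda s: s["uid"],
    "Auth-Name": lambda s: s["sn"].upper() + ", " + s["gn"].capitalize(),
}

# Constructed session data, keyed by SSO cookie value, as the Portal stored it.
SESSIONS = {
    "c0ffee": {"uid": "coudot", "sn": "oudot", "gn": "clément", "groups": "users; admin"},
    "deadbe": {"uid": "jdoe", "sn": "doe", "gn": "john", "groups": "users"},
}

def find_rule(path):
    """First rule whose pattern matches the request path, else the default rule."""
    for pattern, rule in RULES:
        if pattern != "default" and re.search(pattern, path):
            return rule
    return dict(RULES)["default"]

def handle(path, cookie, sessions):
    """Return (status, headers): 302 = redirect to the Portal (no session or
    logout), 403 = rule denied access, 200 = forward with identity headers."""
    session = sessions.get(cookie)
    if session is None:
        return 302, {}                   # slide 15, step 2: no usable SSO cookie
    rule = find_rule(path)
    if rule == "logout_sso":
        sessions.pop(cookie)             # logout URL caught: destroy the session
        return 302, {}
    allowed = rule(session) if callable(rule) else bool(rule)
    if not allowed:
        return 403, {}                   # slide 15, step 12: access rule failed
    return 200, {name: f(session) for name, f in HEADERS.items()}

if __name__ == "__main__":
    print(handle("/admin/users", "c0ffee", dict(SESSIONS)))
```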
  • 19. Configuration
    ● Configuration is shared between all components
    ● It can be stored in:
      ● Local files
      ● SQL database
      ● LDAP directory
    ● Configuration is also available through SOAP
  • 20. Configuration interface
  • 21. Cookies and sessions
    ● Cookies and sessions have a lifetime
    ● Sessions can also have an idle timeout
    ● Sessions can be stored in files, LDAP, SQL, NoSQL (Memcached, Redis, Cassandra, ...)
    ● Sessions are also available through SOAP
    ● Cookies can be protected to travel only over secure connections
    ● Cross domain is managed
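The lifetime, idle timeout and secure-cookie points above, as an added Python example that is not LemonLDAP::NG code: the timeout values, the `created`/`last_seen` session keys, the cookie name and the domain are all assumed for the example.

```python
# Added example, not LemonLDAP::NG code: applying a session lifetime and an
# idle timeout to a stored session, and building the SSO cookie so that it
# only travels over secure connections. Times are seconds since the epoch.
TIMEOUT = 72 * 3600          # assumed absolute session lifetime (72 hours)
TIMEOUT_ACTIVITY = 30 * 60   # assumed idle timeout (30 minutes); 0 disables it

def session_state(session, now, timeout=TIMEOUT, idle=TIMEOUT_ACTIVITY):
    """'valid', 'expired' (lifetime exceeded) or 'idle' (no activity for too long).
    Lifetime is counted from creation; idle time from the last request seen."""
    if now - session["created"] >= timeout:
        return "expired"
    if idle and now - session["last_seen"] >= idle:
        return "idle"
    return "valid"

def touch(session, now):
    """Record activity: restarts the idle timer, never the absolute lifetime."""
    session["last_seen"] = now
    return session

def sso_cookie(name, value, domain, secure=True):
    """Set-Cookie value for the SSO cookie. Scoping it to the SSO domain is what
    lets every protected host under that domain present the same session key."""
    parts = [f"{name}={value}", f"domain={domain}", "path=/", "HttpOnly"]
    if secure:
        parts.append("Secure")   # the browser returns the cookie over HTTPS only
    return "; ".join(parts)

# Constructed session: created an hour ago, last request a minute ago.
NOW = 1_000_000
SESSION = {"created": NOW - 3600, "last_seen": NOW - 60}
```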
  • 22. Main features
  • 23. Authentication methods
    ● LemonLDAP::NG supports a lot of authentication methods:
      ● LDAP
      ● Database
      ● SSL X509
      ● Apache built-in modules (Kerberos, OTP, ...)
      ● SAML 2.0
      ● OpenID
      ● Twitter
      ● CAS
    ● Methods can be stacked or displayed together
  • 24. Advanced LDAP integration
    ● LemonLDAP::NG can use some LDAP specificities:
      ● Protocol v2/v3
      ● Authentication filter
      ● Password policy (account locking, change constraints, forced renewal)
      ● Recursive groups
      ● LDAPS or StartTLS
    ● Active Directory is supported through LDAP
  • 25. Identity provider
    ● LemonLDAP::NG is a federation product, allowing services to get user identity through standard protocols:
      ● SAML 2.0
      ● OpenID 2.0
      ● CAS 1.0 and 2.0
  • 26. SAML 2.0 conformance
    ● Two conformance matrices covering the IDP, SP and SLO roles: one for issuing requests and responses, one for consuming them
    ● Message types covered: Authn Request, Authn Response, Attribute Request/Response and SLO messages
    ● Bindings covered: HTTP GET, HTTP POST, Artifact GET, Artifact POST and SOAP; in the consuming matrix, HTTP GET and HTTP POST are marked OK for every message type
  • 27. Other SAML 2.0 features
    ● LemonLDAP::NG is SP, IDP, AA (attribute provider) and proxy IDP
    ● Common Domain Cookie support
    ● Metadata can be loaded through HTTP
    ● Each partner can have a specific attribute mapping
    ● A lot of options to customize SAML requests and responses
  • 28. What's new?
  • 29. What's new?
    ● LemonLDAP::NG 1.00 is a real enhancement over previous versions; it represents one year of full-time work
    ● Main changes are:
      ● Single configuration text file (lemonldap-ng.ini)
      ● All configuration parameters in the Manager
      ● Issuer interface module (for SAML, CAS, OpenID)
      ● Grant session rule
      ● Authentication level customization
      ● Authentication choice
  • 30. What's new?
    ● On the community side:
      ● New bug tracker: http://jira.ow2.org
      ● New site: http://lemonldap-ng.org
  • 31. Roadmap
    ● LemonLDAP::NG 1.00 is a big step, but the road is long
    ● Some ideas:
      ● Import/export configurations in the Manager
      ● XACML/WSF
      ● OAuth
      ● Password wallet for form replay
  • 32. Try it now! http://lemonldap-ng.org