WebSSO and Access Management LemonLDAP::NG Clément OUDOT

Single Sign On and Access Management LemonLDAP::NG Demonstration Table of contents

Single Sign On and Access Management

LemonLDAP::NG

Demonstration

Single Sign On SSO is designed for users: One login/password to remember (or even better with physical token) One authentication screen for all applications SSO can also provides: A dynamic list of authorized applications A single access point (portal) to information system

SSO is designed for users:

One login/password to remember (or even better with physical token)

One authentication screen for all applications

SSO can also provides:

A dynamic list of authorized applications

A single access point (portal) to information system

Access Management Access Management is designed for system administrators: Single point of authentication (easy to audit) Set access rights to applications Use enterprise directory for authentication and authorization

Access Management is designed for system administrators:

Single point of authentication (easy to audit)

Set access rights to applications

Use enterprise directory for authentication and authorization

Enterprise SSO

Delegation SSO

Reverse-proxy SSO

LemonLDAP::NG LemonLDAP::NG is a free WebSSO project: GPL licence OW2 Forge: http://lemonldap.ow2.org Use standard Apache2 installation Use mod_perl to hook Apache requests Provides: Portal with dynamic application list Graphical management interface Wide integration (LDAP, Kerberos, SQL, CAS, SSL, SOAP, etc.)

LemonLDAP::NG is a free WebSSO project:

GPL licence

OW2 Forge: http://lemonldap.ow2.org

Use standard Apache2 installation

Use mod_perl to hook Apache requests

Provides:

Portal with dynamic application list

Graphical management interface

Wide integration (LDAP, Kerberos, SQL, CAS, SSL, SOAP, etc.)

Architecture overview

How it works

Some screen shots

LDAP forever LemonLDAP::NG can use LDAP for: Authentication Authorization Password modification Groups Configuration storage Session storage

LemonLDAP::NG can use LDAP for:

Authentication

Authorization

Password modification

Groups

Configuration storage

Session storage

LDAP password policy LemonLDAP::NG is compatible with the draft of LDAP password policy (overlay ppolicy in OpenLDAP): Display if account is locked or expired Display warning time and graces remaining Force password change after reset Show constraints error on password modification (size, history, etc.)

LemonLDAP::NG is compatible with the draft of LDAP password policy (overlay ppolicy in OpenLDAP):

Display if account is locked or expired

Display warning time and graces remaining

Force password change after reset

Show constraints error on password modification (size, history, etc.)

Authentication backends LemonLDAP::NG can use several authentication backends: LDAP (the default) SSL (through Apache) Kerberos (through Apache) CAS Liberty Alliance (replaced soon by SAML2) Any other Apache authentication methods SOAP (portal chaining)

LemonLDAP::NG can use several authentication backends:

LDAP (the default)

SSL (through Apache)

Kerberos (through Apache)

CAS

Liberty Alliance (replaced soon by SAML2)

Any other Apache authentication methods

SOAP (portal chaining)

More features Application provisioning trough HTTP headers Logon hours with time zone management RBAC model Cross-domain Session sharing over network HTTP Basic authentication forward Password reset by mail Notifications Active Directory support

Application provisioning trough HTTP headers

Logon hours with time zone management

RBAC model

Cross-domain

Session sharing over network

HTTP Basic authentication forward

Password reset by mail

Notifications

Active Directory support

Full integrated applications

Thank you for your attention Visit us at our stand 107 - hall 7.2b