6. Definition
● Single Sign On authentication allows users to
submit their credentials only once and then
access all trusted applications
● Applications do not manage passwords
anymore
● Identity of the user is forwarded to applications
by the SSO software
02/05/12
6 http://lemonldap-ng.org
7. SSO for the newbies
[Diagram: numbered SSO flow between the User, the Web Application and the WebSSO Portal]
9. Components
● LemonLDAP::NG main components:
● Portal: authentication process, user interaction,
application menu, password change form
● Manager: configuration interface, sessions explorer
● Handler: Apache agent, enforces access
authorizations
● Perl, only Perl, just Perl
● Relies on Apache and mod_perl
10. SSO for the L33T
11. Application protection
● LemonLDAP::NG uses the Apache virtual host as
the application identifier
● Each application owns:
● Access rules: each rule maps a URL pattern to an
authorization decision; a logout URL can also be caught
● HTTP headers: each header carries a session attribute,
or the result of a Perl expression evaluated against the session
● POST data: only used for form replay
● Redirection options: protocol and port
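The Perl program below is an added illustration of the per-application protection just listed (access rules matched against the URL, headers built from the session). It is not LemonLDAP::NG code: the configuration layout, the rule keywords accept/deny/logout, the virtual host app.example.com and the session contents are assumptions made for the example.

```perl
#!/usr/bin/env perl
# Added example: a minimal model of a WebSSO handler applying per-virtual-host
# access rules and building per-application headers from the SSO session.
# NOT LemonLDAP::NG code; configuration layout, rule keywords and names are
# assumptions made for illustration.
use strict;
use warnings;

# Assumed configuration: the Apache virtual host identifies the application.
# Rules are tried in order, first match wins, 'default' is the fallback.
# A rule is either a keyword or a Perl expression evaluated with $session
# in scope (the session hash of the authenticated user).
my %apps = (
    'app.example.com' => {
        rules => [
            [ qr{^/logout}, 'logout' ],
            [ qr{^/admin/}, '$session->{groups} =~ /\badmins\b/' ],
            [ 'default',    'accept' ],
        ],
        headers => {
            'Auth-User' => '$session->{uid}',
            'Auth-Mail' => '$session->{mail}',
        },
    },
);

# Evaluate one rule against a session. Anything that is not a keyword is
# Perl code, so the configuration must be as trusted as the handler itself:
# whoever can write a rule can run code in the Apache worker. Evaluation
# errors fail closed (deny).
sub eval_rule {
    my ( $rule, $session ) = @_;
    return 1 if $rule eq 'accept';
    return 0 if $rule eq 'deny';
    my $result = eval $rule;    # string eval sees the lexical $session
    if ($@) {
        warn "rule '$rule' failed: $@";
        return 0;
    }
    return $result ? 1 : 0;
}

# Decide what to do with a request: returns 'accept', 'deny' or 'logout'.
# Matching is done on the URL path only; an unknown vhost is denied.
sub authorize {
    my ( $conf, $vhost, $path, $session ) = @_;
    my $app = $conf->{$vhost} or return 'deny';
    for my $entry ( @{ $app->{rules} } ) {
        my ( $pattern, $rule ) = @$entry;
        next unless $pattern eq 'default' || $path =~ $pattern;
        return 'logout' if $rule eq 'logout';
        return eval_rule( $rule, $session ) ? 'accept' : 'deny';
    }
    return 'deny';
}

# Build the headers forwarded to the application. Values come from the
# session, never from the client, but CR/LF is still stripped so a stored
# attribute cannot smuggle an extra header line into the proxied request.
sub build_headers {
    my ( $conf, $vhost, $session ) = @_;
    my %out;
    my $defs = $conf->{$vhost}{headers} || {};
    for my $name ( sort keys %$defs ) {
        my $value = eval $defs->{$name};
        $value = '' if $@ || !defined $value;
        $value =~ s/[\r\n]//g;
        $out{$name} = $value;
    }
    return \%out;
}

# Constructed session for the demo (not real data).
my %session = (
    uid    => 'dwho',
    mail   => 'dwho@example.com',
    groups => 'users; admins',
);

for my $path ( '/', '/admin/settings', '/logout' ) {
    printf "%-16s -> %s\n", $path,
        authorize( \%apps, 'app.example.com', $path, \%session );
}
my $h = build_headers( \%apps, 'app.example.com', \%session );
print "$_: $h->{$_}\n" for sort keys %$h;
```

Running it with the constructed session accepts `/` and `/admin/settings` (the user is in the admins group), catches `/logout`, and emits `Auth-User: dwho` and `Auth-Mail: dwho@example.com`. The point to keep in mind from the slide is that rules and header definitions are executable Perl: the Manager configuration is code, and write access to it is equivalent to code execution in the handler.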
14. Authentication methods
● LemonLDAP::NG supports many authentication methods:
● LDAP
● Database
● SSL X509
● Apache built-in modules (Kerberos, OTP, ...)
● SAML 2.0
● OpenID
● Twitter
● CAS
● Yubikey
● Methods can be stacked or displayed together
15. Identity Provider
● LemonLDAP::NG is a federation product,
allowing services to get the user identity through
standard protocols:
● SAML 2.0
● OpenID 2.0
● CAS 1.0 and 2.0
16. Release 1.2, soon...
● New release planned soon (this month?):
● Radius authentication module
● Login history
● New 'skip' rule
● Improved session cache management
● Custom session granting policies
● Better URL handling in CAS and SAML Issuer
modules