[FOSDEM 2019] LemonLDAP::NG 2.0

LemonLDAP::NG is free WebSSO software implementing the CAS, SAML and OpenID Connect protocols.

The 2.0 version is a major step in LemonLDAP::NG history. It brings brand new features such as second factor authentication, SSO as a Service, the DevOps Handler, etc. This talk presents how the software works and the main new features.

  1. LemonLDAP::NG 2.0 - info@worteks.com - FOSDEM 2019
  2. LemonLDAP::NG Software (03/02/19)
  3. SSO Workflow (diagram: Authentication Portal and Application, joined by a trust link)
     1. First access (the user reaches the Application)
     2. Authentication (at the Authentication Portal)
     3. Send SSO token
     4. Validate SSO token
  4. History (timeline 2003, 2006, 2010, 2016, 2018): Project creation; Fork, version NG; Protocols CAS, SAML and OpenID; Version 1.0; Protocol OpenID Connect; Second factors (2FA); Version 2.0
  5. Main features
     ● Web Single Sign On
     ● Access control
     ● Applications portal
     ● Authentication modules choice and chain
     ● Password management, account creation
     ● Multi-factor authentication (MFA)
     ● Protection of Web applications and API/WebServices
     ● Graphical customisation
     ● Packages for Debian/Ubuntu/RHEL/CentOS
  6. Login page
  7. Portal with application menu
  8. Web Administration interface
  9. Command Line Interface
  10. Free Software
     ● License GPL
     ● OW2 project
     ● Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
     ● Site: https://lemonldap-ng.org
     ● OW2 Community Award in 2014
     ● SSO component of FusionIAM project: https://fusioniam.org/
  11. Component roles (diagram; Configurations and Sessions are the shared backends)
     ● Portal: Application menu, CAS, SAML, OpenID Connect, Self Services, SOAP/REST server, Session management
     ● Manager: Configurations, Sessions, Notifications, Second factors
     ● Handler: Access Control, SSOaaS, Web Service Token, Custom
  12. How the agent (Handler) works
  13. Web application (diagram): the Portal authenticates the user and creates the session in the Sessions store; the Handler reads the SSO cookie, reads the session, and sends HTTP headers to the Web Application.
  14. Protocols CAS, SAML and OpenID Connect
  15. Main features
     ● LL::NG can act as client and as server
     ● Attributes sharing
     ● Manage authentication contexts and levels
     ● Autogeneration of public/private keys
     ● Access control per service
     ● Publication of configuration data (metadata)
     ● Multi-protocol gateway
     ● Single logout
  16. New in LemonLDAP::NG 2.0
  17. Second Factor Authentication (2FA): LemonLDAP::NG can use the following 2FA:
     ● TOTP
     ● U2F
     ● TOTP or U2F
     ● External
     ● REST
     ● Yubikey
  18. Configuration backends
     ● Already existing backends: JSON file, Database, LDAP, NoSQL (MongoDB), SOAP
     ● New backends: YAML file, REST, Local (no backend, only the lemonldap-ng.ini file)
  19. NodeJS Handler
     ● Native integration in Express application
     ● Rules and headers configured in Javascript
     ● https://github.com/LemonLDAPNG/node-lemonldap-ng-handler
     ● npm install node-lemonldap-ng-handler
  20. DevOps (SSO as a Service)
     ● Authentication managed by the portal
     ● Access control and HTTP headers configuration set in a local JSON file
     ● Allows quick application deployment without needing to edit the main SSO configuration
  21. DevOps (SSO as a Service) (diagram): same flow as slide 13, except that the Handler takes its access rules and exported headers from a local rules.json file next to the Web Application.
  22. API / WebService protection
     ● New Handler "Service Token" installed between application and WebService
     ● Main Handler generates a token based on time, session_id and virtual hosts
     ● The token is sent by the application to the WebService
     ● The Handler "Service Token" intercepts the token, validates it, applies access rules, and sends HTTP headers to the WebService
  23. API – Service Token (diagram): the Portal authenticates the user and creates the session; the Handler reads the SSO cookie and the session, and sends HTTP headers plus a Token to the Web Application; the application forwards the Token to the Web Service, where the Handler Service Token reads the session and sends HTTP headers to the Web Service.
  24. Authentication modules
     ● New modules: PAM, REST, Kerberos (GSSAPI), CAS (attributes reading)
     ● Multi is replaced by Combination
     ● Custom module
  25. Administration interface
     ● Configurations comparator: differences between two configurations are displayed in a tree
     ● Second factors administration (search, revoke)
     ● Sort sessions by creation date or modification date
  26. RENATER / eduGAIN
     ● Support of RENATER / eduGAIN via SAML2: Service Provider, Identity Provider
     ● Call to the Identity Provider selection page (WAYF) via SAML Discovery Protocol
     ● Metadata bulk import script
  27. Plugin engine
     ● Portal code was fully rewritten, and it now allows writing plugins
     ● Plugin examples, provided by default:
       ● Auto Signin: direct authentication for some IPs
       ● Brute Force: protect against brute-force attacks
       ● Stay Connected: "remember me" button
       ● Public Pages: create static pages using the portal skin
     ● Write a custom plugin: https://lemonldap-ng.org/documentation/latest/plugincustom
  28. Other new features
     ● A user can refresh rights without disconnecting/reconnecting
     ● REST services for configurations and sessions
     ● Select language before authentication
     ● New graphical theme built with Bootstrap 4
     ● Logo customization (used in the graphical theme and sent mails)
     ● Log system choice (syslog, Apache, Log4Perl, Sentry...)
  29. THANKS. For more information: info@worteks.com, @worteks_com, linkedin.com/company/worteks
