
[OW2Con 2015] LemonLDAP::NG 2.0 overview

Presentation of the LemonLDAP::NG project and news of the next release (2.0): AngularJS Manager, CAS attributes and OpenID Connect support.



  1. LemonLDAP::NG 2.0 overview (@clementoudot)
  2. Clément OUDOT, http://sflx.ca/coudot
     ● Founded in 1999
     ● >100 persons
     ● Montréal, Quebec City, Ottawa, Paris
     ● ISO 9001:2004 / ISO 14001:2008
     ● contact@savoirfairelinux.com
  3. LemonLDAP::NG Presentation
  4. Some history
     ● 2003: Project creation
     ● 2006: NG version
     ● 2010: V 1.0 (SAML, CAS, OpenID)
     ● 2014: V 1.4
     ● 2016: V 2.0 (OpenID Connect)
  5. Single Sign On (diagram: User, Web Application and WebSSO Portal, exchange steps 1, 2, 3)
  6. Access Control (diagram: User and Web Application; 1 SSO, 2 Authorization, 3)
  7. Components
     ● Common
     ● Manager: administration interface
     ● Handler: applications protection
     ● Portal: user interactions
  8. Authentication backends: LDAP, AD, Apache, SAML, CAS, Radius, OpenID, WebID, BrowserID, DBI, Yubikey
  9. Self Service: password change, password reset, account creation
  10. Identity protocols gateway: SAML, CAS, OpenID
  11. Overview of version 2.0
  12. AngularJS Manager
     ● Front end written with AngularJS
     ● Responsive design
     ● Configuration data as JSON
     ● Import/export feature
     ● Editing of multiple values on the same screen
     ● Possibility to set a log message on save
  13. (screenshot)
  14. Handler API
     ● No more direct link between Handler and mod_perl
     ● Creation of an internal API, with implementations:
       – Apache mod_perl 1
       – Apache mod_perl 2
       – CGI
       – Nginx
       – PSGI
  15. Portal skin background (screenshot)
  16. CAS attributes exchange
     ● Conforms to the CAS 3.0 standard
     ● Returns attributes in the service ticket validation response, inside <cas:attributes>
     ● Compatible with the phpCAS::getAttributes() function
  17. OpenID Connect
     ● Based on OAuth 2.0 / JOSE
     ● Specific scope "openid" to receive an ID token
     ● User consent required to share their identity
     ● Access token delivered to query the UserInfo endpoint
     ● Already used by Google to manage authentication
  18. Roles: Resource owner (end-user), Client (third-party), Authorization Server, Resource Server
  19. (diagram) Authorization Request → Authorization Grant; Authorization Grant → Access Token; Access Token → Protected Resource
  20. RP / OP (diagram): (1) AuthN Request, (2) AuthN & AuthZ, (3) AuthN Response, (4) UserInfo Request, (5) UserInfo Response
  21. http://jwt.io/
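The OpenID Connect slides above (the "openid" scope, the access token for UserInfo, the RP/OP exchange and the JWT shown on jwt.io) fit in one added example, which is not code from the slides or from LemonLDAP::NG. The OP side only mints an ID token when the request carried the "openid" scope, and the RP side performs the checks OIDC Core asks a client to make before trusting the identity: pinned algorithm, signature, issuer, audience, expiry and nonce. The token is signed with HS256 over the client secret so that the example needs only the standard library; providers commonly sign with RS256 and publish the key through a JWKS document instead. The issuer URL, client id, client secret and subject are constructed placeholders.

```python
# Added example, not LemonLDAP::NG code: an OpenID Connect ID token as issued
# by an OP and validated by an RP.  HS256 with the client secret keeps the
# example stdlib-only; many OPs sign with RS256 and publish keys via JWKS.
import base64
import hashlib
import hmac
import json
import secrets
import time


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_id_token(claims: dict, client_secret: bytes) -> str:
    """OP side: serialise the claims as a compact JWS (header.payload.signature)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(client_secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def token_response(scope, issuer, client_id, client_secret, subject, nonce, now=None):
    """OP side: what the token endpoint returns.  An ID token is minted only when
    the request carried the 'openid' scope; the access token is what the RP
    later presents to the UserInfo endpoint (steps 4 and 5 of the RP/OP flow)."""
    now = int(time.time()) if now is None else now
    tokens = {"access_token": secrets.token_urlsafe(32), "token_type": "Bearer"}
    if "openid" in scope.split():
        claims = {
            "iss": issuer,
            "sub": subject,
            "aud": client_id,
            "iat": now,
            "exp": now + 300,
            "nonce": nonce,
        }
        tokens["id_token"] = sign_id_token(claims, client_secret)
    return tokens


class InvalidIdToken(Exception):
    pass


def validate_id_token(token, client_secret, issuer, client_id, nonce, now=None):
    """RP side: the checks OIDC Core 3.1.3.7 expects before trusting the identity."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidIdToken("not a compact JWS")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm agreed with the OP; never let the token pick it.
    if header.get("alg") != "HS256":
        raise InvalidIdToken(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(
        client_secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
    ).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise InvalidIdToken("signature does not verify")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise InvalidIdToken("issuer mismatch")
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if client_id not in audiences:
        raise InvalidIdToken("token was not issued to this client")
    if len(audiences) > 1 and claims.get("azp") != client_id:
        raise InvalidIdToken("multiple audiences without a matching azp")
    if claims.get("exp", 0) <= now:
        raise InvalidIdToken("token expired")
    if claims.get("nonce") != nonce:
        raise InvalidIdToken("nonce mismatch: not the token this session asked for")
    return claims


if __name__ == "__main__":
    # Constructed values: issuer URL, client id and secret are placeholders.
    ISSUER, CLIENT_ID = "https://op.example.org", "rp-demo"
    SECRET = b"constructed-client-secret"
    nonce = secrets.token_urlsafe(16)  # generated by the RP per login attempt
    resp = token_response("openid profile", ISSUER, CLIENT_ID, SECRET, "dwho", nonce)
    print(validate_id_token(resp["id_token"], SECRET, ISSUER, CLIENT_ID, nonce))
```

The nonce is the RP's own random value, sent in the AuthN Request and expected back inside the ID token; checking it ties the token to the browser session that started the login, which is what stops a token obtained elsewhere from being replayed into this session.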
  22. (screenshot)
  23. France Connect
     ● The French administration chose OpenID Connect for its next generation authentication platform
     ● LemonLDAP::NG 2.0:
       – Can be a client of France Connect: users will be able to sign in with their France Connect identity
       – Can be a provider for France Connect: France Connect can delegate authentication to LemonLDAP::NG
  24. Thanks for your attention (@clementoudot, http://sflx.ca/coudot)
