LemonLDAP::NG is a free WebSSO software, implementing CAS, SAML and OpenID Connect protocols The 2.0 version is a major step in LemonLDAP::NG history. It brings brand new features as second factor authentication, SSO as a Service, devops Handler, etc. This talk will present how the software works, and the main new features.

1. LEMONLDAP::NG 2.0
info@worteks.com
FOSDEM 2019FOSDEM 2019FOSDEM 2019FOSDEM 2019

2. 03/02/19 2
LemonLDAP::NG Software

3. 03/02/19 3
SSO Workfow
Authentication
Portal
Application
2. Authentication
1. First access
3. Send SSO Token
Trust link
4. Validate SSO token

4. 03/02/19 4
History
2003
2006
2010
2016
2018
Project creation
Fork – version NG
Protocols CAS, SAML
and OpenID
Version 1.0
Protocol OpenID
Connect
Second factors (2FA)
Version 2.0

5. 03/02/19 5
Main features
●
Web Single Sign On
●
Access control
●
Applications portal
●
Authentication modules choice and chain
●
Password management, account creation
●
Multi-factor authentication (MFA)
●
Protection of Web applications and API/WebServices
●
Graphical customisation
●
Packages for Debian/Ubuntu/RHEL/CentOS

6. 03/02/19 6
Login page

7. 03/02/19 7
Portal with application menu

8. 03/02/19 8
Web Administration interface

9. 03/02/19 9
Command Line Interface

10. 03/02/19 10
Free Software
●
License GPL
●
OW2 project
●
Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
●
Site: https://lemonldap-ng.org
●
OW2 Community Award in 2014
●
SSO component of FusionIAM project: https://fusioniam.org/

11. 03/02/19 11
Component roles
Confgurations Sessions
Portal
Manager Handler
Application
menu
CAS
SAML
OpenID Connect
Self Services
SOAP/REST
server
Session
management
Confgurations Sessions
Notifcations Second factors
Access Control SSOaaS
Web Service
Token
Custom

12. 03/02/19 12
How works the agent (Handler)

13. 03/02/19 13
Web application
Sessions
Portal
Handler
Web Application
Authentication
Session creation
Session read
SSO cookie
HTTP headers

14. 03/02/19 14
Protocols CAS, SAML and OpenID Connect

15. 03/02/19 15
Main features
●
LL::NG can act as client and as server
●
Attributes sharing
●
Manage authentication contexts and levels
●
Autogeneration of public/private keys
●
Access control per services
●
Publication of configuration data (metadata)
●
Multi-protocols gateway
●
Single logout

16. 03/02/19 16
New in LemonLDAP::NG 2.0

17. 17
Second Factor Authentication (2FA)
●
LemonLDAP::NG can use the following 2FA:
●
TOTP
●
U2F
●
TOTP or U2F
●
External
●
REST
●
Yubikey

18. 03/02/19 18
Confguration backends
●
Already existing backends:
●
JSON file
●
Database
●
LDAP
●
NoSQL (MongoDB)
●
SOAP
●
New backends:
●
YAML file
●
REST
●
Local (no backend, only lemonldap-ng.ini file)

19. 03/02/19 19
NodeJS Handler
●
Native integration in Express application
●
Rules and headers configured in Javascript
●
https://github.com/LemonLDAPNG/node-lemonldap-ng-handler
npm install node-lemonldap-ng-handler

20. 03/02/19 20
DevOps (SSO as a Service)
●
Authentication managed by portal
●
Access control and HTTP headers configuration set in a local
JSON file
●
Allow quick applications deployement without need to edit main
SSO configuration

21. 03/02/19 21
DevOps (SSO as a Service)
Sessions
Portal
Handler
Web Application
Authentication
Session creation
Session read
SSO cookie
HTTP headers
rules
.json
Access rules
Exported headers

22. 03/02/19 22
API / WebService protection
●
New Handler "Service Token" installed between application and
WebService
●
Main Handler generates a token based on time session_id and
virtual hosts
●
The token is sent by application to WebService
●
The Handler "Service Token" intercepts the token, validates it
and apply access rules, and sent HTTP headers to WebService

23. 03/02/19 23
API – Service Token
Sessions
Portal
Handler
Web Application
Authentication
Session creation
Session read
SSO cookie
HTTP headers
Token
Handler
Service Token
Web Service Token
HTTP headers
Session read

24. 03/02/19 24
Authentifcation modules
●
New modules:
●
PAM
●
REST
●
Kerberos (GSSAPI)
●
CAS (attributes reading)
●
Multi is replaced by Combination
●
Custom module

25. 03/02/19 25
Administration interface
●
Configurations comparator: differences between two
configurations are displayed in a tree
●
Second factors administration (search, revoke)
●
Sort sessions by creation date or modification date

26. 03/02/19 26
RENATER / eduGAIN
●
Support of RENATER / eduGAIN via SAML2:
●
Service Provider
●
Identity Provider
●
Call to Identity Provider selection page (WAYF) via SAML
Discovery Protocol
●
Metadata bulk import script

27. 03/02/19 27
Plugin engine
●
Portal code was fully rewritten, and it now allows to write
plugins
●
Plugin examples, provided by default:
●
Auto Signin: direct authentication for some IP
●
Brute Force: protect against brute-force attacks
●
Stay Connected: "remember me" button
●
Public Pages: create static pages using portal skin
●
Write a custom plugin:
https://lemonldap-ng.org/documentation/latest/plugincustom

28. 03/02/19 28
Other new features
●
A user can refresh rights without disconnect/reconnect
●
REST services for configurations and sessions
●
Select language before authentication
●
New graphical theme built with Bootstrap 4
●
Logo customization (used in graphical theme and sent mails)
●
Log system choice (syslog, Apache, Log4Perl, Sentry...)

29. 2929
THANKS
Pour plus d’informations :
info@worteks.com
@worteks_com
linkedin.com/company/worteks