LemonLDAP::NG 2.0 overview
@clementoudot
Clément OUDOT
http://sflx.ca/coudot
● Founded in 1999
● >100 persons
● Montréal, Quebec City, Ottawa, Paris
● ISO 9001:2004 / ISO 14001:2008
● contact@savoirfairelinux.com
LemonLDAP::NG Presentation
Some history
● 2003: project creation
● 2006: NG version
● 2010: V 1.0 (SAML, CAS, OpenID)
● 2014: V 1.4
● 2016: V 2.0 (OpenID Connect)
Single Sign On
[Diagram: User, WebSSO Portal and Web Application, with three numbered steps]
Access Control
[Diagram: User and Web Application, steps (1) SSO, (2) Authorization, (3)]
Components
● Common
● Manager: administration interface
● Handler: applications protection
● Portal: user interactions
Authentication backends
● LDAP
● AD
● Apache
● SAML
● CAS
● Radius
● OpenID
● WebID
● BrowserID
● DBI
● Yubikey
Self Service
● Password change
● Password reset
● Account creation
Identity protocols gateway
● SAML
● CAS
● OpenID
Overview of version 2.0
AngularJS Manager
● FrontEnd written with AngularJS
● Responsive design
● Configuration data as JSON
● Import/Export feature
● Editing of multiple values on the same screen
● Option to attach a log message when saving
Handler API
● No more direct link between Handler and mod_perl
● Creation of an internal API, with implementations:
– Apache mod_perl 1
– Apache mod_perl 2
– CGI
– Nginx
– PSGI
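The Handler component protects applications by checking the SSO session and an access rule before a request reaches the application, redirecting to the portal when there is no session and answering 403 when the rule denies access. The following Python/WSGI sketch is an added example, not LemonLDAP::NG's Perl Handler or any of the implementations listed above; the portal URL, cookie name, in-memory session store and prefix-based rules are constructed assumptions and differ from the real Handler's shared session backend and rule syntax.

```python
"""Added example (not LemonLDAP::NG code): a minimal WSGI "handler" that
checks the SSO session cookie, evaluates a per-path access rule and either
redirects to the portal, denies with 403, or forwards the request with
identity headers. Everything below is constructed for the example."""
from urllib.parse import quote

PORTAL_URL = "https://auth.example.com/"   # assumed portal URL
COOKIE_NAME = "lemonldap"                   # assumed SSO cookie name

# Constructed in-memory session store: session id -> user attributes.
SESSIONS = {
    "s3cr3t-alice": {"uid": "alice", "groups": ["admins", "staff"]},
    "s3cr3t-bob": {"uid": "bob", "groups": ["staff"]},
}

# Access rules: path prefix -> predicate on session data. First match wins,
# so the more specific prefix must be listed first.
RULES = [
    ("/admin", lambda s: "admins" in s["groups"]),
    ("/", lambda s: True),   # any authenticated user
]


def parse_cookies(header):
    """Parse a Cookie request header into a dict (minimal, for the example)."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, _, v = part.strip().partition("=")
            out[k] = v
    return out


def decide(path, cookie_header):
    """Return (status line, response headers) for a request on `path`."""
    session_id = parse_cookies(cookie_header or "").get(COOKIE_NAME, "")
    session = SESSIONS.get(session_id)
    if session is None:
        # No valid SSO session: send the user to the portal, carrying the
        # requested URL so they come back here after authenticating.
        location = PORTAL_URL + "?url=" + quote(path, safe="")
        return "302 Found", [("Location", location)]
    for prefix, allowed in RULES:
        if path.startswith(prefix):
            if not allowed(session):
                return "403 Forbidden", []
            # Authorized: pass identity to the application as request headers.
            return "200 OK", [("Auth-User", session["uid"]),
                              ("Auth-Groups", ";".join(session["groups"]))]
    return "403 Forbidden", []   # no rule matched: deny by default


def handler_app(environ, start_response):
    """WSGI application wrapping decide(); a real handler would forward to the app."""
    status, headers = decide(environ.get("PATH_INFO", "/"), environ.get("HTTP_COOKIE"))
    body = b"" if status.startswith("302") else status.encode()
    start_response(status, headers + [("Content-Type", "text/plain")])
    return [body]


if __name__ == "__main__":
    for path, cookie in [("/admin", "lemonldap=s3cr3t-alice"),
                         ("/admin", "lemonldap=s3cr3t-bob"), ("/app", None)]:
        print(path, cookie, "->", decide(path, cookie))
```

The deny-by-default fall-through at the end of `decide()` is the part worth keeping when adapting this: a path that matches no rule must not be forwarded.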
Portal skin background
CAS attributes exchange
● Conforms to the CAS 3.0 standard
● Returns attributes in the service ticket validation response, inside <cas:attributes>
● Compatible with the phpCAS::getAttributes() function
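As an added example (not LemonLDAP::NG or phpCAS code), the following Python parser reads a CAS 3.0 serviceValidate response of the kind described above and returns the user together with the contents of <cas:attributes>, keeping multi-valued attributes as lists and turning a <cas:authenticationFailure> into an error. The two sample responses are constructed; the namespace is the one used by CAS serviceResponse documents.

```python
"""Added example (not project code): parse a CAS 3.0 serviceValidate response."""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"   # namespace of CAS serviceResponse documents


def _tag(name):
    return "{%s}%s" % (CAS_NS, name)


class CasValidationError(Exception):
    """Raised when the response is not a successful validation."""


def parse_service_validate(xml_text):
    """Return (user, attributes) from a CAS 3.0 serviceValidate response.

    `attributes` maps each attribute name to a list of values, so a
    multi-valued attribute (several <cas:memberOf> elements) is preserved.
    Raises CasValidationError on an authenticationFailure or a malformed document.
    """
    root = ET.fromstring(xml_text)
    if root.tag != _tag("serviceResponse"):
        raise CasValidationError("not a CAS serviceResponse document")
    failure = root.find(_tag("authenticationFailure"))
    if failure is not None:
        code = failure.get("code", "UNKNOWN")
        raise CasValidationError("%s: %s" % (code, (failure.text or "").strip()))
    success = root.find(_tag("authenticationSuccess"))
    if success is None:
        raise CasValidationError("neither success nor failure element present")
    user_el = success.find(_tag("user"))
    if user_el is None or not (user_el.text or "").strip():
        raise CasValidationError("missing cas:user")
    attrs = {}
    attr_el = success.find(_tag("attributes"))
    if attr_el is not None:   # a CAS 2.0 server omits this element entirely
        for child in attr_el:
            name = child.tag.split("}", 1)[-1]   # strip the namespace prefix
            attrs.setdefault(name, []).append((child.text or "").strip())
    return user_el.text.strip(), attrs


# Constructed sample responses (not captured from a real server).
SUCCESS_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>alice</cas:user>
    <cas:attributes>
      <cas:mail>alice@example.com</cas:mail>
      <cas:memberOf>staff</cas:memberOf>
      <cas:memberOf>admins</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

FAILURE_XML = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-000-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""


if __name__ == "__main__":
    print(parse_service_validate(SUCCESS_XML))
    try:
        parse_service_validate(FAILURE_XML)
    except CasValidationError as err:
        print("validation failed:", err)
```

When the response comes from a server you do not control, parse it with defusedxml rather than the bare ElementTree used here, and keep the "no attributes element" branch: a CAS 2.0 server answers without <cas:attributes> and the client must still accept the user.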
OpenID Connect
● Based on OAuth 2.0 / JOSE
● Specific scope “openid” to receive an ID token
● User consent required to share their identity
● Access token delivered to query the UserInfo endpoint
● Already used by Google to manage authentication
Roles
● Resource owner (end-user)
● Client (third-party)
● Authorization Server
● Resource Server
[Diagram: OAuth 2.0 abstract flow: Authorization Request, Authorization Grant, Authorization Grant, Access Token, Access Token, Protected Resource]
Flow between RP (Relying Party) and OP (OpenID Provider):
(1) AuthN Request
(2) AuthN & AuthZ
(3) AuthN Response
(4) UserInfo Request
(5) UserInfo Response
http://jwt.io/
France Connect
● The French administration chose OpenID Connect for its next-generation authentication platform
● LemonLDAP::NG 2.0:
– Can be a client of France Connect: users will be able to sign in with their France Connect identity
– Can be a provider for France Connect: France Connect can delegate authentication to LemonLDAP::NG
Thanks for your attention
@clementoudot
http://sflx.ca/coudot

[OW2Con 2015] LemonLDAP::NG 2.0 overview