[OW2con19] LemonLDAP::NG success stories


Presentation of LemonLDAP::NG and how it is used by Gendarmerie Nationale and Orange


  1. LEMONLDAP::NG SUCCESS STORIES
  2. LemonLDAP::NG Software (12/06/2019)
  3. SSO Workflow (authentication portal, application, and the trust link between them):
     1. First access
     2. Authentication
     3. Send SSO token
     4. Validate SSO token
  4. History
     ● 2003: project creation
     ● 2006: fork, version NG
     ● 2010: protocols CAS, SAML and OpenID; version 1.0
     ● 2016: protocol OpenID Connect
     ● 2018: second factors (2FA); version 2.0
  5. Main features
     ● Web Single Sign-On
     ● Access control
     ● Applications portal
     ● Choice and chaining of authentication modules
     ● Password management, account creation
     ● Multi-factor authentication (MFA)
     ● Protection of web applications and API/web services
     ● Graphical customisation
     ● Packages for Debian/Ubuntu/RHEL/CentOS
  6. Login page
  7. Portal with application menu
  8. Web administration interface
  9. Command line interface
  10. Free Software
     ● License: GPL
     ● OW2 project
     ● Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
     ● Site: https://lemonldap-ng.org
     ● OW2 Community Award in 2014
     ● SSO component of the FusionIAM project: https://fusioniam.org/
  11. Component roles (all components share the configuration and session stores)
     ● Portal: application menu, CAS, SAML, OpenID Connect, self services, SOAP/REST server
     ● Manager: session management, configurations, sessions, notifications, second factors
     ● Handler: access control, SSOaaS, web service token, custom
  12. Web application: the portal authenticates the user and creates the session; the handler reads the session designated by the SSO cookie and passes the identity to the web application as HTTP headers
  13. CAS, SAML and OpenID Connect
     ● LL::NG can act as client and as server
     ● Attribute sharing
     ● Management of authentication contexts and levels
     ● Auto-generation of public/private keys
     ● Access control per service
     ● Publication of configuration data (metadata)
     ● Multi-protocol gateway
     ● Single logout
  14. Second Factor Authentication (2FA). LemonLDAP::NG can use the following 2FA: TOTP, U2F, TOTP or U2F, Mail, External, REST, Yubikey
  15. DevOps (SSO as a Service): same flow as slide 12 (portal authentication and session creation, handler reading the session from the SSO cookie and sending HTTP headers), except that the access rules and exported headers come from a rules.json file shipped with the web application
  16. API – Service Token: the handler reads the session from the SSO cookie and sends HTTP headers to the web application; the web application calls the web service with a service token, and a token handler reads the session from that token and sends HTTP headers to the web service
  17. OpenID Connect / OAuth2: the portal authenticates the user and creates the session; the handler reads the session from the OAuth2 access token and sends HTTP headers to the web application
  18. RENATER / eduGAIN: support of RENATER / eduGAIN via SAML2
     ● Service Provider
     ● Identity Provider
     ● Call to the Identity Provider selection page (WAYF) via the SAML Discovery Protocol
     ● Metadata bulk import script
  19. Plugin engine
     ● The portal code was fully rewritten and now allows writing plugins
     ● Plugin examples provided by default:
       ● Auto Signin: direct authentication for some IPs
       ● Brute Force: protection against brute-force attacks
       ● Stay Connected: "remember me" button
       ● Public Pages: create static pages using the portal skin
       ● Impersonation: take the identity of another user
     ● Write a custom plugin: https://lemonldap-ng.org/documentation/latest/plugincustom
  20. The beginning of the journey
  21. Orange is a complex environment… with many people and kinds of skills, with thousands of applications, in a full-motion environment
  22. Orange is a complex environment in a complex world…
     ● With thousands of applications:
       § Made or bought by Orange.
       § With or without SSO compatibility.
       § Accessible from the Internet or the intranet.
       § A specific security access level for each.
       § Each application has its own lifecycle.
       § Our users want the same quality from their work tools as from the personal offers on the Internet.
       § Rise of the « fashion tool ».
     ● With many people and kinds of skills:
       § Long-term partnerships: Orange people, contractors, partners, universities
       § On-demand relationships: freelancers with contracts of a few days
     ● In a full-motion environment
  23. …with the same constraints and needs as others…
     ● Manage all identification / authentication cases
     ● Allow access from different contexts
     ● Keep things as transparent as possible for users
     ● Manage all kinds of users
     ● Provide many types of protocols
     ● Guarantee a high security level
     ● Flexibility to support the future
     ● Guarantee a high availability level
     ● Keep It Simple, Stupid
     ● Have a single system to authenticate users
  24. …So we are building a scalable LemonLDAP::NG infrastructure… (architecture diagram): two LemonLDAP::NG clusters share the configuration and session stores, an internal one (HA int in front of Lemon int 1 and Lemon int 2) serving internal applications and an external one (HA ext in front of Lemon ext 1 and Lemon ext 2) serving external applications. Authentication chain: 1. Kerberos, then SAML if the user comes from internal; 2. OIDC; 3. REST → LDAP; 4. LDAP. Account sources: Orange accounts and external accounts.
  25. ...And we are at the beginning of the journey... We have tested LemonLdap in real conditions on many applications used by innovation people:
  26. …Under industrialisation by a specialized team.
     ● First team to « think »:
       - Test LemonLdap and try to find its limits
       - Test the potential architectures
       - Test integration with about 20 applications (GitLab, Nextcloud, Jira & Confluence, DokuWiki, Apache 2, Flexible Engine, Grafana, WebCom, WordPress, OpenStack…)
       - Test authentication protocols and methods (OTP, …)
     ● Another team to « build »:
       - Use the results of the previous level to create an « industrial solution » able to support millions of people
     ● Final team to « run »
  27. Orange-Worteks Partnership
     ● Worteks offers a framework contract for support around LemonLDAP::NG and other free software, with two parts:
       ● Incident management: a ticket can be opened to solve any fault on a production or development system (business hours)
       ● Evolutions: a request can be made to fix bugs or code new features in the software
     ● Any Orange Business Unit can request a contract; prices are already defined
     ● It can then contribute to the LemonLDAP::NG roadmap by requesting evolutions
  28. Thanks to all the contributors. Thank you to all the contributors to this project, for their competence, their good humor and their motivation, which are overcoming all the problems that vainly tried to stand up against us:
     ● The LemonLDAP::NG Team (Clément, Xavier and all the others).
     ● Worteks for the support.
     ● Orange internal contributors: Christian P., Laurence T., Daniel V., David M., Ronan H.B., Aurelien P., Alexandre L., Jean-Louis F.
     ● All other success keys in this project:
  29. Gendarmerie Nationale ST(SI)²
  30. History
     ● 2002: first WebSSO GN (SiteMinder)
     ● Licensing cost: 90 k€/year for 5000 users (target ~1 M€/year) → take LemonLDAP over from the Ministry of Finance
     ● 2005: development of LL::NG (fork); SSO now used by (almost) all civil services
  31. Budget: project build (excluding machine cost)
     ● Between 2005 and 2015: ~150 k€
     ● 2015: 100 k€
     ● 2016 & 2017: 0 €
     ● 2018: 25 k€
     ● 2019: 0 €
  32. Technical team for all ST(SI)² SSO
     ● X. Guimard: lead developer LL::NG
     ● S. Marcq: project manager
     ● A. Rosier & C. Maudoux: developers and administrators
  33. Platforms
     ● Proxyma → GN
     ● CheopsNG → PN
     ● PSI → SP (SAML with interior security services)
     ● Judiweb → SP RIE (government network)
     ● Curasso & Espresso → Internet SSO
     ● SAML with 12 civil services
  34. Proxyma: SSO GN
     ● ~22 million requests/day
     ● ~65 000 unique users/day
     ● 253 different applications used/day
     ● 12 reverse proxies
     ● 7 LDAP servers
     ● 4 portals
  35. Top 10 connection peaks over 10 min (chart)
  36. Top 10 event peaks over 10 min (chart)
  37. Top 10 unique-user peaks over 10 min (chart)
  38. Unique users / month (chart)
  39. « good authentication » / month (chart)
  40. 2019/2020 Evolution
     ● Upgrade all platforms → LL::NG 2.0
     ● Connect Agent implementation
     ● 2FA implementation
     ● Cloud: SSO as a service (DevOps handler + scalability)
  41. THANKS. For more information: info@worteks.com, @worteks_com, linkedin.com/company/worteks
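The handler flow of slides 3, 12 and 15 (SSO cookie → session read → per-application access rules → exported HTTP headers), as an added Python model that is not LemonLDAP::NG code. It assumes a rules.json with `rules` and `headers` keys as in the LL::NG DevOps handler documentation, but evaluates a deliberately restricted rule grammar (`accept`/`deny`, `$attr eq 'value'`, `$attr =~ /regex/`, joined by `and`/`or`) instead of LL::NG's Perl expressions; the session store and cookie values are constructed.

```python
import json
import re

# Constructed rules.json; "rules"/"headers" keys follow the LL::NG DevOps handler docs, grammar is simplified.
CONFIG = json.loads("""{
  "rules": {
    "^/admin/": "$uid eq 'admin' or $groups =~ /admins/",
    "^/public/": "accept",
    "default": "$groups =~ /staff/"
  },
  "headers": {"Auth-User": "$uid", "Auth-Mail": "$mail"}
}""")

# Constructed session store: SSO cookie value -> attributes saved by the portal at login (slide 12).
SESSIONS = {
    "sess-dwho": {"uid": "dwho", "mail": "dwho@example.com", "groups": "staff users"},
    "sess-rtyler": {"uid": "rtyler", "mail": "rtyler@example.com", "groups": "admins staff"},
}

def _term(expr, session):
    """One comparison: $attr eq 'value' or $attr =~ /regex/."""
    m = re.fullmatch(r"\$(\w+) eq '([^']*)'", expr)
    if m:
        return session.get(m[1]) == m[2]
    m = re.fullmatch(r"\$(\w+) =~ /(.*)/", expr)
    if m:
        return re.search(m[2], session.get(m[1], "")) is not None
    raise ValueError(f"unsupported rule term: {expr}")

def evaluate(rule, session):
    """'accept', 'deny', or an or-of-ands over comparison terms (Perl precedence)."""
    if rule in ("accept", "deny"):
        return rule == "accept"
    return any(all(_term(t.strip(), session) for t in conj.split(" and "))
               for conj in rule.split(" or "))

def handle(config, cookie, path):
    """(status, headers): 302 = no session, redirect to portal; 403 = rule refused."""
    session = SESSIONS.get(cookie)
    if session is None:
        return 302, {}
    rule = next((r for pat, r in config["rules"].items()
                 if pat != "default" and re.search(pat, path)),
                config["rules"]["default"])
    if not evaluate(rule, session):
        return 403, {}
    headers = {h: re.sub(r"\$(\w+)", lambda m: session.get(m[1], ""), v)
               for h, v in config["headers"].items()}
    return 200, headers
```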
