LemonLDAP::NG 2.0. OW2con'15, November 17, Paris.

LemonLDAP::NG 2.0 overview @clementoudot

Transcript of LemonLDAP::NG 2.0. OW2con'15, November 17, Paris.

Clément OUDOT
http://sflx.ca/coudot

● Founded in 1999
● >100 persons
● Montréal, Quebec City, Ottawa, Paris
● ISO 9001:2004 / ISO 14001:2008
● [email protected]

LemonLDAP::NG Presentation


Some history

● 2003: Project creation
● 2006: NG version
● 2010: V 1.0 (SAML, CAS, OpenID)
● 2014: V 1.4
● 2016: V 2.0 (OpenID Connect)

Single Sign On

[Diagram: User, Web Application and WebSSO Portal, linked by numbered steps 1, 2, 3]

Access Control

[Diagram: User and Web Application, with numbered steps 1, 2, 3 labelled SSO and Authorization]

Components

● Common
● Manager: administration interface
● Portal: user interactions
● Handler: applications protection

Authentication backends

● LDAP
● AD
● Apache
● SAML
● CAS
● Radius
● OpenID
● WebID
● BrowserID
● DBI
● Yubikey

Self Service

● Password change
● Password reset
● Account creation

Identity protocols gateway

● SAML
● CAS
● OpenID

Overview of version 2.0


AngularJS Manager

● FrontEnd written with AngularJS
● Responsive design
● Configuration data as JSON
● Import/Export feature
● Editing of multiple values on the same screen
● Possibility to set a log message on save

Handler API

● No more direct link between Handler and mod_perl
● Creation of an internal API, with implementations:
  – Apache mod_perl 1
  – Apache mod_perl 2
  – CGI
  – Nginx
  – PSGI

Portal skin background


CAS attributes exchange

● Conforms to the CAS 3.0 standard
● Returns attributes in the service ticket validation response, inside <cas:attributes>
● Compatible with the phpCAS::getAttributes() function

OpenID Connect

● Based on OAuth 2.0 / JOSE
● Specific scope “openid” to receive an ID token
● User consent required to share their identity
● Access token delivered to request the UserInfo endpoint
● Already used by Google to manage authentication

Roles

● Resource owner (end-user)
● Client (third-party)
● Authorization Server
● Resource Server

[Diagram: message sequence between the roles above]

(1) Authorization Request (client to resource owner)
(2) Authorization Grant (resource owner to client)
(3) Authorization Grant (client to authorization server)
(4) Access Token (authorization server to client)
(5) Access Token (client to resource server)
(6) Protected Resource (resource server to client)

OpenID Connect flow between the RP (Relying Party) and the OP (OpenID Provider):

(1) AuthN Request
(2) AuthN & AuthZ
(3) AuthN Response
(4) UserInfo Request
(5) UserInfo Response

http://jwt.io/
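The ID token returned in step (3) is a JWS in the JOSE compact format, the same format jwt.io decodes. The following is an added example, not code from the talk or from LemonLDAP::NG: a minimal Python issuer/validator pair showing the RP-side checks on an ID token (pinned alg, signature, iss, aud, exp, nonce). The client_id, issuer URL and client secret are constructed values, and HS256 keyed with the client secret is assumed for brevity (OIDC Core permits it; production OPs usually sign with RS256 and publish a JWKS).

```python
import base64, hashlib, hmac, json, time

# Constructed example values (not from the talk): the RP's client_id, the OP's
# issuer URL, and the client secret used as the HS256 key. OpenID Connect allows
# HS256 ID tokens keyed with the client secret; RS256 with a JWKS is more common.
CLIENT_ID = "example-rp"
ISSUER = "https://op.example.test"
CLIENT_SECRET = b"constructed-client-secret-for-demo"

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_id_token(claims: dict, key: bytes) -> str:
    """Build a compact JWS (header.payload.signature) with HS256, as the OP would."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token: str, key: bytes, expected_nonce: str, now: int = None) -> dict:
    """RP-side checks (OIDC Core 3.1.3.7): signature, iss, aud, exp, nonce. Raises ValueError."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust the one the token announces
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if not (aud == CLIENT_ID or (isinstance(aud, list) and CLIENT_ID in aud)):
        raise ValueError("token not issued for this client")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != expected_nonce:  # nonce binds the token to this RP session
        raise ValueError("nonce mismatch")
    return claims
```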


France Connect

● The French administration chose OpenID Connect for its next generation authentication platform

● LemonLDAP::NG 2.0:
  – Can be a client of France Connect: users will be able to sign in with their France Connect identity
  – Can be a provider for France Connect: France Connect can delegate authentication to LemonLDAP::NG

Thanks for your attention

@clementoudot

http://sflx.ca/coudot