Jdll 2010 lemon_ldap-ng_100_preview

Transcript of the slide deck (32 pages)

Page 1

LemonLDAP::NG 1.00

Clément OUDOT

JDLL 2010, Lyon, France

Page 2

http://lemonldap-ng.org

10/14/10

Table of contents

● Single Sign On
● The LemonLDAP::NG project
● How it works
● Main features
● What's new?

Page 3

Single Sign On

Page 4

Password management

● More and more applications and online services require our credentials

● As the number of passwords grows, password strength goes down

Page 5

Centralized authentication

● Centralizing credentials is a way to decrease the number of passwords

● This still requires users to log on to every service

Page 6

Single Sign On authentication

● Single Sign On authentication lets users submit their credentials only once and then access all trusted applications

● Applications no longer manage passwords

● The identity of the user is forwarded to the applications by the SSO software

Page 7

Delegation Single Sign On

Page 8

Reverse Proxy Single Sign On

Page 9

The LemonLDAP::NG project

Page 10

History

● LemonLDAP was founded in 2003 by Eric GERMAN (MINEFI) to replace Novell WebSSO product (Novell → llevon → Lemon)

● Like Novell or SiteMinder, LemonLDAP uses HTTP headers to forward user identity

● LemonLDAP::NG is a complete rewrite of LemonLDAP, founded by Xavier GUIMARD (Gendarmerie Nationale) in 2005

● Thomas CHEMINEAU and Clément OUDOT (LINAGORA) complete the core team.

Page 11

Technical implementation

● LemonLDAP::NG main components:
  ● Portal: authentication process, user interaction, application menu, password change form
  ● Manager: configuration interface, sessions explorer
  ● Handler: Apache agent, manages access authorizations

● Perl, only Perl, just Perl

● Relies on Apache and mod_perl

Page 12

Default architecture

Page 13

How it works

Page 14

Single Sign On process

Page 15

Single Sign On process

1. User tries to access a protected application; the request is caught by the Handler

2. No SSO cookie is detected, so the Handler redirects the user to the Portal

3. User authenticates on the Portal

4. Portal checks authentication

5. If authentication succeeds, Portal collects user data

6. Portal creates a session to store user data

7. Portal gets the session key

8. Portal creates the SSO cookie with the session key as value

9. User is redirected to the protected application with the new cookie

10. Handler reads the session key from the cookie and fetches the session

11. Handler stores user data in its cache

12. Handler checks the access rule and sends headers to the protected application

13. Protected application sends its response to the Handler

14. Handler sends the response to the user

Page 16

Authentication process

● Control URL origin: prevent XSS attacks and bad redirections

● Control existing session: detect SSO session, apply configured constraints (1 session per user, 1 session per IP, ...)

● Extract form info: get login/password, certificate, environment variable (depending on authentication module)

● Get user info: contact user database to collect attributes

● Set macros: compute configured macros

● Set groups: request user database to find groups

● Set local groups: compute configured groups

● Authenticate: contact authentication database to check credentials

● Grant session: check rights to open SSO session

● Store: store user info in session database

● Build cookie: build SSO cookie with session ID

● Redirect: redirect user to the protected application or to the Portal
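The Portal pipeline of this slide, as an added example written for this transcript (it is not LemonLDAP::NG's own code). The configuration keys, user records, password hashes, macro and grant-rule expressions and the cookie name `lemonldap` are constructed for the example, and `check_url_origin` is one way to implement the "control URL origin" step, not the project's implementation. That check is the part worth studying: it accepts only absolute http(s) URLs whose host is the SSO domain or a subdomain of it, which refuses `javascript:` URLs, foreign hosts and userinfo tricks such as `https://evil.example@app.example.com/`.

```perl
# Added example, not LemonLDAP::NG code: the Portal steps of the
# "Authentication process" slide as plain Perl. All names and data are constructed.
use strict;
use warnings;
use Digest::SHA qw(sha256_hex);   # core module

my %conf = (
    domain       => 'example.com',                 # SSO cookie domain
    portal       => 'https://auth.example.com/',   # fallback redirect target
    cookie_name  => 'lemonldap',
    timeout      => 7200,                          # session lifetime, seconds
    timeout_idle => 900,                           # idle timeout, seconds
);

# Constructed user database (attributes) and authentication database (password hashes).
my %users = (
    jdoe => { uid => 'jdoe', sn => 'doe', gn => 'john', ou => 'IT',    groups => 'users; admin' },
    bob  => { uid => 'bob',  sn => 'lee', gn => 'bob',  ou => 'Sales', groups => 'guests' },
);
my %authdb = ( jdoe => sha256_hex('correct horse'), bob => sha256_hex('hunter2') );

# Macros and local groups are Perl expressions over session data, as in the slides.
my %macros = (
    cn   => sub { ucfirst($_[0]{gn}) . ' ' . uc($_[0]{sn}) },
    mail => sub { "$_[0]{uid}\@$conf{domain}" },
);
my %local_groups = ( it_staff => sub { $_[0]{ou} eq 'IT' } );
# Grant session rule: only members of "users" may open an SSO session.
my $grant_rule = sub { $_[0]{groups} =~ /(?:^|; )users(?:;|$)/ };

my %session_store;   # session ID => session data (File/LDAP/SQL/noSQL in a real deployment)

# Control URL origin: accept only http(s) URLs whose host is the SSO domain or a subdomain.
# Other schemes, foreign hosts and "user@host" tricks fail the host pattern and are refused.
sub check_url_origin {
    my ($url, $domain) = @_;
    return 0 unless defined $url;
    my ($host) = $url =~ m{^https?://([A-Za-z0-9.-]+)(?::\d+)?(?:[/?#]|\z)} or return 0;
    $host = lc $host;
    return ($host eq $domain || $host =~ /\.\Q$domain\E\z/) ? 1 : 0;
}

# Control existing session: lifetime and idle timeout both have to hold.
sub session_valid {
    my ($s, $now) = @_;
    return 0 if $now - $s->{_start}     > $conf{timeout};
    return 0 if $now - $s->{_last_seen} > $conf{timeout_idle};
    return 1;
}

# Build cookie: Secure so it travels only over TLS, HttpOnly so scripts cannot read it.
sub build_cookie {
    my ($id) = @_;
    return "$conf{cookie_name}=$id; Domain=$conf{domain}; Path=/; Secure; HttpOnly";
}

# One login attempt; returns a hashref describing the outcome instead of an HTTP response.
sub portal_login {
    my %req = @_;   # uid, password, url, cookie, now
    my $now = $req{now};
    my $target = check_url_origin($req{url}, $conf{domain}) ? $req{url} : $conf{portal};
    if (defined $req{cookie}) {
        my $old = $session_store{$req{cookie}};
        if ($old && session_valid($old, $now)) {
            $old->{_last_seen} = $now;
            return { status => 'ok', reused => 1, redirect => $target, session => $old };
        }
        delete $session_store{$req{cookie}};   # expired: purge instead of trusting it
    }
    # Authenticate against the authentication database.
    my $h = $authdb{ $req{uid} // '' };
    return { status => 'bad_credentials' }
        unless defined $h && defined $req{password} && $h eq sha256_hex($req{password});
    # Get user info, set macros, set local groups.
    my %s = ( %{ $users{ $req{uid} } }, _start => $now, _last_seen => $now );
    $s{$_} = $macros{$_}->(\%s) for sort keys %macros;
    my @lg = grep { $local_groups{$_}->(\%s) } sort keys %local_groups;
    $s{groups} = join '; ', $s{groups}, @lg if @lg;
    return { status => 'not_granted' } unless $grant_rule->(\%s);
    # Store, then build the SSO cookie. The ID below is for the example only; a real
    # Portal must draw session IDs from a cryptographically secure random source.
    my $id = sha256_hex(join '|', $req{uid}, $now, $$, rand());
    $session_store{$id} = \%s;
    return { status => 'ok', cookie => build_cookie($id), redirect => $target, session => \%s };
}

# Usage: a trusted redirect URL, a foreign redirect URL, and a user the grant rule refuses.
for my $try (
    [ uid => 'jdoe', password => 'correct horse', url => 'https://app.example.com/secret' ],
    [ uid => 'jdoe', password => 'correct horse', url => 'https://evil.example/' ],
    [ uid => 'bob',  password => 'hunter2',       url => 'https://app.example.com/' ],
) {
    my $r = portal_login(@$try, now => time);
    print $r->{status}, ($r->{redirect} ? " -> $r->{redirect}" : ''),
          ($r->{cookie} ? "\n  Set-Cookie: $r->{cookie}" : ''), "\n";
}
```

The three trial logins print, in order: ok with a redirect to the application URL and the cookie attributes; ok with the redirect replaced by the Portal address, because the supplied URL points at a foreign host; and not_granted for the user whose groups do not satisfy the grant rule. The session ID generation is the deliberately weak part of the toy: it only has to be unique here, whereas a real Portal's IDs must be unpredictable.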

Page 17

Application protection

● LemonLDAP::NG uses Apache virtual host as application identifier

● Each application owns:
  ● Access rules: each rule refers to a URL pattern; logout can be caught
  ● HTTP headers: each header contains a session value, or an evaluated Perl expression
  ● POST data: only used for form replay
  ● Redirection options: protocol and port

Page 18

Examples

● Access rules:
  ● default → accept
  ● ^/admin → $groups =~ /admin/
  ● ^/logout.php → logout_sso

● HTTP headers:
  ● Auth-User → $uid
  ● Auth-Name → uc($sn).", ".ucfirst($gn)
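The Handler's part of the process (steps 10 to 12 on page 15) together with the access rules and headers listed above, as an added example written for this transcript rather than code from LemonLDAP::NG itself. The session store, the cookie name `lemonldap`, the URIs and the user records are constructed, and evaluating the rules in order with `default` as the fallback is this example's choice. Besides the cookie lookup and the header expressions from the slide, it shows a check any header-based SSO deployment needs: identity headers supplied by the client are dropped before the Handler sets its own, so a direct request cannot forge `Auth-User`.

```perl
# Added example, not LemonLDAP::NG code: a toy Handler reproducing the decision
# the real Handler makes for one request. Sessions, cookie name and URIs are constructed.
use strict;
use warnings;

# Constructed session store: what the Portal wrote and the Handler fetches (step 10).
# Keys are the SSO cookie values.
my %sessions = (
    'a3f9c1d2e4b5' => { uid => 'jdoe',   sn => 'doe',   gn => 'john',  groups => 'users; admin' },
    '77bb20a1c0ff' => { uid => 'asmith', sn => 'smith', gn => 'alice', groups => 'users' },
);

# Constructed virtual host configuration, using the slide's examples.
# Rules are tried in order; 'default' applies when no URL pattern matched.
my $cookie_name = 'lemonldap';
my @rules = (
    [ qr{^/logout\.php} => 'logout_sso' ],
    [ qr{^/admin}       => sub { $_[0]{groups} =~ /admin/ } ],
    [ 'default'         => sub { 1 } ],                        # accept
);
my %headers = (
    'Auth-User' => sub { $_[0]{uid} },
    'Auth-Name' => sub { uc($_[0]{sn}) . ", " . ucfirst($_[0]{gn}) },
);

# Extract the SSO session ID from a Cookie request header; undef if absent.
sub session_id_from_cookie {
    my ($cookie_header) = @_;
    return undef unless defined $cookie_header;
    for my $pair (split /;\s*/, $cookie_header) {
        my ($k, $v) = split /=/, $pair, 2;
        return $v if defined $v && $k eq $cookie_name;
    }
    return undef;
}

# One request through the Handler. Returns a hashref with
# action => redirect_portal | logout | forbidden | forward, plus headers on forward.
sub handle_request {
    my ($uri, $cookie_header, $client_headers) = @_;
    my $id = session_id_from_cookie($cookie_header);
    my $session = defined $id ? $sessions{$id} : undef;
    # Step 2: no usable SSO cookie, so send the user to the Portal.
    return { action => 'redirect_portal' } unless $session;

    # Step 12: the first matching rule decides.
    for my $r (@rules) {
        my ($pattern, $rule) = @$r;
        next unless $pattern eq 'default' || $uri =~ $pattern;
        return { action => 'logout' } if !ref $rule;          # logout_sso
        return { action => 'forbidden' } unless $rule->($session);
        last;
    }

    # Headers the application trusts come only from the session: any same-named
    # header sent by the client is removed first, so a user cannot forge Auth-User.
    my %out = %{ $client_headers || {} };
    delete $out{$_} for keys %headers;
    $out{$_} = $headers{$_}->($session) for keys %headers;
    return { action => 'forward', headers => \%out };
}

# Usage: no cookie, a non-admin on /admin, an admin who also tries to inject Auth-User, a logout.
for my $case (
    [ '/index.html',  undef ],
    [ '/admin/users', 'lemonldap=77bb20a1c0ff' ],
    [ '/admin/users', 'other=1; lemonldap=a3f9c1d2e4b5', { 'Auth-User' => 'root' } ],
    [ '/logout.php',  'lemonldap=a3f9c1d2e4b5' ],
) {
    my $res = handle_request(@$case);
    printf "%-14s %-38s -> %s%s\n", $case->[0], $case->[1] // '(no cookie)', $res->{action},
        $res->{headers} ? " Auth-User=$res->{headers}{'Auth-User'} Auth-Name=$res->{headers}{'Auth-Name'}" : '';
}
```

Run with `perl handler.pl`: the request without a cookie yields redirect_portal, the non-admin user on /admin yields forbidden, the admin yields forward with `Auth-User=jdoe` and `Auth-Name=DOE, John` (the injected `Auth-User: root` is gone), and /logout.php yields logout. The applications behind the Handler must accept these headers only from the proxy itself, for example by listening on an address only the Handler can reach, because the headers carry no proof of origin.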

Page 19

Configuration

● Configuration is shared between all components

● It can be stored in:
  ● Local files
  ● SQL database
  ● LDAP directory

● Configuration is also available through SOAP

Page 20

Configuration interface

Page 21

Cookies and sessions

● Cookies and sessions have a lifetime
● Sessions can also have an idle timeout
● Sessions can be stored in File, LDAP, SQL, noSQL (Memcached, Redis, Cassandra, …)
● Sessions are also available through SOAP
● Cookies can be flagged to travel only on secure connections
● Cross domain is managed

Page 22

Main features

Page 23

Authentication methods

● LemonLDAP::NG supports a lot of authentication methods:
  ● LDAP
  ● Database
  ● SSL X509
  ● Apache built-in modules (Kerberos, OTP, ...)
  ● SAML 2.0
  ● OpenID
  ● Twitter
  ● CAS

● Methods can be stacked or displayed together

Page 24

Advanced LDAP integration

● LemonLDAP::NG can use some LDAP specificities:
  ● Protocol v2/v3
  ● Authentication filter
  ● Password policy (account locking, change constraints, force renewal)
  ● Recursive groups
  ● LDAPS or StartTLS

● Active Directory is supported through LDAP

Page 25

Identity provider

● LemonLDAP::NG is a federation product, allowing services to get user identity through standard protocols:
  ● SAML 2.0
  ● OpenID 2.0
  ● CAS 1.0 and 2.0

Page 26

SAML 2.0 conformance

Requests and responses issuing (columns grouped as IDP / SP / SLO)

Binding        AuthnResponse  AuthnRequest  AttributeRequest  SLO Request  SLO Response
               (IDP)          (SP)          (SP)
HTTP GET       OK             OK            -                 OK           OK
HTTP POST      OK             OK            -                 OK           OK
Artifact GET   OK             OK            -                 -            -
Artifact POST  OK             OK            -                 -            -
SOAP           -              -             OK                OK           OK

Requests and responses consuming (columns grouped as IDP / SP / SLO)

Binding        AuthnRequest  AuthnResponse  AttributeResponse  SLO Request  SLO Response
               (IDP)         (SP)           (SP)
HTTP GET       OK            OK             OK                 OK           OK
HTTP POST      OK            OK             OK                 OK           OK
Artifact GET   OK            OK             OK                 -            -
Artifact POST  OK            OK             OK                 -            -
SOAP           -             -              OK                 OK           OK

Page 27

Other SAML 2.0 features

● LemonLDAP::NG is SP, IDP, AA (attribute authority) and proxy IDP

● Common Domain Cookie support
● Metadata can be loaded through HTTP
● Each partner can have a specific attribute mapping
● A lot of options to customize SAML requests and responses

Page 28

What's new?

Page 29

What's new?

● LemonLDAP::NG 1.00 is a real enhancement over previous versions; it represents one year of full-time work.

● Main changes are:
  ● Single configuration text file (lemonldap-ng.ini)
  ● All configuration parameters in Manager
  ● Issuer interface module (for SAML, CAS, OpenID)
  ● Grant session rule
  ● Authentication levels customization
  ● Authentication choice

Page 30

What's new?

● On community side:
  ● New bug tracker: http://jira.ow2.org
  ● New site: http://lemonldap-ng.org

Page 31

Roadmap

● LemonLDAP::NG 1.00 is a big step, but the road is long

● Some ideas:
  ● Import/export configurations in Manager
  ● XACML/WSF
  ● OAuth
  ● Password wallet for form replay

Page 32

Try it now!

http://lemonldap-ng.org