Jdll 2010 lemon_ldap-ng_100_preview
LemonLDAP::NG 1.00
Clément OUDOT
JDLL 2010, Lyon, France
LemonLDAP::NG
http://lemonldap-ng.org
10/14/10
Table of contents
● Single Sign On
● The LemonLDAP::NG project
● How it works
● Main features
● What's new?
Single Sign On
Password management
● More and more applications or electronic services requiring our credentials
● When passwords number grows, passwords strength goes down
Centralized authentication
● Centralizing credentials is a way to decrease the number of passwords
● This still requires users to log on to every service
Single Sign On authentication
● Single Sign On authentication allows users to submit their credentials only once and then access all trusted applications
● Applications do not manage passwords anymore
● The identity of the user is forwarded to applications by the SSO software
Delegation Single Sign On
Reverse Proxy Single Sign On
The LemonLDAP::NG project
History
● LemonLDAP was founded in 2003 by Eric GERMAN (MINEFI) to replace Novell WebSSO product (Novell → llevon → Lemon)
● Like Novell or SiteMinder, LemonLDAP uses HTTP headers to forward user identity
● LemonLDAP::NG is a complete rewrite of LemonLDAP, founded by Xavier GUIMARD (Gendarmerie Nationale) in 2005
● Thomas CHEMINEAU and Clément OUDOT (LINAGORA) complete the core team.
Technical implementation
● LemonLDAP::NG main components:
  ● Portal: authentication process, user interaction, application menu, password change form
  ● Manager: configuration interface, sessions explorer
  ● Handler: Apache agent, manages access authorizations
● Perl, only Perl, just Perl
● Relies on Apache and mod_perl
Default architecture
How it works
Single Sign On process
Single Sign On process
1. User tries to access a protected application; the request is caught by the Handler
2. No SSO cookie is detected, so the Handler redirects the user to the Portal
3. User authenticates on the Portal
4. Portal checks authentication
5. If authentication succeeds, the Portal collects user data
6. Portal creates a session to store user data
7. Portal gets the session key
8. Portal creates the SSO cookie with the session key as value
9. User is redirected to the protected application with the new cookie
10. Handler reads the session key from the cookie and fetches the session
11. Handler stores user data in its cache
12. Handler checks the access rule and sends headers to the protected application
13. Protected application sends its response to the Handler
14. Handler sends the response to the user
Authentication process
● Control URL origin: prevent XSS attacks and bad redirections
● Control existing session: detect SSO session, apply configured constraints (1 session per user, 1 session per IP, ...)
● Extract form info: get login/password, certificate, environment variable (depending on authentication module)
● Get user info: contact user database to collect attributes
● Set macros: compute configured macros
● Set groups: request user database to find groups
● Set local groups: compute configured groups
● Authenticate: contact authentication database to check credentials
● Grant session: check rights to open SSO session
● Store: store user info in session database
● Build cookie: build SSO cookie with session ID
● Redirect: redirect user to the protected application or to the Portal
Application protection
● LemonLDAP::NG uses the Apache virtual host as application identifier
● Each application owns:
  ● Access rules: each rule refers to a URL pattern; logout can be caught
  ● HTTP headers: each header contains a session value or an evaluated Perl expression
  ● POST data: only used for form replay
  ● Redirection options: protocol and port
Examples
● Access rules:
  ● default → accept
  ● ^/admin → $groups =~ /admin/
  ● ^/logout.php → logout_sso
● HTTP headers:
  ● Auth-User → $uid
  ● Auth-Name → uc($sn).", ".ucfirst($gn)
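As an added illustration (not LemonLDAP::NG's own code) of the Handler steps on the "Single Sign On process" slide and of the rules and headers above, this Perl script models how one request is handled: the in-memory session store, the user attributes, the ordering of the rules and the hypothetical handle_request function are simplifications assumed for the example.

```perl
use strict;
use warnings;

# Constructed session store: session ID (the SSO cookie value) -> user attributes.
# A real deployment keeps sessions in a File, LDAP, SQL or noSQL backend.
my %sessions = (
    'a1b2c3' => { uid => 'jdoe',   sn => 'doe',   gn => 'john', groups => 'users; admin' },
    'd4e5f6' => { uid => 'asmith', sn => 'smith', gn => 'anna', groups => 'users' },
);

# Access rules from the slide, most specific first; 'default' applies when nothing matches.
my @rules = (
    [ qr{^/logout\.php} => 'logout_sso' ],
    [ qr{^/admin}       => sub { $_[0]->{groups} =~ /admin/ } ],
);
my $default_rule = sub { 1 };    # default -> accept

# HTTP headers from the slide: header name -> Perl expression over session values.
my %headers = (
    'Auth-User' => sub { $_[0]->{uid} },
    'Auth-Name' => sub { uc($_[0]->{sn}) . ", " . ucfirst($_[0]->{gn}) },
);

# One request = (SSO cookie value or undef, requested path).
# Returns { action => 'redirect_portal' | 'logout' | 'deny' | 'allow', headers => {...} }.
sub handle_request {
    my ($cookie, $path) = @_;
    my $session = defined $cookie ? $sessions{$cookie} : undef;
    # Steps 1-2: no cookie or unknown session ID -> send the user to the Portal.
    return { action => 'redirect_portal' } unless $session;
    # Step 12: pick the first rule whose pattern matches the URL, else the default.
    my $rule = $default_rule;
    for my $r (@rules) {
        if ($path =~ $r->[0]) { $rule = $r->[1]; last; }
    }
    return { action => 'logout' } if !ref($rule) && $rule eq 'logout_sso';
    return { action => 'deny' } unless $rule->($session);
    # Build the headers forwarded to the protected application.
    my %h = map { ($_ => $headers{$_}->($session)) } sort keys %headers;
    return { action => 'allow', headers => \%h };
}

# Constructed requests: anonymous, regular user, admin user, logout.
for my $req ([undef, '/index.php'], ['d4e5f6', '/admin/users'],
             ['a1b2c3', '/admin/users'], ['a1b2c3', '/logout.php']) {
    my $res = handle_request(@$req);
    my $hdr = $res->{headers} ? join('; ', map { "$_: $res->{headers}{$_}" } sort keys %{ $res->{headers} }) : '';
    printf "%-9s %-13s -> %s %s\n", $req->[0] // 'no-cookie', $req->[1], $res->{action}, $hdr;
}
```

The regular user is denied on ^/admin while the admin user is allowed and gets Auth-User: jdoe and Auth-Name: DOE, John, which is exactly the header expression shown on the slide.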
Configuration
● Configuration is shared between all components
● It can be stored in:
  ● Local files
  ● SQL database
  ● LDAP directory
● Configuration is also available through SOAP
Configuration interface
Cookies and sessions
● Cookies and sessions have a lifetime
● Sessions can also have an idle timeout
● Sessions can be stored in File, LDAP, SQL, noSQL (Memcached, Redis, Cassandra, …)
● Sessions are also available through SOAP
● Cookies can be protected to travel only on secure connections
● Cross domain is managed
Main features
Authentication methods
● LemonLDAP::NG supports a lot of authentication methods:
  ● LDAP
  ● Database
  ● SSL X509
  ● Apache built-in modules (Kerberos, OTP, ...)
  ● SAML 2.0
  ● OpenID
  ● Twitter
  ● CAS
● Methods can be stacked or displayed together
Advanced LDAP integration
● LemonLDAP::NG can use some LDAP specificities:
  ● Protocol v2/v3
  ● Authentication filter
  ● Password policy (account locking, change constraints, force renewal)
  ● Recursive groups
  ● LDAPS or startTLS
● Active Directory is supported through LDAP
Identity provider
● LemonLDAP::NG is a federation product, allowing services to get the user identity through standard protocols:
  ● SAML 2.0
  ● OpenID 2.0
  ● CAS 1.0 and 2.0
SAML 2.0 conformance
Requests and responses issuing
Binding | IDP: AuthnResponse | SP: AuthnRequest, AttributeRequest | SLO: Request, Response
HTTP GET OK OK OK OK
HTTP POST OK OK OK OK
Artifact GET OK OK
Artifact POST OK OK
SOAP OK OK OK
Requests and responses consuming
Binding | IDP: AuthnRequest | SP: AuthnResponse, AttributeResponse | SLO: Request, Response
HTTP GET OK OK OK OK OK
HTTP POST OK OK OK OK OK
Artifact GET OK OK OK
Artifact POST OK OK OK
SOAP OK OK OK
Other SAML 2.0 features
● LemonLDAP::NG is SP, IDP, AA (attribute authority) and proxy IDP
● Common Domain Cookie support
● Metadata can be loaded through HTTP
● Each partner can have a specific attribute mapping
● A lot of options to customize SAML requests and responses
What's new?
What's new?
● LemonLDAP::NG 1.00 is a real enhancement over previous versions; it represents one year of full-time work.
● Main changes are:
  ● Single configuration text file (lemonldap-ng.ini)
  ● All configuration parameters in Manager
  ● Issuer interface module (for SAML, CAS, OpenID)
  ● Grant session rule
  ● Authentication levels customization
  ● Authentication choice
What's new?
● On the community side:
  ● New bug tracker: http://jira.ow2.org
  ● New site: http://lemonldap-ng.org
Roadmap
● LemonLDAP::NG 1.00 is a big step, but there is still a long way to go
● Some ideas:
  ● Import/export configurations in Manager
  ● XACML/WSF
  ● OAuth
  ● Password wallet for form replay