LemonLDAP::NG 2.0 - FOSDEM 2019 (PowerPoint PPT presentation)

SLIDE 1

LemonLDAP::NG 2.0

info@worteks.com

FOSDEM 2019

SLIDE 2

3/2/19

LemonLDAP::NG Software

SLIDE 3

SSO Workflow (diagram: Authentication Portal, Application, trust link between them)

1. First access
2. Authentication
3. Send SSO token
4. Validate SSO token

SLIDE 4

History

  • 2003: Project creation
  • 2006: Fork – version NG
  • 2010: Protocols CAS, SAML and OpenID – Version 1.0
  • 2016: Protocol OpenID Connect
  • 2018: Second factors (2FA) – Version 2.0

SLIDE 5

Main features

  • Web Single Sign On
  • Access control
  • Applications portal
  • Authentication modules choice and chain
  • Password management, account creation
  • Multi-factor authentication (MFA)
  • Protection of Web applications and API/WebServices
  • Graphical customisation
  • Packages for Debian/Ubuntu/RHEL/CentOS

SLIDE 6

Login page

SLIDE 7

Portal with application menu

SLIDE 8

Web Administration interface

SLIDE 9

Command Line Interface

SLIDE 10

Free Software

  • License GPL
  • OW2 project
  • Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
  • Site: https://lemonldap-ng.org
  • OW2 Community Award in 2014
  • SSO component of FusionIAM project: https://fusioniam.org/

SLIDE 11

Component roles (diagram)

  • Shared data: Configurations, Sessions
  • Portal: Application menu, CAS, SAML, OpenID Connect, Self services, SOAP/REST server, Session management
  • Manager: Configurations, Sessions, Notifications, Second factors
  • Handler: Access control, SSOaaS, WebService Token, Custom

SLIDE 12

How the agent (Handler) works

SLIDE 13

Web application (diagram: Sessions store, Portal, Handler, Web Application)

  • Portal: Authentication, Session creation
  • Handler: Session read, SSO cookie, HTTP headers

SLIDE 14

Protocols CAS, SAML and OpenID Connect

SLIDE 15

Main features

  • LL::NG can act as client and as server
  • Attributes sharing
  • Manage authentication contexts and levels
  • Autogeneration of public/private keys
  • Access control per services
  • Publication of configuration data (metadata)
  • Multi-protocols gateway
  • Single logout

SLIDE 16

New in LemonLDAP::NG 2.0

SLIDE 17

Second Factor Authentication (2FA)

  • LemonLDAP::NG can use the following 2FA:
    • TOTP
    • U2F
    • TOTP or U2F
    • External
    • REST
    • Yubikey

SLIDE 18

Configuration backends

  • Already existing backends:
    • JSON file
    • Database
    • LDAP
    • NoSQL (MongoDB)
    • SOAP
  • New backends:
    • YAML file
    • REST
    • Local (no backend, only lemonldap-ng.ini file)

SLIDE 19

Node JS Handler

  • Native integration in Express application
  • Rules and headers configured in Javascript
  • https://github.com/LemonLDAPNG/node-lemonldap-ng-handler

npm install node-lemonldap-ng-handler

SLIDE 20

DevOps (SSO as a Service)

  • Authentication managed by the portal
  • Access control and HTTP headers configuration set in a local JSON file
  • Allows quick application deployment without needing to edit the main SSO configuration

SLIDE 21

DevOps (SSO as a Service) (diagram: Sessions store, Portal, Handler, Web Application)

  • Portal: Authentication, Session creation
  • Handler: Session read, SSO cookie, HTTP headers
  • rules.json (local to the application): Access rules, Exported headers
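The DevOps mode of the last two slides (a rules file local to the application, holding access rules and exported headers, evaluated by the Handler against the session it reads) as an added example. This is illustrative code, not LemonLDAP::NG's own Handler or its rules.json syntax: the rules-file layout, the session store and the Auth-* header names are constructed for this example.

```javascript
// Added example, not LemonLDAP::NG code. The rules file below is a constructed
// stand-in for the application's local rules.json: path regex -> predicate over
// the session, plus the headers exported to the application.
const rulesFile = {
  rules: [
    { match: "^/admin", allow: (s) => s !== null && s.groups.includes("admins") },
    { match: "^/public", allow: () => true },
    { match: "^/", allow: (s) => s !== null },   // default: any authenticated user
  ],
  // exported header name -> session attribute it is filled from
  headers: { "Auth-User": "uid", "Auth-Mail": "mail", "Auth-Groups": "groups" },
};

// Constructed session store, standing in for the shared Sessions backend.
const sessions = {
  "sid-alice": { uid: "alice", mail: "alice@example.org", groups: ["users"] },
  "sid-bob":   { uid: "bob",   mail: "bob@example.org",   groups: ["users", "admins"] },
};

// Handler decision for one request: resolve the SSO cookie to a session, apply
// the first rule whose regex matches the path, and build the headers the
// protected application receives. `incoming` is the client's own header set.
function handle(cookieSid, path, incoming = {}, file = rulesFile) {
  const session = sessions[cookieSid] || null;
  const rule = file.rules.find((r) => new RegExp(r.match).test(path));
  if (!rule || !rule.allow(session)) return { allowed: false, headers: null };

  // Strip every exported header name from the client's headers first (case-
  // insensitively), so a forged Auth-User sent by the client never reaches
  // the application; only the Handler may set those.
  const exported = new Set(Object.keys(file.headers).map((k) => k.toLowerCase()));
  const headers = Object.fromEntries(
    Object.entries(incoming).filter(([k]) => !exported.has(k.toLowerCase()))
  );
  for (const [hdr, attr] of Object.entries(file.headers)) {
    const v = session ? session[attr] : undefined;
    if (v !== undefined) headers[hdr] = Array.isArray(v) ? v.join(",") : String(v);
  }
  return { allowed: true, headers };
}
```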

SLIDE 22

API/WebService protection

  • New Handler "Service Token" installed between the application and the WebService
  • The main Handler generates a token based on time, session_id and virtual hosts
  • The token is sent by the application to the WebService
  • The Handler "Service Token" intercepts the token, validates it, applies the access rules and sends HTTP headers to the WebService

SLIDE 23

API – Service Token (diagram: Sessions store, Portal, Handler, Web Application, Handler Service Token, WebService)

  • Portal: Authentication, Session creation
  • Handler: Session read, SSO cookie, HTTP headers, Token (given to the Web Application)
  • Handler Service Token: Token (received from the Web Application), Session read, HTTP headers (sent to the WebService)

SLIDE 24

Authentication modules

  • New modules:
    • PAM
    • REST
    • Kerberos (GSSAPI)
    • CAS (attributes reading)
  • Multi is replaced by Combination
  • Custom module

SLIDE 25

Administration interface

  • Configurations comparator: differences between two configurations are displayed in a tree
  • Second factors administration (search, revoke)
  • Sort sessions by creation date or modification date

SLIDE 26

RENATER/eduGAIN

  • Support of RENATER / eduGAIN via SAML2:
    • Service Provider
    • Identity Provider
  • Call to Identity Provider selection page (WAYF) via SAML Discovery Protocol
  • Metadata bulk import script

SLIDE 27

Plugin engine

  • Portal code was fully rewritten, and it now allows writing plugins
  • Plugin examples, provided by default:
    • Auto Signin: direct authentication for some IP
    • Brute Force: protect against brute-force attacks
    • Stay Connected: "remember me" button
    • Public Pages: create static pages using portal skin
  • Write a custom plugin: https://lemonldap-ng.org/documentation/latest/plugincustom

SLIDE 28

Other new features

  • A user can refresh rights without disconnect/reconnect
  • REST services for configurations and sessions
  • Select language before authentication
  • New graphical theme built with Bootstrap 4
  • Logo customization (used in graphical theme and sent mails)
  • Log system choice (syslog, Apache, Log4Perl, Sentry...)

SLIDE 29

THANKS

For more information:

  • info@worteks.com
  • @worteks_com
  • linkedin.com/company/worteks