LEMONLDAP::NG 2.0
FOSDEM 2019
info@worteks.com
LemonLDAP::NG Software
03/02/19
SSO Workflow (diagram: Application, Portal and Authentication, with a trust link between Portal and Application)
1. First access
2. Authentication
3. Send SSO token
4. Validate SSO token
History (timeline from 2003 to 2018: 2003, 2006, 2010, 2016, 2018; milestones listed oldest first)
● Project creation
● Fork – version NG
● Version 1.0
● Protocols CAS, SAML and OpenID
● Protocol OpenID Connect
● Version 2.0: second factors (2FA)
Main features
● Web Single Sign On
● Access control
● Applications portal
● Authentication modules choice and chain
● Password management, account creation
● Multi-factor authentication (MFA)
● Protection of Web applications and API/WebServices
● Graphical customisation
● Packages for Debian/Ubuntu/RHEL/CentOS
Login page (screenshot)
Portal with application menu (screenshot)
Web Administration interface (screenshot)
Command Line Interface (screenshot)
Free Software
● License GPL
● OW2 project
● Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
● Site: https://lemonldap-ng.org
● OW2 Community Award in 2014
● SSO component of FusionIAM project: https://fusioniam.org/
Component roles (diagram)
● Portal: CAS, SAML, OpenID Connect; application menu; self services; session management; notifications; second factors
● Manager: SOAP/REST server; configurations; sessions
● Handler: access control; SSOaaS; WebService; custom token
● Shared stores: configurations, sessions
How the agent (Handler) works (diagram)
● The user authenticates on the Portal, which creates a session and sets the SSO cookie
● The Handler in front of the Web application reads the session from the Sessions store
● The Handler sends HTTP headers to the Web application
Protocols CAS, SAML and OpenID Connect
Main features
● LL::NG can act as client and as server
● Attributes sharing
● Manage authentication contexts and levels
● Autogeneration of public/private keys
● Access control per services
● Publication of configuration data (metadata)
● Multi-protocols gateway
● Single logout
New in LemonLDAP::NG 2.0
Second Factor Authentication (2FA)
● LemonLDAP::NG can use the following 2FA:
  ● TOTP
  ● U2F
  ● TOTP or U2F
  ● External
  ● REST
  ● Yubikey
Configuration backends
● Already existing backends:
  ● JSON file
  ● Database
  ● LDAP
  ● NoSQL (MongoDB)
  ● SOAP
● New backends:
  ● YAML file
  ● REST
  ● Local (no backend, only lemonldap-ng.ini file)
NodeJS Handler
● Native integration in Express application
● Rules and headers configured in Javascript
● https://github.com/LemonLDAPNG/node-lemonldap-ng-handler

npm install node-lemonldap-ng-handler
DevOps (SSO as a Service)
● Authentication managed by portal
● Access control and HTTP headers configuration set in a local JSON file
● Allows quick application deployment without the need to edit the main SSO configuration
DevOps (SSO as a Service) (diagram)
● Authentication on the Portal: session creation, SSO cookie
● Handler: session read, access rules and exported headers taken from a local rules.json file
● Web application receives the HTTP headers
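The following is an added example, not LemonLDAP::NG code, showing the idea behind the DevOps mode above: the Handler reads the user's session, then applies access rules and exports HTTP headers taken from a local JSON file shipped with the application. The file layout (a "rules" map of URL regex to expression plus a "headers" map of header name to expression), the first-match-wins order and the expression syntax are assumptions of this example, not the project's documented rules.json format; the sample file and sessions are constructed.

```python
"""Per-application rules/headers evaluation, in the spirit of the DevOps slide.

Added illustration, not LemonLDAP::NG code. The file format and the
expression language below are assumptions of this example.
"""
import ast
import json
import re

# Constructed sample of the local per-application file described on the slide.
RULES_JSON = """
{
  "rules": {
    "default": "accept",
    "^/admin": "uid == 'admin' or 'admins' in groups",
    "^/logout": "deny"
  },
  "headers": {
    "Auth-User": "uid",
    "Auth-Mail": "mail"
  }
}
"""

# Whitelist of AST nodes: names, constants, comparisons and boolean logic only,
# so a typo or a hostile edit of the file can never become a function call,
# attribute access or import.
_ALLOWED_NODES = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.Compare,
                  ast.Eq, ast.NotEq, ast.In, ast.NotIn, ast.Name, ast.Load,
                  ast.Constant, ast.UnaryOp, ast.Not)


def safe_eval(expr, session):
    """Evaluate a rule or header expression against session attributes.

    Raises ValueError on forbidden syntax; a missing attribute evaluates to "".
    """
    tree = ast.parse(expr, mode="eval")
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED_NODES):
            raise ValueError(f"forbidden syntax in rule: {expr!r}")
    try:
        return eval(compile(tree, "<rule>", "eval"), {"__builtins__": {}}, dict(session))
    except NameError:
        return ""


def rule_allows(rule, session):
    """'accept' and 'deny' are literal decisions; anything else is an expression."""
    if rule == "accept":
        return True
    if rule == "deny":
        return False
    return bool(safe_eval(rule, session))


def compile_rules(raw):
    """Parse the JSON file into (ordered regex rules, default rule, headers)."""
    cfg = json.loads(raw)
    rules = [(re.compile(k), v) for k, v in cfg["rules"].items() if k != "default"]
    return rules, cfg["rules"].get("default", "deny"), cfg.get("headers", {})


def decide(path, session, rules, default):
    """First matching regex wins (assumption of this example); else the default."""
    for rx, rule in rules:
        if rx.search(path):
            return rule_allows(rule, session)
    return rule_allows(default, session)


def exported_headers(headers, session):
    """Compute the HTTP headers the handler would pass to the application."""
    return {name: str(safe_eval(expr, session)) for name, expr in headers.items()}


def handle(path, session, raw=RULES_JSON):
    """Return (status, headers) for a request on `path` by the given session."""
    rules, default, headers = compile_rules(raw)
    if not decide(path, session, rules, default):
        return 403, {}
    return 200, exported_headers(headers, session)


if __name__ == "__main__":
    alice = {"uid": "alice", "groups": ["users"], "mail": "alice@example.com"}
    print(handle("/", alice))            # (200, {'Auth-User': 'alice', 'Auth-Mail': 'alice@example.com'})
    print(handle("/admin/users", alice))  # (403, {})
```

Because the rules file is evaluated by the handler with the full session in scope, its write permissions matter as much as the main SSO configuration's: the AST whitelist keeps a bad rule from executing code, but it cannot stop a writable file from granting access it should not.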
API/WebService protection
● New Handler "Service Token" installed between application and WebService
● Main Handler generates a token based on time, session_id and virtual hosts
● The token is sent by the application to the WebService
● The Handler "Service Token" intercepts the token, validates it, applies access rules and sends HTTP headers to the WebService
API – Service Token (diagram)
● Authentication on the Portal: session creation, SSO cookie
● Handler in front of the Web application: session read, HTTP headers, and a Service Token generated for the Web application
● The Web application sends the token to the WebService
● Handler "Service Token" in front of the WebService: token validation, session read, HTTP headers
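The exchange above, as an added example that is not LemonLDAP::NG code: the slides say the main Handler derives a token from time, session_id and the target virtual hosts, and the "Service Token" Handler validates it before applying access rules and exporting headers. This example realises that with an HMAC under a key shared by both handlers; the key, the encoding, the 30-second lifetime, the session store and the service's access rule are all assumptions of the example, constructed here so it runs offline.

```python
"""Time-bounded service token between an application and a WebService.

Added illustration, not LemonLDAP::NG code: key, encoding, lifetime and
session store are assumptions of this example.
"""
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key; in a real deployment both handlers read it from the SSO configuration.
SHARED_KEY = b"constructed-demo-key-do-not-use"
TOKEN_TTL = 30  # seconds a token stays valid (assumption)

# Constructed session store standing in for the Sessions backend.
SESSIONS = {"sess123": {"uid": "alice", "mail": "alice@example.com"}}


def _b64(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii")


def _unb64(text):
    return base64.urlsafe_b64decode(text.encode("ascii"))


def make_service_token(session_id, vhosts, key=SHARED_KEY, now=None):
    """Main Handler side: bind issue time, session_id and allowed vhosts under an HMAC."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps({"t": issued, "sid": session_id, "vh": sorted(vhosts)},
                         separators=(",", ":")).encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(mac)


def check_service_token(token, target_vhost, key=SHARED_KEY, now=None, ttl=TOKEN_TTL):
    """Service Token Handler side: return the session_id if the token is genuine,
    fresh and issued for target_vhost, otherwise None. The MAC is checked before
    the payload is parsed, so unauthenticated input never reaches the JSON parser."""
    try:
        p_b64, m_b64 = token.split(".")
        payload, mac = _unb64(p_b64), _unb64(m_b64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):  # constant-time comparison
        return None
    data = json.loads(payload)
    ts = now if now is not None else time.time()
    if not (data["t"] <= ts <= data["t"] + ttl):  # stale or future-dated
        return None
    if target_vhost not in data["vh"]:  # issued for a different virtual host
        return None
    return data["sid"]


def service_handler(token, target_vhost, sessions=SESSIONS, now=None):
    """Validate the token, read the session and export headers for the WebService.
    The access rule here (any valid session) is a constructed placeholder."""
    sid = check_service_token(token, target_vhost, now=now)
    session = sessions.get(sid) if sid else None
    if session is None:
        return 401, {}
    return 200, {"Auth-User": session["uid"]}


if __name__ == "__main__":
    tok = make_service_token("sess123", ["api.example.com"])
    print(service_handler(tok, "api.example.com"))    # (200, {'Auth-User': 'alice'})
    print(service_handler(tok, "other.example.com"))  # (401, {})
```

Binding the token to the target virtual host is what keeps a token handed to one WebService from being replayed against another, and the short lifetime bounds the damage if a token leaks from the application's logs or traffic.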
Authentication modules
● New modules:
  ● PAM
  ● REST
  ● Kerberos (GSSAPI)
  ● CAS (attributes reading)
● Multi is replaced by Combination
● Custom module
Administration interface
● Configurations comparator: differences between two configurations are displayed in a tree
● Second factors administration (search, revoke)
● Sort sessions by creation date or modification date
RENATER / eduGAIN
● Support of RENATER / eduGAIN via SAML2:
  ● Service Provider
  ● Identity Provider
● Call to Identity Provider selection page (WAYF) via SAML Discovery Protocol
● Metadata bulk import script
Plugin engine
● Portal code was fully rewritten, and it now allows writing plugins
● Plugin examples, provided by default:
  ● Auto Signin: direct authentication for some IPs
  ● Brute Force: protect against brute-force attacks
  ● Stay Connected: "remember me" button
  ● Public Pages: create static pages using portal skin
● Write a custom plugin: https://lemonldap-ng.org/documentation/latest/plugincustom
Other new features
● A user can refresh rights without disconnect/reconnect
● REST services for configurations and sessions
● Select language before authentication
● New graphical theme built with Bootstrap 4
● Logo customization (used in graphical theme and sent mails)
● Log system choice (syslog, Apache, Log4Perl, Sentry...)
THANKS
For more information: info@worteks.com
@worteks_com
linkedin.com/company/worteks