LemonLDAP::NG 2.0. OW2con'15, November 17, Paris
Posted on 06-Apr-2017
LemonLDAP::NG 2.0 overview
@clementoudot
Clément OUDOT
http://sflx.ca/coudot
● Founded in 1999
● >100 persons
● Montréal, Quebec City, Ottawa, Paris
● ISO 9001:2004 / ISO 14001:2008
● contact@savoirfairelinux.com
Some history
● 2003: project creation
● 2006: NG version
● 2010: V 1.0 (SAML, CAS, OpenID)
● 2014: V 1.4
● 2016: V 2.0 (OpenID Connect)
Components
● Common
● Manager: administration interface
● Handler: applications protection
● Portal: user interactions
Authentication backends
● LDAP
● AD
● Apache
● SAML
● CAS
● Radius
● OpenID
● WebID
● BrowserID
● DBI
● Yubikey
Self Service
● Password change
● Password reset
● Account creation
AngularJS Manager
● Front end written in AngularJS
● Responsive design
● Configuration data as JSON
● Import/export feature
● Editing of multiple values on the same screen
● Possibility to set a log message on save
Handler API
● No more direct link between the Handler and mod_perl
● Creation of an internal API, with implementations:
– Apache mod_perl 1
– Apache mod_perl 2
– CGI
– Nginx
– PSGI
CAS attributes exchange
● Conforms to the CAS 3.0 standard
● Returns attributes in the service ticket validation response, inside <cas:attributes>
● Compatible with the phpCAS::getAttributes() function
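What a CAS client has to do with such a response is parse the cas:serviceResponse document, refuse anything that is not an explicit authenticationSuccess, and collect the repeated child elements of <cas:attributes> as multi-valued attributes. The parser below is an added example, not LemonLDAP::NG or phpCAS code; the two responses it works on are constructed to match the CAS 3.0 protocol format, and the user name, attribute names and ticket identifier in them are made up.

```python
"""Parse a CAS 3.0 service-ticket validation response.

Added example (not LemonLDAP::NG or phpCAS code). The two responses below are
constructed to match the cas:serviceResponse format of the CAS protocol; the
user name, attribute names and ticket identifier in them are made up.
"""
import xml.etree.ElementTree as ET

CAS_NS = "http://www.yale.edu/tp/cas"


def _tag(name):
    return "{%s}%s" % (CAS_NS, name)


def parse_service_validate(xml_text):
    """Return {"ok": True, "user": ..., "attributes": {...}} for an
    authenticationSuccess response, or {"ok": False, "code": ..., "message": ...}
    for an authenticationFailure response.

    Attributes are returned as name -> list of values, because CAS 3.0 repeats
    the element for multi-valued attributes (group memberships, for instance).
    Anything that is not one of the two documented outcomes raises: a client
    must never treat an unexpected document as a successful login.
    """
    # The response comes from the CAS server over TLS, but parse defensively
    # anyway; for fully untrusted XML prefer defusedxml (blocks entity expansion).
    root = ET.fromstring(xml_text)
    if root.tag != _tag("serviceResponse"):
        raise ValueError("not a cas:serviceResponse document")

    failure = root.find(_tag("authenticationFailure"))
    if failure is not None:
        return {"ok": False, "code": failure.get("code", "UNKNOWN"),
                "message": (failure.text or "").strip()}

    success = root.find(_tag("authenticationSuccess"))
    if success is None:
        raise ValueError("neither authenticationSuccess nor authenticationFailure present")
    user_el = success.find(_tag("user"))
    if user_el is None or not (user_el.text or "").strip():
        raise ValueError("authenticationSuccess without a cas:user element")

    attributes = {}
    attr_block = success.find(_tag("attributes"))
    if attr_block is not None:
        for el in attr_block:
            # strip the namespace: {http://www.yale.edu/tp/cas}mail -> mail
            name = el.tag.split("}", 1)[-1]
            attributes.setdefault(name, []).append((el.text or "").strip())
    return {"ok": True, "user": user_el.text.strip(), "attributes": attributes}


# Constructed sample: what /p3/serviceValidate returns for a valid ticket.
SUCCESS_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationSuccess>
    <cas:user>coudot</cas:user>
    <cas:attributes>
      <cas:mail>coudot@example.com</cas:mail>
      <cas:memberOf>admins</cas:memberOf>
      <cas:memberOf>users</cas:memberOf>
    </cas:attributes>
  </cas:authenticationSuccess>
</cas:serviceResponse>"""

# Constructed sample: an invalid or already-consumed service ticket.
FAILURE_RESPONSE = """<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
  <cas:authenticationFailure code='INVALID_TICKET'>
    Ticket ST-0000-example not recognized
  </cas:authenticationFailure>
</cas:serviceResponse>"""

if __name__ == "__main__":
    print(parse_service_validate(SUCCESS_RESPONSE))
    print(parse_service_validate(FAILURE_RESPONSE))
```

The multi-valued handling matters in practice: a client that keeps only the last <cas:memberOf> would silently drop group memberships and make authorization decisions on incomplete data.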
OpenID Connect
● Based on OAuth 2.0 / JOSE
● Specific scope "openid" to receive an ID token
● User consent required to share their identity
● Access token delivered to query the UserInfo endpoint
● Already used by Google to manage authentication
[Figure: OAuth 2.0 abstract protocol flow (RFC 6749): Authorization Request → Authorization Grant → Authorization Grant → Access Token → Access Token → Protected Resource]
OpenID Connect flow between the RP (Relying Party) and the OP (OpenID Provider):
(1) AuthN Request (RP → OP)
(2) AuthN & AuthZ (at the OP)
(3) AuthN Response (OP → RP)
(4) UserInfo Request (RP → OP)
(5) UserInfo Response (OP → RP)
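The five steps above, with the checks an RP must perform on the way back, as an added example that is not LemonLDAP::NG code. Both sides run in one process: the OP is an in-memory stand-in for an OpenID Provider, and the issuer, client id, client secret, redirect URI and user data are constructed. Assumption: the ID token is an HS256 JWS keyed with the client secret (OIDC Core 10.1 permits this for confidential clients), which keeps the example standard-library only; LemonLDAP::NG's own key material and default signing algorithm are not taken from this page.

```python
# Added example (not LemonLDAP::NG code): an OpenID Connect authorization-code
# exchange with the RP and an in-memory stand-in OP in one process. All names and
# secrets below are constructed. Assumption: the ID token is an HS256 JWS keyed
# with the client secret (OIDC Core 10.1), so only the standard library is needed.
import base64, hashlib, hmac, json, secrets, time
from urllib.parse import parse_qs, urlencode

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, key):
    """Compact JWS (JOSE) over the claims, HMAC-SHA256."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"

class OidcProvider:
    """Minimal OP: authorization, token and UserInfo endpoints kept in memory."""
    def __init__(self, issuer, clients, users):
        self.issuer, self.clients, self.users = issuer, clients, users
        self._codes, self._access_tokens = {}, {}

    def authorize(self, query, user, consent):
        # (2) The user is authenticated at the OP and asked to consent.
        q = parse_qs(query)
        client_id = q["client_id"][0]
        if client_id not in self.clients or "openid" not in q["scope"][0].split():
            raise ValueError("unknown client or not an OpenID Connect request")
        if not consent:
            return {"error": "access_denied", "state": q["state"][0]}
        code = secrets.token_urlsafe(16)
        self._codes[code] = {"sub": user, "client_id": client_id, "nonce": q["nonce"][0],
                             "redirect_uri": q["redirect_uri"][0]}
        return {"code": code, "state": q["state"][0]}  # (3) AuthN response

    def token(self, code, client_id, client_secret, redirect_uri):
        grant = self._codes.pop(code, None)  # an authorization code is single use
        if (grant is None or grant["client_id"] != client_id or grant["redirect_uri"] != redirect_uri
                or not hmac.compare_digest(self.clients[client_id], client_secret)):
            return {"error": "invalid_grant"}
        now = int(time.time())
        id_token = sign_hs256({"iss": self.issuer, "sub": grant["sub"], "aud": client_id, "iat": now,
                               "exp": now + 300, "nonce": grant["nonce"]}, client_secret.encode())
        access_token = secrets.token_urlsafe(16)
        self._access_tokens[access_token] = grant["sub"]
        return {"access_token": access_token, "token_type": "Bearer", "id_token": id_token}

    def userinfo(self, bearer):
        # (5) UserInfo response, only for a live access token
        sub = self._access_tokens.get(bearer)
        return {"error": "invalid_token"} if sub is None else {"sub": sub, **self.users[sub]}

def verify_id_token(token, key, issuer, client_id, nonce, now=None):
    """RP-side checks from OIDC Core 3.1.3.7: alg, signature, iss, aud, exp, nonce."""
    now = int(time.time()) if now is None else now
    header_b64, body_b64, sig_b64 = token.split(".")  # ValueError unless exactly 3 parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # the token must not choose its own algorithm
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    aud = claims.get("aud")
    if claims.get("iss") != issuer or client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong issuer or audience")
    if claims.get("exp", 0) <= now:
        raise ValueError("ID token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch, possible replay")
    return claims

def id_token_is_valid(*args, **kwargs):
    try:
        return bool(verify_id_token(*args, **kwargs))
    except ValueError:
        return False

def run_exchange(consent=True):
    """Drive steps (1) to (5) and return what the RP learns about the user."""
    issuer, client_id, secret = "https://auth.example.com", "demo-rp", "s3cret-shared-with-rp"
    redirect_uri = "https://rp.example.com/cb"
    op = OidcProvider(issuer, {client_id: secret}, {"coudot": {"email": "coudot@example.com"}})
    state, nonce = secrets.token_urlsafe(8), secrets.token_urlsafe(8)  # bound to the RP session
    # (1) AuthN request: the RP redirects the browser to the OP's authorization endpoint
    query = urlencode({"response_type": "code", "scope": "openid email", "client_id": client_id,
                       "redirect_uri": redirect_uri, "state": state, "nonce": nonce})
    resp = op.authorize(query, user="coudot", consent=consent)
    if resp.get("state") != state:  # CSRF check on the redirect back to the RP
        raise ValueError("state mismatch")
    if "error" in resp:
        return {"error": resp["error"]}
    tok = op.token(resp["code"], client_id, secret, redirect_uri)
    claims = verify_id_token(tok["id_token"], secret.encode(), issuer, client_id, nonce)
    info = op.userinfo(tok["access_token"])  # (4) UserInfo request carries the access token
    if info.get("sub") != claims["sub"]:  # OIDC Core 5.3.2: UserInfo sub must match the ID token
        raise ValueError("UserInfo sub does not match the ID token")
    return {"sub": claims["sub"], "email": info["email"]}
```

Two details are easy to get wrong on the RP side and are deliberately explicit here: the algorithm is pinned by the RP rather than read from the token header, and the nonce generated in step (1) is checked again inside the ID token in step (3), which is what ties the token to the browser session that started the request.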
France Connect
● The French administration chose OpenID Connect for its next-generation authentication platform
● LemonLDAP::NG 2.0:
– Can be a client of France Connect: users will be able to sign in with their France Connect identity
– Can be a provider for France Connect: France Connect can delegate authentication to LemonLDAP::NG
Thanks for your attention
@clementoudot
http://sflx.ca/coudot