Lemonldap::NG, open-source Web-SSO of the French administrations

What is « Gendarmerie Nationale »
  ● 4300 agencies (300 overseas)
  ● 105,000 users
  ● 1 private network connecting all agencies
  ● 2 datacenters
What is Lemonldap::NG
  ● A powerful distributed Web-SSO system:
      ● an assembly of well-tested open-source libraries
      ● based on the mod_perl API, so it runs inside Apache
  ● It centrally manages authentication, propagation of user attributes and access control
  ● It includes a sophisticated access-rights management
History of the project
  ● 2002: first Web-SSO launched on the Gendarmerie's network
  ● 2003: Lemonldap developed by the Ministry of Finance
  ● 2004: studies to replace the Gendarmerie's existing Web-SSO
  ● 2005: Lemonldap::NG developed and deployed by the Gendarmerie
  ● 2006: Lemonldap::NG chosen by the Feder-Id project to become a Liberty Alliance Service Provider
  ● 2009: the Gendarmerie is funding the SAML 2 extension
Lemonldap::NG on the Gendarmerie's network
  ● 105,000 users
  ● average of 40,000 concurrent sessions
  ● about 100 protected applications (98% of the whole), among which:
      ● all in-house applications (J2EE and PHP)
      ● SAP
      ● FUDforum
      ● MediaWiki
      ● Sympa management interface
      ● Nagios (like all applications based on Apache htaccess)
      ● ...
Feedback and use cases

Double cookie
  ● Separate protection for HTTP and HTTPS connections, so that less secure applications don't weaken the others: the session cookie used by HTTPS applications (lemonldap) carries the "secure" attribute and is therefore never sent by the browser over clear-text HTTP; applications served over plain HTTP get a second, independent cookie (lemonldaphttp)

    POST / HTTP/1.1
    Host: authentification.gendarmerie.fr

    HTTP/1.x 200 OK
    Date: Tue, 24 Mar 2009 14:18:08 GMT
    Server: Apache
    Set-Proxy-Cookie: lmproxy=4c640e7ff9450bd3cc65c069f3fa920e;
                      domain=gendarmerie.fr; path=/
    Set-Cookie: lemonldap=d8a6a10a88bcfcdddd4906ad55119ad2;
                      domain=gendarmerie.fr; path=/; secure
    Set-Cookie: lemonldaphttp=ae92a75d4c15dd3d5eae40ce386594e7;
                      domain=gendarmerie.fr; path=/
    ...
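The following is an added example and not Lemonldap::NG code: it takes the two Set-Cookie lines from the exchange above, models the one browser rule that matters (a cookie flagged "secure" is only attached to https:// requests), and shows a handler that only ever looks at the cookie belonging to its own vhost's scheme, so a lemonldaphttp value sniffed on a clear-text connection cannot open an HTTPS-protected application. The cookie names and values come from the slide; the host names, the SESSIONS store with its "level" tag, and the handler logic are assumptions made for illustration, and the non-standard Set-Proxy-Cookie header is left aside.

```python
"""Added example, not Lemonldap::NG code: what the double cookie buys you.
Cookie names/values are taken from the slide; host names, SESSIONS and the
handler are assumptions for illustration."""
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# The two Set-Cookie lines returned by the portal (copied from the slide)
PORTAL_SET_COOKIES = [
    "lemonldap=d8a6a10a88bcfcdddd4906ad55119ad2; domain=gendarmerie.fr; path=/; secure",
    "lemonldaphttp=ae92a75d4c15dd3d5eae40ce386594e7; domain=gendarmerie.fr; path=/",
]

# Assumed session store keyed by cookie value: each record is tagged with
# the protection level (scheme) it is allowed to unlock
SESSIONS = {
    "d8a6a10a88bcfcdddd4906ad55119ad2": {"uid": "dupont", "level": "https"},
    "ae92a75d4c15dd3d5eae40ce386594e7": {"uid": "dupont", "level": "http"},
}


def parse_set_cookie(line):
    """Return name, value and the attributes that matter for transport."""
    jar = SimpleCookie()
    jar.load(line)
    name = next(iter(jar))
    morsel = jar[name]
    return {"name": name, "value": morsel.value,
            "domain": morsel["domain"], "secure": bool(morsel["secure"])}


def cookies_sent_by_browser(cookies, url):
    """Browser model: a cookie flagged `secure` travels only over https://."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    sent = {}
    for c in cookies:
        in_domain = host == c["domain"] or host.endswith("." + c["domain"])
        if in_domain and (parts.scheme == "https" or not c["secure"]):
            sent[c["name"]] = c["value"]
    return sent


def handler(scheme, cookie_header):
    """Handler in front of a protected vhost: look only at the cookie that
    belongs to this vhost's scheme, and refuse a session record that was
    issued for the other level (a value moved under the wrong cookie name).
    Returns the session, or None (the real handler redirects to the portal)."""
    wanted = "lemonldap" if scheme == "https" else "lemonldaphttp"
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    if wanted not in jar:
        return None
    session = SESSIONS.get(jar[wanted].value)
    if session is None or session["level"] != scheme:
        return None
    return session


def demo():
    """Walk through both scenarios; host names are assumed for the demo."""
    cookies = [parse_set_cookie(line) for line in PORTAL_SET_COOKIES]
    http_req = cookies_sent_by_browser(cookies, "http://intranet.gendarmerie.fr/")
    https_req = cookies_sent_by_browser(cookies, "https://sap.gendarmerie.fr/")
    return {
        "over_http": sorted(http_req),      # only lemonldaphttp leaves the browser
        "over_https": sorted(https_req),    # both cookies are sent
        # an eavesdropper replays the sniffed clear-text cookie on the HTTPS vhost
        "replay_on_https": handler("https", "lemonldaphttp=" + http_req["lemonldaphttp"]),
        # the legitimate user on the HTTPS vhost
        "legit_on_https": handler("https", "lemonldap=" + https_req["lemonldap"]),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The second check in handler (the "level" tag) matters because the cookie name alone is under the client's control: an attacker who captured lemonldaphttp could resend its value under the name lemonldap, so the session store, not the cookie name, has to say which protection level a session was issued for.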
Internet authentication
  ● The « Proxy-Cookie » (the lmproxy cookie in the exchange above) lets the Single Sign-On also control access to the Internet through the proxy
Performances
  ● Overhead of 3 ms per hit
  ● Average of 40,000 concurrent sessions
  ● Servers can check more than 3,000 requests per minute without any slowdown
Session Explorer
Development environment
  ● Principles:
      ● developers must have a valid account (the « real user's account »)
      ● they can choose any other account (the « spoofed user's account ») to test access control
      ● accounting and access rules involve both the spoofed user's and the real user's attributes
Login form
Session Explorer
  Accounting is done with both identities (spoofed user's / real user's)
Sharing authentication with remote applications
  ● Extending the core environment with additional features to enable sharing of authentication with remote applications:
      ● only a short list of attributes is exported to remote applications
Principles
Client-Server over HTTP
  ● Lemonldap::NG provides 2 ways to control access from non-browser clients:
      ● SOAP authentication: the client obtains a cookie through a SOAP request, then uses the cookie as a normal browser would
      ● HTTP Basic authentication: the application is protected by an agent (handler) which queries the portal by SOAP with the user/password transmitted by the client (through the Basic mechanism):
          – authorization still uses Lemonldap::NG rules
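The following is an added example and not Lemonldap::NG code. It models, in one piece, the two non-browser flows just described and the development-environment spoofing from the earlier slide: a portal login that returns a session id (standing in for the SOAP call), a handler that accepts either that session cookie or an Authorization: Basic header, and access rules that see both the spoofed identity (uid/groups) and the real one (real_uid/real_groups), with an accounting line that logs both. The user directory, passwords, URL paths, rule set and the restriction that only members of a "developers" group may spoof another account are all assumptions made for illustration; the real product expresses rules as Perl expressions over session variables, which are rendered here as Python callables.

```python
"""Added example, not Lemonldap::NG code: Basic-auth / cookie handler in
front of a non-browser application, with spoofed + real identities.
Directory, rules, paths and the developers-only spoofing are assumptions."""
import base64
import binascii
import hmac
import re
import secrets

# Constructed stand-in for the LDAP directory (assumption)
DIRECTORY = {
    "dupont": {"password": "s3cret", "groups": {"gendarmes"}},
    "durand": {"password": "chef!", "groups": {"gendarmes", "admins"}},
    "dev1":   {"password": "devpass", "groups": {"developers"}},
}

SESSIONS = {}  # session id (the cookie value) -> session attributes


def portal_authenticate(user, password, spoof=None):
    """Models the portal login (a SOAP call in the real product).
    Returns a session id, or None. With `spoof`, uid/groups carry the
    spoofed account while real_uid/real_groups keep the real one."""
    entry = DIRECTORY.get(user)
    if entry is None or not hmac.compare_digest(entry["password"], password):
        return None
    attrs = {"uid": user, "groups": entry["groups"],
             "real_uid": user, "real_groups": entry["groups"]}
    if spoof is not None:
        # Assumption: only members of `developers` may pick another account
        target = DIRECTORY.get(spoof)
        if target is None or "developers" not in entry["groups"]:
            return None
        attrs["uid"], attrs["groups"] = spoof, target["groups"]
    sid = secrets.token_hex(16)
    SESSIONS[sid] = attrs
    return sid


# Access rules, first match wins; the last one is the default for any
# authenticated user. /devtools/ is decided on the REAL identity.
RULES = [
    (re.compile(r"^/admin/"),    lambda s: "admins" in s["groups"]),
    (re.compile(r"^/devtools/"), lambda s: "developers" in s["real_groups"]),
    (re.compile(r"^/"),          lambda s: True),
]


def parse_basic(authorization):
    """Decode an `Authorization: Basic` header into (user, password)."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def accounting_line(path, status, session):
    """Both identities go to the log, as the Session Explorer slide shows."""
    return f"{status} {path} uid={session['uid']} real_uid={session['real_uid']}"


def authorize(path, session):
    """Apply the rules; returns (status, accounting line)."""
    for pattern, rule in RULES:
        if pattern.search(path):
            status = 200 if rule(session) else 403
            return status, accounting_line(path, status, session)
    return 403, accounting_line(path, 403, session)


def handle_cookie(path, cookie_value):
    """Client that logged in through the portal and replays the cookie."""
    session = SESSIONS.get(cookie_value)
    return (401, None) if session is None else authorize(path, session)


def handle_basic(path, authorization):
    """Agent that authenticates a Basic header against the portal on each
    request (a 401 here would carry a WWW-Authenticate: Basic challenge)."""
    cred = parse_basic(authorization)
    sid = portal_authenticate(*cred) if cred else None
    return (401, None) if sid is None else authorize(path, SESSIONS[sid])


def basic_header(user, password):
    """Build the header a client would send."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    print(handle_basic("/admin/", basic_header("dupont", "s3cret")))
    print(handle_cookie("/admin/", portal_authenticate("dev1", "devpass", spoof="durand")))
```

Note that the Basic variant re-authenticates on every request, which is what makes it convenient for scripts and cron jobs but also why it is worth keeping the credentials check inside the portal rather than in each handler: the rules are evaluated against the session the portal built, so policy stays in one place whether the client arrived with a cookie or with a password.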
Conclusion
  ● Cost of the project (for the Gendarmerie):
      ● 4 servers
      ● 4 months of work for 1 developer
  ● Result:
      ● a flexible and suitable solution
Any questions ?
