SlideShare une entreprise Scribd logo

[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG

Worteks
Worteks

MicroServices authentication and authorization with LemonLDAP::NG

Technologie
1  sur  31
Télécharger pour lire hors ligne
MicroServices authentication and authorization with LemonLDAP::NG Clément OUDOT – Identity Solutions Manager clement.oudot@worteks.com
2 (v .t ks)ɔʁ ɛ Services Heterogeneous and complex infrastructures, cloud, mail, authentication, security  Studies, audit and consulting  Technical expertise  Technical support  Training  R&D Edition Collaboration and application portal Mutualized platform for development Identity and Access Management Partnership
3 Single Sign On
4 Imagine SSOng Imagine there are no passwords Or maybe just only one A single secured form To access our applications Imagine all the users Loving security Imagine applications No more storing passwords Relying on a token Even for authorizations Imagine all developers Loving security Imagine some protocols Made by clever people CAS, OpenID or SAML Even WS Federation Imagine authentication Interoperability You may say I'm a hacker But I'm not the only one I hope one day You will log in Using the Single Sign On © John Lennon
5 Authentication Portal Application 2. Authentication 1. First access 3. Send SSO Token Trust link 4. Validate SSO token SSO workflow
6 Y O L O You Only Log Once
7 LemonLDAP::NG Software
8 History 2003 2006 2010 2016 2018 Project creation Fork – version NG Protocols CAS, SAML and OpenID Version 1.0 Protocol OpenID Connect Second factors (2FA) Version 2.0
9 Main features ● Web Single Sign On ● Access control ● Applications portal ● Authentication modules choice and chain ● Password management, account creation ● Multi-factor authentication (MFA) ● Protection of Web applications and API/WebServices ● Graphical customisation ● Packages for Debian/Ubuntu/RHEL/CentOS
10 Login page
11 Portal with application menu
12 Web Administration interface
13 Command Line Interface
14 Free Software ● License GPL ● OW2 project ● Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng ● Site: https://lemonldap-ng.org ● OW2 Community Award in 2014 and 2018 ● SSO component of FusionIAM project: https://fusioniam.org/
15 Component roles Configurations Sessions Portal Manager Handler Application menu CAS SAML OpenID Connect Self Services SOAP/REST server Session management Configurations Sessions Notifications Second factors Access Control SSOaaS Web Service Token Custom
16 Web application protection with Handler Sessions Portal Handler Web Application Authentication Session creation Session read SSO cookie HTTP headers
17 Identity Federation
12/06/19 18 Main features ● LL::NG can act as client and as server ● Attributes sharing ● Manage authentication contexts and levels ● Autogeneration of public/private keys ● Access control per services ● Publication of configuration data (metadata) ● Multi-protocols gateway ● Single logout
12/06/19 19 CAS CAS client CAS server First access Redirection for authentication Service TicketService Ticket Service ticket validation Access to identity
12/06/19 20 SAML Service Provider (SP) Identity Provider (IDP) First access IDP choice Authentication request Authentication responseAuthentication response Signature verification Read assertion
12/06/19 21 OpenID Connect Relying Party (RP) OpenID Provider (OP) First access OP choice Authentication request JWT JWT Signature verification Read JWT Get UserInfo
22 API / WebService protection
12/06/19 23 How to protect a WebService ● Global authentication: – HTTP Basic – SSL client certificate ● User oriented authentication?
12/06/19 24 LL::NG ServiceToken Handler ● New Handler "Service Token" installed between application and WebService ● Main Handler generates a token based on time session_id and virtual hosts: cipher(time, session_id, vhost_list) ● The token is sent by application to WebService ● The Handler "Service Token" intercepts the token, validates it and apply access rules, and sent HTTP headers to WebService
12/06/19 25 LL::NG ServiceToken Handler Sessions Portal Handler Web Application Authentication Session creation Session read SSO cookie HTTP headers Token Handler Service Token Web Service Token HTTP headers Session read
12/06/19 26 Using OAuth2 ● When LL::NG acts as OIDC provider, it delivers an OAuth2 access token ● This access token can be validated with different operations: – Call /oauth2/userinfo, which will return user attributes – Call /oauth2/introspect, which will return token information (including the token owner) – see RFC 7662 – Use LL::NG OAuth2 Handler
12/06/19 27 LL::NG OAuth2 Handler Sessions Portal Web Application Authentication Session creation OIDC response Handler OAuth2 Web Service Access Token HTTP headers Session read ID Token Access Token
12/06/19 28 Example – UserInfo Endpoint $ curl -k -H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" https://auth.openid.club/oauth2/userinfo | json_pp {   "family_name" : "OUDOT",   "name" : "Clément OUDOT",   "email" : "clement@oodo.net",   "sub" : "coudot" }
12/06/19 29 Example – Intropsection Endpoint $ curl -k -H "Authorization: Basic bGVtb25sZGFwOnNlY3JldA==" -X POST -d "token=a74d504ec9e784785e70a1da2b95d1d2" https://auth.openid.club/oauth2/introspect | json_pp { "client_id" : "lemonldap", "sub" : "coudot", "exp" : 1572446485, "active" : true, "scope" : "openid profile address email phone" }
12/06/19 30 Example – Oauth2 Handler $ curl -k -H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" https://oauth2.openid.club/api.pl { "check" : "true", "user" : "coudot" }
31 Thanks for your attention More informations: info@worteks.com @worteks_com linkedin.com/company/worteks

Recommandé

CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
Vladimir Dzhuvinov
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/SovrinFOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
Calvin Cheng
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
Prabath Siriwardena
 
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + CordaCordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Vasiliy Suvorov
 

Recommandé

CIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID ConnectCIS14: Working with OAuth and OpenID Connect
CIS14: Working with OAuth and OpenID Connect
CloudIDSummit
 
Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0Protecting web APIs with OAuth 2.0
Protecting web APIs with OAuth 2.0
Vladimir Dzhuvinov
 
OpenID Connect: An Overview
OpenID Connect: An OverviewOpenID Connect: An Overview
OpenID Connect: An Overview
Pat Patterson
 
OAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId ConnectOAuth 2.0 and OpenId Connect
OAuth 2.0 and OpenId Connect
Saran Doraiswamy
 
Full stack security
Full stack securityFull stack security
Full stack security
DPC Consulting Ltd
 
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/SovrinFOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
FOSSASIA 2018 Self-Sovereign Identity with Hyperledger Indy/Sovrin
Calvin Cheng
 
Understanding OpenID
Understanding OpenIDUnderstanding OpenID
Understanding OpenID
Prabath Siriwardena
 
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + CordaCordacon 2018 - Cordentity - Hyperledger Indy + Corda
Cordacon 2018 - Cordentity - Hyperledger Indy + Corda
Vasiliy Suvorov
 
SSL Certificate: Stamp of Web Security
SSL Certificate: Stamp of Web SecuritySSL Certificate: Stamp of Web Security
SSL Certificate: Stamp of Web Security
HTS Hosting
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2
Mike Schwartz
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs
Vasiliy Suvorov
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
Oliver Pfaff
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
Vladimir Bychkov
 
SSL Certificate and Code Signing
SSL Certificate and Code SigningSSL Certificate and Code Signing
SSL Certificate and Code Signing
Li-Wei Yao
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
Torsten Lodderstedt
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
Justin Richer
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
Torsten Lodderstedt
 
Masterclass on the DID Universal Resolver
Masterclass on the DID Universal ResolverMasterclass on the DID Universal Resolver
Masterclass on the DID Universal Resolver
Markus Sabadello
 
Technologies for Self-Sovereign Identity
Technologies for Self-Sovereign IdentityTechnologies for Self-Sovereign Identity
Technologies for Self-Sovereign Identity
Markus Sabadello
 
Decentralized Identifiers
Decentralized IdentifiersDecentralized Identifiers
Decentralized Identifiers
Markus Sabadello
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
VMware Tanzu
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
WSO2
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
FIDO Alliance
 
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Gokul Alex
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
Salesforce Developers
 
6 Key Blockchain Features You Need to Know Now
6 Key Blockchain Features You Need to Know Now6 Key Blockchain Features You Need to Know Now
6 Key Blockchain Features You Need to Know Now
101 Blockchains
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
Eugene Siow
 
Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
Sylvain Maret
 
Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04
Synacts
 

Contenu connexe

Tendances

OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
Salesforce Developers
 
6 Key Blockchain Features You Need to Know Now
6 Key Blockchain Features You Need to Know Now6 Key Blockchain Features You Need to Know Now
6 Key Blockchain Features You Need to Know Now
101 Blockchains
 

Tendances (20)

SSL Certificate: Stamp of Web Security
SSL Certificate: Stamp of Web SecuritySSL Certificate: Stamp of Web Security
SSL Certificate: Stamp of Web Security
 
OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2OpenID Connect vs. OpenID 1 & 2
OpenID Connect vs. OpenID 1 & 2
 
Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs Verifiable Credentials, Self Sovereign Identity and DLTs
Verifiable Credentials, Self Sovereign Identity and DLTs
 
OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?OpenID Connect - An Emperor or Just New Cloths?
OpenID Connect - An Emperor or Just New Cloths?
 
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
2019 - Tech Talk DC - Token-based security for web applications using OAuth2 ...
 
SSL Certificate and Code Signing
SSL Certificate and Code SigningSSL Certificate and Code Signing
SSL Certificate and Code Signing
 
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...OpenID Connect: The new standard for connecting to your Customers, Partners, ...
OpenID Connect: The new standard for connecting to your Customers, Partners, ...
 
OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)OpenID Connect 4 SSI (at EIC 2021)
OpenID Connect 4 SSI (at EIC 2021)
 
Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2Mit 2014 introduction to open id connect and o-auth 2
Mit 2014 introduction to open id connect and o-auth 2
 
OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)OpenID Connect 4 SSI (DIFCon F2F)
OpenID Connect 4 SSI (DIFCon F2F)
 
Masterclass on the DID Universal Resolver
Masterclass on the DID Universal ResolverMasterclass on the DID Universal Resolver
Masterclass on the DID Universal Resolver
 
Technologies for Self-Sovereign Identity
Technologies for Self-Sovereign IdentityTechnologies for Self-Sovereign Identity
Technologies for Self-Sovereign Identity
 
Decentralized Identifiers
Decentralized IdentifiersDecentralized Identifiers
Decentralized Identifiers
 
An Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices WorldAn Authentication and Authorization Architecture for a Microservices World
An Authentication and Authorization Architecture for a Microservices World
 
Identity Management for Web Application Developers
Identity Management for Web Application DevelopersIdentity Management for Web Application Developers
Identity Management for Web Application Developers
 
FIDO2 Specifications Overview
FIDO2 Specifications OverviewFIDO2 Specifications Overview
FIDO2 Specifications Overview
 
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
Hyperledger Indy Platform - Privacy, Security and Power for Digital Identity ...
 
OpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for BeginnersOpenID Connect and Single Sign-On for Beginners
OpenID Connect and Single Sign-On for Beginners
 
6 Key Blockchain Features You Need to Know Now
6 Key Blockchain Features You Need to Know Now6 Key Blockchain Features You Need to Know Now
6 Key Blockchain Features You Need to Know Now
 
OpenID Connect 1.0 Explained
OpenID Connect 1.0 ExplainedOpenID Connect 1.0 Explained
OpenID Connect 1.0 Explained
 

Similaire à [POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG

JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
PROIDEA
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
David Waite
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
Brian Spector
 

Similaire à [POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG (20)

Authentication and strong authentication for Web Application
Authentication and strong authentication for Web ApplicationAuthentication and strong authentication for Web Application
Authentication and strong authentication for Web Application
 
Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04Digital ID Protocol - Presentation 2015-12-04
Digital ID Protocol - Presentation 2015-12-04
 
JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...JDD2015: Security in the era of modern applications and services - Bolesław D...
JDD2015: Security in the era of modern applications and services - Bolesław D...
 
MuleSoft Surat Virtual Meetup#19 - Identity and Client Management With MuleSoft
MuleSoft Surat Virtual Meetup#19 - Identity and Client Management With MuleSoftMuleSoft Surat Virtual Meetup#19 - Identity and Client Management With MuleSoft
MuleSoft Surat Virtual Meetup#19 - Identity and Client Management With MuleSoft
 
WebRTC Identity in SAML Federations
WebRTC Identity in SAML FederationsWebRTC Identity in SAML Federations
WebRTC Identity in SAML Federations
 
Auth proxy pattern on Kubernetes
Auth proxy pattern on KubernetesAuth proxy pattern on Kubernetes
Auth proxy pattern on Kubernetes
 
Access management
Access managementAccess management
Access management
 
O auth2 with angular js
O auth2 with angular jsO auth2 with angular js
O auth2 with angular js
 
Identity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAMLIdentity and Client Management using OpenID Connect and SAML
Identity and Client Management using OpenID Connect and SAML
 
Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2Cartes Asia Dem 2010 V2
Cartes Asia Dem 2010 V2
 
OpenID Connect Explained
OpenID Connect ExplainedOpenID Connect Explained
OpenID Connect Explained
 
CIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John BradleyCIS 2015 Extreme OpenID Connect - John Bradley
CIS 2015 Extreme OpenID Connect - John Bradley
 
Codemash-2017
Codemash-2017Codemash-2017
Codemash-2017
 
Securing RESTful API
Securing RESTful APISecuring RESTful API
Securing RESTful API
 
[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black[WSO2Con EU 2018] Identity APIs is the New Black
[WSO2Con EU 2018] Identity APIs is the New Black
 
Openstack identity protocols unconference
Openstack identity protocols unconferenceOpenstack identity protocols unconference
Openstack identity protocols unconference
 
Presentation
PresentationPresentation
Presentation
 
Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016Apache Milagro Presentation at ApacheCon Europe 2016
Apache Milagro Presentation at ApacheCon Europe 2016
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
Distributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdfDistributed Authorization with Open Policy Agent.pdf
Distributed Authorization with Open Policy Agent.pdf
 

Plus de Worteks

Plus de Worteks (20)

[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
[Open Source Experience 2021] Une infrastructure Cloud et une solution IDaaS ...
 
[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service[Identity Days 2021] W'IDaaS - Identity as a Service
[Identity Days 2021] W'IDaaS - Identity as a Service
 
[Identity Days 2021] Quel avenir pour OpenLDAP ?
[Identity Days 2021] Quel avenir pour OpenLDAP ?[Identity Days 2021] Quel avenir pour OpenLDAP ?
[Identity Days 2021] Quel avenir pour OpenLDAP ?
 
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
[Pass the SALT 2021] Hosting Identity in the Cloud with free softwares
 
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
[OW2con'21] Hosting Identity in the Cloud with OW2 free softwares
 
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
[AFUP Lyon 2021] LDAP Tool Box Self Service Password[AFUP Lyon 2021] LDAP Tool Box Self Service Password
[AFUP Lyon 2021] LDAP Tool Box Self Service Password
 
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
[OpenDay 2021] Logiciel libre, entreprises et modèles économiques
 
[Campus du Libre 2020] Présentation de la solution W'Sweet
[Campus du Libre 2020] Présentation de la solution W'Sweet[Campus du Libre 2020] Présentation de la solution W'Sweet
[Campus du Libre 2020] Présentation de la solution W'Sweet
 
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
[Identity Days 2020] Politique des mots de passe des annuaires LDAP et outils...
 
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
[Université Lyon 1] Exemples de logiciels libres : LemonLDAP::NG et W'Sweet
 
[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...
[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...
[Pass the SALT 2020] Understand password policy in OpenLDAP and discover tool...
 
[OW2online 2020] LDAP Synchronization Connector
[OW2online 2020] LDAP Synchronization Connector[OW2online 2020] LDAP Synchronization Connector
[OW2online 2020] LDAP Synchronization Connector
 
[Aperhologramme 2020] Comment faire du logiciel libre ?
[Aperhologramme 2020] Comment faire du logiciel libre ?[Aperhologramme 2020] Comment faire du logiciel libre ?
[Aperhologramme 2020] Comment faire du logiciel libre ?
 
[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?[POSS 2019] OVirt and Ceph: Perfect Combination.?
[POSS 2019] OVirt and Ceph: Perfect Combination.?
 
[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies[POSS 2019] TLS for Dummies
[POSS 2019] TLS for Dummies
 
[POSS 2019] Learn AWK in 15 minutes
[POSS 2019] Learn AWK in 15 minutes[POSS 2019] Learn AWK in 15 minutes
[POSS 2019] Learn AWK in 15 minutes
 
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Feder...
 
[LDAPCon 2019] The FusionIAM initiative
[LDAPCon 2019] The FusionIAM initiative[LDAPCon 2019] The FusionIAM initiative
[LDAPCon 2019] The FusionIAM initiative
 
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
[Identity Days 2019] Maîtrisez les accès à vos applications Web (Cloud et On...
 
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
[RedHat Forum 2019] REX - COMMENT MONTER UNE OFFRE DE CLOUD EN MARQUE BLANCHE...
 

Dernier

CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
giselly40
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
Delhi Call girls
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Dernier (20)

Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Evaluating the top large language models.pdf
Evaluating the top large language models.pdfEvaluating the top large language models.pdf
Evaluating the top large language models.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 

[POSS 2019] MicroServices authentication and authorization with LemonLDAP::NG

  • 1. MicroServices authentication and authorization with LemonLDAP::NG Clément OUDOT – Identity Solutions Manager clement.oudot@worteks.com
  • 2. 2 (v .t ks)ɔʁ ɛ Services Heterogeneous and complex infrastructures, cloud, mail, authentication, security  Studies, audit and consulting  Technical expertise  Technical support  Training  R&D Edition Collaboration and application portal Mutualized platform for development Identity and Access Management Partnership
  • 4. 4 Imagine SSOng Imagine there are no passwords Or maybe just only one A single secured form To access our applications Imagine all the users Loving security Imagine applications No more storing passwords Relying on a token Even for authorizations Imagine all developers Loving security Imagine some protocols Made by clever people CAS, OpenID or SAML Even WS Federation Imagine authentication Interoperability You may say I'm a hacker But I'm not the only one I hope one day You will log in Using the Single Sign On © John Lennon
  • 5. 5 Authentication Portal Application 2. Authentication 1. First access 3. Send SSO Token Trust link 4. Validate SSO token SSO workflow
  • 6. 6 Y O L O You Only Log Once
  • 8. 8 History 2003 2006 2010 2016 2018 Project creation Fork – version NG Protocols CAS, SAML and OpenID Version 1.0 Protocol OpenID Connect Second factors (2FA) Version 2.0
  • 9. 9 Main features ● Web Single Sign On ● Access control ● Applications portal ● Authentication modules choice and chain ● Password management, account creation ● Multi-factor authentication (MFA) ● Protection of Web applications and API/WebServices ● Graphical customisation ● Packages for Debian/Ubuntu/RHEL/CentOS
  • 14. 14 Free Software ● License GPL ● OW2 project ● Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng ● Site: https://lemonldap-ng.org ● OW2 Community Award in 2014 and 2018 ● SSO component of FusionIAM project: https://fusioniam.org/
  • 15. 15 Component roles Configurations Sessions Portal Manager Handler Application menu CAS SAML OpenID Connect Self Services SOAP/REST server Session management Configurations Sessions Notifications Second factors Access Control SSOaaS Web Service Token Custom
  • 16. 16 Web application protection with Handler Sessions Portal Handler Web Application Authentication Session creation Session read SSO cookie HTTP headers
  • 18. 12/06/19 18 Main features ● LL::NG can act as client and as server ● Attributes sharing ● Manage authentication contexts and levels ● Autogeneration of public/private keys ● Access control per services ● Publication of configuration data (metadata) ● Multi-protocols gateway ● Single logout
  • 19. 12/06/19 19 CAS CAS client CAS server First access Redirection for authentication Service TicketService Ticket Service ticket validation Access to identity
  • 20. 12/06/19 20 SAML Service Provider (SP) Identity Provider (IDP) First access IDP choice Authentication request Authentication responseAuthentication response Signature verification Read assertion
  • 21. 12/06/19 21 OpenID Connect Relying Party (RP) OpenID Provider (OP) First access OP choice Authentication request JWT JWT Signature verification Read JWT Get UserInfo
  • 22. 22 API / WebService protection
  • 23. 12/06/19 23 How to protect a WebService ● Global authentication: – HTTP Basic – SSL client certificate ● User oriented authentication?
  • 24. 12/06/19 24 LL::NG ServiceToken Handler ● New Handler "Service Token" installed between application and WebService ● Main Handler generates a token based on time session_id and virtual hosts: cipher(time, session_id, vhost_list) ● The token is sent by application to WebService ● The Handler "Service Token" intercepts the token, validates it and apply access rules, and sent HTTP headers to WebService
  • 25. 12/06/19 25 LL::NG ServiceToken Handler Sessions Portal Handler Web Application Authentication Session creation Session read SSO cookie HTTP headers Token Handler Service Token Web Service Token HTTP headers Session read
  • 26. 12/06/19 26 Using OAuth2 ● When LL::NG acts as OIDC provider, it delivers an OAuth2 access token ● This access token can be validated with different operations: – Call /oauth2/userinfo, which will return user attributes – Call /oauth2/introspect, which will return token information (including the token owner) – see RFC 7662 – Use LL::NG OAuth2 Handler
  • 27. 12/06/19 27 LL::NG OAuth2 Handler Sessions Portal Web Application Authentication Session creation OIDC response Handler OAuth2 Web Service Access Token HTTP headers Session read ID Token Access Token
  • 28. 12/06/19 28 Example – UserInfo Endpoint $ curl -k -H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" https://auth.openid.club/oauth2/userinfo | json_pp {   "family_name" : "OUDOT",   "name" : "Clément OUDOT",   "email" : "clement@oodo.net",   "sub" : "coudot" }
  • 29. 12/06/19 29 Example – Intropsection Endpoint $ curl -k -H "Authorization: Basic bGVtb25sZGFwOnNlY3JldA==" -X POST -d "token=a74d504ec9e784785e70a1da2b95d1d2" https://auth.openid.club/oauth2/introspect | json_pp { "client_id" : "lemonldap", "sub" : "coudot", "exp" : 1572446485, "active" : true, "scope" : "openid profile address email phone" }
  • 30. 12/06/19 30 Example – Oauth2 Handler $ curl -k -H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" https://oauth2.openid.club/api.pl { "check" : "true", "user" : "coudot" }
  • 31. 31 Thanks for your attention More informations: info@worteks.com @worteks_com linkedin.com/company/worteks