Open-Source Web-SSO of the French administrations

What is « Gendarmerie Nationale »
● 4300 agencies (300 overseas)
● 105,000 users
● 1 private network connecting all agencies
● 2 datacenters

What is Lemonldap::NG
● A powerful distributed Web-SSO system:
    ● an assembly of well-tested open-source libraries
    ● based on the ModPerl API to run inside Apache
● It centrally manages authentication, propagation of user attributes and access control
● It includes a sophisticated access-rights management

History of the project
● 2002: First Web-SSO launched on the Gendarmerie's network
● 2003: Lemonldap developed by the Ministry of Finance
● 2004: Studies to replace the Gendarmerie's existing Web-SSO
● 2005: Lemonldap::NG developed and deployed by the Gendarmerie
● 2006: Lemonldap::NG is chosen by the Feder-Id project to become a Liberty Alliance Service Provider
● 2009: The Gendarmerie is funding the SAML 2 extension

Lemonldap::NG on the Gendarmerie's network
● 105,000 users
● average of 40,000 sessions at the same time
● about 100 protected applications (98% of the whole), among which:
    ● all specific applications (J2EE and PHP)
    ● SAP
    ● Fudforum
    ● Mediawiki
    ● Sympa management interface
    ● Nagios (all applications based on Apache htaccess)
    ● ...

Feedback and use cases

Double cookie
● Separate protection for HTTP and HTTPS connections, so that less secured applications don't weaken the other ones

    POST / HTTP/1.1
    Host: authentification.gendarmerie.fr

    HTTP/1.x 200 OK
    Date: Tue, 24 Mar 2009 14:18:08 GMT
    Server: Apache
    Set-Proxy-Cookie: lmproxy=4c640e7ff9450bd3cc65c069f3fa920e;
                      domain=gendarmerie.fr; path=/
    Set-Cookie: lemonldap=d8a6a10a88bcfcdddd4906ad55119ad2;
                      domain=gendarmerie.fr; path=/; secure
    Set-Cookie: lemonldaphttp=ae92a75d4c15dd3d5eae40ce386594e7;
                      domain=gendarmerie.fr; path=/
    ...
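The point of the two cookies is that the `secure` flag keeps the `lemonldap` value off cleartext connections, while plain-HTTP applications only ever see `lemonldaphttp`; a value captured from an HTTP application therefore opens nothing on the HTTPS side. The following Python is an added example, not Lemonldap::NG's own code: it models a portal issuing the two cookies and a handler that accepts only the cookie matching its transport. The function names, the session store and the session ids are constructed for illustration, and the `lmproxy` cookie of the Internet-access slide is not modelled.

```python
"""Double-cookie session handling, modelled on the HTTP/HTTPS split shown on
the slide. Added example, not Lemonldap::NG code: helper names are assumptions
and session ids are generated here for illustration."""
import secrets
from http.cookies import SimpleCookie

DOMAIN = "gendarmerie.fr"  # as on the slide


def new_session_ids():
    """Issue two independent session ids at login: one bound to HTTPS-only
    applications, one for plain-HTTP applications (32 hex chars, the same
    shape as the ids on the slide)."""
    return secrets.token_hex(16), secrets.token_hex(16)


def login_set_cookie_headers(https_id, http_id):
    """Build the Set-Cookie headers the portal returns after login.
    The HTTPS cookie carries the secure flag, so a browser never sends it in
    clear; the HTTP cookie has no such flag and is the only one a plain-HTTP
    application ever sees."""
    return [
        f"Set-Cookie: lemonldap={https_id}; domain={DOMAIN}; path=/; secure",
        f"Set-Cookie: lemonldaphttp={http_id}; domain={DOMAIN}; path=/",
    ]


def session_for_request(scheme, cookie_header, sessions):
    """Handler-side check: pick the cookie that matches the transport and
    resolve it to a session record; None when no acceptable cookie is there.
    A plain-HTTP cookie is refused on an HTTPS vhost even if a client sends
    it, so a lemonldaphttp value seen in clear cannot be replayed against the
    better-protected applications."""
    wanted = "lemonldap" if scheme == "https" else "lemonldaphttp"
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    morsel = jar.get(wanted)
    if morsel is None:
        return None
    return sessions.get(morsel.value)


def demo():
    """Walk through one login and three requests; returns the pieces so a
    caller can inspect them."""
    https_id, http_id = new_session_ids()
    # constructed session store: both ids belong to the same user
    sessions = {https_id: {"uid": "dupont"}, http_id: {"uid": "dupont"}}
    headers = login_set_cookie_headers(https_id, http_id)
    ok_https = session_for_request("https", f"lemonldap={https_id}", sessions)
    replay = session_for_request("https", f"lemonldaphttp={http_id}", sessions)
    ok_http = session_for_request("http", f"lemonldaphttp={http_id}", sessions)
    return headers, ok_https, replay, ok_http


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Run as a script it prints the two Set-Cookie lines, the two resolved sessions and `None` for the attempted replay of the HTTP cookie against the HTTPS handler.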
Internet authentication
● The « Proxy-Cookie » enables the Single-Sign-On to control access to the Internet

    POST / HTTP/1.1
    Host: authentification.gendarmerie.fr

    HTTP/1.x 200 OK
    Date: Tue, 24 Mar 2009 14:18:08 GMT
    Server: Apache
    Set-Proxy-Cookie: lmproxy=4c640e7ff9450bd3cc65c069f3fa920e;
                      domain=gendarmerie.fr; path=/
    Set-Cookie: lemonldap=d8a6a10a88bcfcdddd4906ad55119ad2;
                      domain=gendarmerie.fr; path=/; secure
    Set-Cookie: lemonldaphttp=ae92a75d4c15dd3d5eae40ce386594e7;
                      domain=gendarmerie.fr; path=/
    ...

Performances
● Overhead of 3 ms per hit
● Average of 40,000 sessions at the same time
● servers can check more than 3,000 queries per minute without any slowdown

Session Explorer
Development environment
● Principles:
    ● developers must have a valid account (the « real user's account »)
    ● they can choose any other account (the « spoofed user's account ») to test access control
    ● accounting and access rules involve both the spoofed user's and the real user's attributes

Login form
Session Explorer
● Accounting is done with both identities (spoofed user's / real user's)

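To make the two-identity principle concrete, here is an added Python example (not Lemonldap::NG code) of a session that carries both a real and a spoofed identity, access rules evaluated over the pair, and an accounting line that records both. The accounts, attribute names, rules and the "only developers may spoof" constraint are constructed for the example; the project's own rule syntax is not used.

```python
"""Access rules and accounting over two identities (real and spoofed user).
Added example, not Lemonldap::NG code; accounts, attributes and rules are
constructed."""
from datetime import datetime, timezone

# Constructed accounts: a developer's real account and two accounts the
# developer may choose to "spoof" while exercising access control.
ACCOUNTS = {
    "dev.martin": {"uid": "dev.martin", "groups": {"developers"}},
    "agent.durand": {"uid": "agent.durand", "groups": {"agents"}},
    "chef.leroy": {"uid": "chef.leroy", "groups": {"agents", "managers"}},
}

# Constructed rules: URL prefix -> predicate over (real, spoofed) attributes.
# The application's own rule is driven by the spoofed identity; the real
# identity is still available to rules that want to restrict further.
RULES = {
    "/admin": lambda real, spoofed: "managers" in spoofed["groups"],
    "/agents": lambda real, spoofed: "agents" in spoofed["groups"],
}


def can_spoof(real):
    """Constructed policy: only members of 'developers' may pick another
    account; enforced once, when the session is built."""
    return "developers" in real["groups"]


def build_session(real_uid, spoofed_uid=None):
    """Log in with the real account and optionally attach a spoofed one.
    Without spoofing, both identities are the same account."""
    real = ACCOUNTS[real_uid]
    if spoofed_uid is None or spoofed_uid == real_uid:
        return {"real": real, "spoofed": real}
    if not can_spoof(real):
        raise PermissionError("only developers may choose a spoofed account")
    return {"real": real, "spoofed": ACCOUNTS[spoofed_uid]}


def authorize(session, path):
    """Apply the first rule whose prefix matches; deny when none matches
    (default-deny is the safer choice for a protected application)."""
    for prefix, rule in RULES.items():
        if path.startswith(prefix):
            return bool(rule(session["real"], session["spoofed"]))
    return False


def accounting_line(session, path, granted, ts=None):
    """Record both identities so the audit trail shows who really acted.
    ts may be supplied (ISO-8601 string) to make output reproducible."""
    if ts is None:
        ts = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    verdict = "GRANT" if granted else "DENY"
    return (f"{ts} {verdict} path={path} "
            f"spoofed={session['spoofed']['uid']} real={session['real']['uid']}")


if __name__ == "__main__":
    s = build_session("dev.martin", "agent.durand")
    for p in ("/agents/planning", "/admin/users"):
        ok = authorize(s, p)
        print(accounting_line(s, p, ok))
```

The accounting line keeps `real=` next to `spoofed=` on every record, which is what lets a reviewer of the logs tell a developer's test from a genuine action by the spoofed account.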
Sharing authentication with remote applications
● Extending the core environment with additional features to enable sharing of authentication with remote applications:
    ● only a short list of attributes is exported to remote applications

Principles
Client-Server over HTTP
● Lemonldap::NG provides 2 ways to control access from non-browser clients:
    ● SOAP authentication: the client gets a cookie with a SOAP request, then uses the cookie as a normal browser would
    ● HTTP Auth-Basic authentication: the application is protected by an agent (handler) which queries the portal by SOAP using the user/password transmitted by the client (through the Auth-Basic mechanism):
        – authorization still uses Lemonldap::NG rules

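The second mechanism is easy to get subtly wrong (credentials re-sent on every hit, rules bypassed once "authenticated"), so here is an added Python example, not Lemonldap::NG code, of a handler that decodes the client's Basic credentials, obtains a session from the portal, and still runs the access rules on every request. The portal is an in-memory stand-in for the SOAP call, with a constructed salted-hash password store; the user names, rules and credential cache are assumptions for the example.

```python
"""Auth-Basic handler for non-browser clients, following the slide's second
mechanism. Added example, not Lemonldap::NG code; the portal, its password
store, the rules and the cache are constructed stand-ins."""
import base64
import binascii
import hashlib
import hmac
import secrets

_SALT = b"constructed-demo-salt"  # one shared salt keeps the demo short


def _hash(password):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed portal-side users (salted hashes, never plaintext).
PORTAL_USERS = {
    "batch.reporting": {"pw": _hash("s3cret-batch"), "groups": {"batch"}},
    "agent.durand": {"pw": _hash("agent-pass"), "groups": {"agents"}},
}
SESSIONS = {}  # session id -> attributes, shared by portal and handler


def portal_get_session(user, password):
    """Stand-in for the handler's SOAP call to the portal: verify the
    password in constant time and return a fresh session id, or None."""
    rec = PORTAL_USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], _hash(password)):
        return None
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"uid": user, "groups": rec["groups"]}
    return sid


# Constructed rules: URL prefix -> predicate over session attributes.
RULES = {
    "/reports": lambda attrs: "batch" in attrs["groups"],
    "/agents": lambda attrs: "agents" in attrs["groups"],
}

# Hash of presented credentials -> session id, so the handler does not
# round-trip to the portal on every hit of a client that resends Basic auth.
_CREDENTIAL_CACHE = {}


def parse_basic(authorization):
    """Decode 'Authorization: Basic <base64(user:password)>'; None if malformed."""
    if not authorization or not authorization.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(authorization[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = raw.partition(":")
    return (user, password) if sep else None


def handle(path, authorization):
    """Return (status, attrs): 401 without valid credentials, 403 when the
    rule denies, 200 with the session attributes otherwise. Authorization is
    evaluated on every request, never only at first authentication."""
    creds = parse_basic(authorization)
    if creds is None:
        return 401, None
    key = hashlib.sha256(f"{creds[0]}:{creds[1]}".encode()).hexdigest()
    sid = _CREDENTIAL_CACHE.get(key)
    if sid is None or sid not in SESSIONS:
        sid = portal_get_session(*creds)
        if sid is None:
            return 401, None
        _CREDENTIAL_CACHE[key] = sid
    attrs = SESSIONS[sid]
    rule = next((r for p, r in RULES.items() if path.startswith(p)), None)
    if rule is None or not rule(attrs):
        return 403, None
    return 200, attrs


def basic_header(user, password):
    """Build the header a client sends; used here to drive the handler."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


if __name__ == "__main__":
    hdr = basic_header("batch.reporting", "s3cret-batch")
    print(handle("/reports/daily", hdr))   # 200 with attributes
    print(handle("/agents/planning", hdr))  # 403: rule denies
    print(handle("/reports/daily", None))  # 401: no credentials
```

In a deployment the credential cache would need a lifetime tied to the session's, and the handler would answer 401 with a `WWW-Authenticate: Basic` header so clients know to retry with credentials; both are left out to keep the example on the authentication and rule flow.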
Conclusion
● Cost of the project (for the Gendarmerie):
    ● 4 servers
    ● 4 months of work for 1 developer
● Result:
    ● a flexible and suitable solution

Any questions?