[OW2con19] LemonLDAP::NG success stories
12/06/2019 2
LemonLDAP::NG Software
SSO Workflow (diagram: authentication portal and application, joined by a trust link)
1. First access: the user's browser reaches the application
2. Authentication: the user authenticates at the authentication portal
3. Send SSO token: the portal issues an SSO token to the browser
4. Validate SSO token: the application validates the token; it accepts it because of its trust link with the portal
History
● 2003: Project creation
● 2006: Fork – version NG
● 2010: Protocols CAS, SAML and OpenID; version 1.0
● 2016: Protocol OpenID Connect
● 2018: Second factors (2FA); version 2.0
Main features
● Web Single Sign On
● Access control
● Applications portal
● Choice and chaining of authentication modules
● Password management, account creation
● Multi-factor authentication (MFA)
● Protection of Web applications and API/WebServices
● Graphical customisation
● Packages for Debian/Ubuntu/RHEL/CentOS
Login page
Portal with application menu
Web Administration interface
Command Line Interface
Free Software
● License: GPL
● OW2 project
● Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng
● Site: https://lemonldap-ng.org
● OW2 Community Award in 2014
● SSO component of the FusionIAM project: https://fusioniam.org/
Component roles (diagram)
● Portal: CAS, SAML, OpenID Connect, application menu, self services, SOAP/REST server, session management, notifications, second factors
● Manager: configurations, sessions
● Handler: access control, SSOaaS, Web Service Token, custom
The portal and the handlers share the configuration and session stores.
Web application (diagram)
The user authenticates at the portal, which creates the session. On each request, the handler in front of the web application reads the SSO cookie, reads the session it points to, and passes the user's attributes to the web application as HTTP headers.
CAS, SAML and OpenID Connect
● LL::NG can act as client and as server
● Attribute sharing
● Management of authentication contexts and levels
● Autogeneration of public/private keys
● Access control per service
● Publication of configuration data (metadata)
● Multi-protocol gateway
● Single logout
Second Factor Authentication (2FA)
LemonLDAP::NG can use the following second factors:
● TOTP
● U2F
● TOTP or U2F
● Mail
● External
● REST
● Yubikey
DevOps (SSO as a Service) (diagram)
Same flow as for a web application (authentication and session creation at the portal, session read by the handler through the SSO cookie, HTTP headers to the application), except that the access rules and the exported headers are read by the handler from a rules.json file provided with the application.
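The two flows above (a handler that reads the SSO cookie and exports HTTP headers, and a DevOps handler that takes its access rules and exported headers from a rules.json shipped with the application), as an added Python example. It is not LemonLDAP::NG code: the session store, the rules.json and the requests are constructed, the cookie name `lemonldap` and the `Auth-*` header names are assumptions, and the rule language is reduced to `accept`, `deny`, `$attr eq '...'` and `$attr =~ /.../` where the real handler evaluates Perl expressions. The point it adds is the one not to miss with header-based SSO: the application believes `Auth-User` only because the handler overwrites it, so the handler must drop any header of that name that the client sent.

```python
import json
import re

COOKIE_NAME = "lemonldap"  # assumed SSO cookie name

# Constructed session store: what the portal writes after authentication,
# keyed by the opaque session id that the SSO cookie carries.
SESSIONS = {
    "a1b2c3d4e5f6": {"uid": "alice", "mail": "alice@example.org", "groups": "admins; users"},
    "0f9e8d7c6b5a": {"uid": "bob", "mail": "bob@example.org", "groups": "users"},
}

# Constructed rules.json in the two-key layout of the DevOps handler:
# "rules" maps URI regexes to a rule ("default" applies when nothing matches),
# "headers" maps the exported header names to session attributes.
RULES_JSON = r"""{
  "rules": {
    "^/admin": "$groups =~ /\\badmins\\b/",
    "^/logout": "deny",
    "default": "accept"
  },
  "headers": {
    "Auth-User": "$uid",
    "Auth-Mail": "$mail"
  }
}"""

_EQ = re.compile(r"^\$(\w+)\s+eq\s+'([^']*)'$")
_RE = re.compile(r"^\$(\w+)\s+=~\s+/(.*)/$")


def evaluate_rule(rule: str, session: dict) -> bool:
    """Evaluate one rule against the session attributes.

    Only a small subset of the real rule language is understood: accept,
    deny, "$attr eq 'value'" and "$attr =~ /regex/". Anything else is
    denied, so an unparsable rule fails closed instead of open.
    """
    rule = rule.strip()
    if rule == "accept":
        return True
    if rule == "deny":
        return False
    m = _EQ.match(rule)
    if m:
        return session.get(m.group(1), "") == m.group(2)
    m = _RE.match(rule)
    if m:
        return re.search(m.group(2), session.get(m.group(1), "")) is not None
    return False


def load_rules(text: str) -> dict:
    cfg = json.loads(text)
    return {"rules": cfg.get("rules", {}), "headers": cfg.get("headers", {})}


def handle(request: dict, cfg: dict, sessions: dict = SESSIONS):
    """Decide one request the way the handler does for the reverse proxy.

    request = {"uri": str, "cookies": {name: value}, "headers": {name: value}}
    Returns (status, headers forwarded to the application):
      401  no valid session (the real handler redirects to the portal instead)
      403  session present but the access rule rejects the request
      200  allowed, with the exported headers filled from the session
    """
    exported = {h.lower() for h in cfg["headers"]}
    # Drop whatever the client sent under the exported names: the application
    # trusts these headers only because the handler is the one setting them.
    forwarded = {k: v for k, v in request.get("headers", {}).items()
                 if k.lower() not in exported}

    session = sessions.get(request.get("cookies", {}).get(COOKIE_NAME))
    if session is None:
        return 401, forwarded

    # First URI regex that matches, in file order; "default" otherwise.
    rule = cfg["rules"].get("default", "deny")
    for pattern, expr in cfg["rules"].items():
        if pattern != "default" and re.search(pattern, request["uri"]):
            rule = expr
            break
    if not evaluate_rule(rule, session):
        return 403, forwarded

    for name, expr in cfg["headers"].items():
        forwarded[name] = session.get(expr.lstrip("$"), "")
    return 200, forwarded
```

Run `handle(...)` with a request that carries a forged `Auth-User: root` header and a valid cookie: the forged value never reaches the application, the header comes back set from the session. The sample keeps `"default": "accept"` for illustration; an application with any private URI is better served by `deny` as its default.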
API – Service Token (diagram)
The web application, itself behind a handler (portal authentication, session creation, session read through the SSO cookie, HTTP headers), calls a web service protected by a token handler. It sends a service token; the token handler validates it, reads the session, and passes the user's attributes to the web service as HTTP headers.
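The service-token exchange above, as an added Python example that is neither LemonLDAP::NG's code nor its token format: the application holds the user's session id and mints a short-lived token for one target virtual host, and the token handler in front of the web service verifies the token before it reads the session. The key, TTL, session store, vhost names and the wire format (HMAC-SHA256 over `issued:session_id:vhost`, base64url-encoded) are all assumptions of the example.

```python
import base64
import hashlib
import hmac
import time

# Constructed for the example. The key must be shared by the application's
# handler and the web service's token handler; rotate it like any other secret.
SERVICE_KEY = b"constructed-shared-key-change-me"
TOKEN_TTL = 30  # seconds: a service token is meant for one immediate call

# Constructed session store (the same store the SSO cookie points to).
SESSIONS = {"a1b2c3d4e5f6": {"uid": "alice", "mail": "alice@example.org"}}

_MAC_LEN = hashlib.sha256().digest_size


def _mac(payload: bytes) -> bytes:
    return hmac.new(SERVICE_KEY, payload, hashlib.sha256).digest()


def issue_service_token(session_id: str, target_vhost: str, now=None) -> str:
    """Application side: mint a token for one target virtual host.

    The target vhost is part of the authenticated payload, so a token that
    one web service receives cannot be replayed against another.
    """
    now = int(time.time()) if now is None else now
    payload = f"{now}:{session_id}:{target_vhost}".encode()
    return base64.urlsafe_b64encode(payload + _mac(payload)).decode()


def verify_service_token(token: str, my_vhost: str, now=None):
    """Token handler on the web service side: return the session or None.

    Fails closed on malformed input, a bad MAC, a token minted for another
    vhost, a token from the future, or one older than TOKEN_TTL. The
    session is read only after every check has passed, as the cookie
    handler does.
    """
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
    except ValueError:
        return None
    if len(raw) <= _MAC_LEN:
        return None
    payload, mac = raw[:-_MAC_LEN], raw[-_MAC_LEN:]
    if not hmac.compare_digest(mac, _mac(payload)):
        return None
    try:
        issued_s, session_id, vhost = payload.decode().split(":", 2)
        issued = int(issued_s)
    except ValueError:
        return None
    if vhost != my_vhost or not issued <= now < issued + TOKEN_TTL:
        return None
    return SESSIONS.get(session_id)
```

The three rejections to check in a token handler are the ones the example tests: a tampered token, a token presented to a vhost it was not minted for, and a token past its TTL. The MAC is checked before the payload is parsed, so malformed input never reaches the session store.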
OpenID Connect / OAuth2 (diagram)
Same flow (portal authentication, session creation), but the client presents an OAuth2 access token instead of the SSO cookie: the handler reads the session bound to the access token and forwards the user's attributes to the web application as HTTP headers.
RENATER / eduGAIN
● Support of RENATER / eduGAIN via SAML2:
  ● Service Provider
  ● Identity Provider
● Call to the Identity Provider selection page (WAYF) via the SAML Discovery Protocol
● Metadata bulk import script
Plugin engine
● The portal code was fully rewritten and now allows plugins to be written
● Plugin examples, provided by default:
  ● Auto Signin: direct authentication for some IP addresses
  ● Brute Force: protection against brute-force attacks
  ● Stay Connected: "remember me" button
  ● Public Pages: static pages using the portal skin
  ● Impersonation: take the identity of another user
● Write a custom plugin: https://lemonldap-ng.org/documentation/latest/plugincustom
The beginning of the journey
Orange is a complex environment…
With many people and kinds of skills, with thousands of applications, in an environment in constant motion.
Orange is a complex environment in a complex world…
Thousands of applications:
§ Made or bought by Orange
§ SSO-compatible or not
§ Accessible from the Internet or the intranet
§ A security access level specific to each
§ Each application has its own lifecycle
§ Our users want the same quality from their work tools as from the consumer offers on the Internet
§ Rise of the « fashion tool »
Many people and kinds of skills:
Long-term partnerships
§ Orange people
§ Contractors
§ Partners
§ Universities
On-demand relationships
§ Freelancers on contracts of a few days
All of it in an environment in constant motion.
…With the same constraints and needs as others…
● Manage all identification / authentication cases
● Allow access from different contexts
● Keep things as transparent as possible for users
● Manage all kinds of users
● Provide many types of protocols
● Guarantee a high security level
● Flexible enough to support the future
● Guarantee a high availability level
● Keep It Simple, Stupid (not « Keep It Complex, Stupid »)
● Have a single system to authenticate users
…So we are building a scalable LemonLDAP::NG infrastructure… (diagram)
Two LemonLDAP::NG farms, each with its own configuration and session stores:
● Internal: HA int (high-availability front end) in front of Lemon int 1 and Lemon int 2, serving the internal applications
● External: HA ext in front of Lemon ext 1 and Lemon ext 2, serving the external applications
Authentication paths, as numbered on the diagram:
1. Kerberos if the user comes from the internal network, then SAML
2. OpenID Connect
3. REST → LDAP
4. LDAP
User stores: Orange accounts and external accounts.
...And we are at the beginning of the journey...
We have tested LemonLDAP::NG in real conditions on many applications used by innovation people.
…Under industrialisation by a specialised team.
First team, to « think »:
- Test LemonLDAP::NG and try to find its limits
- Test the potential architectures
- Test integration with about 20 applications (GitLab, Nextcloud, Jira & Confluence, DokuWiki, Apache 2, Flexible Engine, Grafana, WebCom, WordPress, OpenStack…)
- Test authentication protocols and methods (OTP, …)
Another team, to « build »:
- Take the results of the previous stage to create an « industrial solution » able to support millions of people
Final team, to « run ».
Orange-Worteks Partnership
● Worteks offers a framework contract for support around LemonLDAP::NG and other free software, with two parts:
  ● Incident management: a ticket can be opened to solve any fault on a production or development system (business hours)
  ● Evolutions: a request can be made to fix bugs or code new features in the software
● Any Orange Business Unit can request a contract; prices are already defined
● It can then contribute to the LemonLDAP::NG roadmap by requesting evolutions
Thanks to all the contributors
Thank you to all the contributors to this project, for their competence, their good humour and their motivation, which are overcoming all the problems that vainly tried to stand in our way:
● The LemonLDAP::NG Team (Clément, Xavier and all the others).
● Worteks for the support.
● Orange internal contributors: Christian P., Laurence T., Daniel V., David M., Ronan H.B., Aurelien P., Alexandre L., Jean-Louis F.
● All the other keys to success in this project.
Gendarmerie Nationale
ST(SI)²
History
● 2002: First WebSSO at the GN (SiteMinder)
● Licensing cost: 90 k€/year for 5000 users (target ~1 M€/year)
  → LemonLDAP taken over from the Ministry of Finance
● 2005: Development of LL::NG (fork); the SSO is now used by (almost) all civil services
Budget
● Project build (excluding machine cost):
  ● Between 2005 and 2015: ~150 k€
  ● 2015: 100 k€
  ● 2016 & 2017: 0 €
  ● 2018: 25 k€
  ● 2019: 0 €
Technical team for all ST(SI)² SSO
● X. Guimard: Lead developer LL::NG
● S. Marcq: Project manager
● A. Rosier & C. Maudoux: developers and administrators
Platforms
● Proxyma → GN
● CheopsNG → PN
● PSI → SP (SAML with interior security services)
● Judiweb → SP RIE (government network)
● Curasso & Espresso → internet SSO
● SAML with 12 civil services
Proxyma: SSO GN
● ~22 million requests / day
● ~65 000 unique users / day
● 253 different applications used / day
● 12 reverse proxies
● 7 LDAP servers
● 4 portals
Top 10 connection peaks during 10 min (chart)
Top 10 event peaks during 10 min (chart)
Top 10 unique-user peaks during 10 min (chart)
Unique users / month (chart)
« Successful authentications » / month (chart)
2019/2020 Evolution
● Upgrade all platforms → LL::NG 2.0
● Connect Agent implementation
● 2FA implementation
● Cloud: SSO as a service (DevOps handler + scalability)
THANKS
For more information:
info@worteks.com
@worteks_com
linkedin.com/company/worteks
