#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::NG - CLEMENT OUDOT
0 likes23 views
The document outlines microservices authentication and authorization using LemonLDAP::ng, focusing on features like web single sign-on, multi-factor authentication, and API/web service protection. It details the software's capabilities as both a client and server, discussing protocols such as CAS, SAML, and OpenID Connect. Additionally, it provides examples of using OAuth2 for user authentication and token verification.
#OSSPARIS19 - MicroServices authentication and authorization with LemonLDAP::NG - CLEMENT OUDOT
- 1. MicroServices authentication and authorization with LemonLDAP::NG Clément OUDOT – Identity Solutions Manager [email protected]
- 2. 2 (v .t ks)ɔʁ ɛ Services Heterogeneous and complex infrastructures, cloud, mail, authentication, security Studies, audit and consulting Technical expertise Technical support Training R&D Edition Collaboration and application portal Mutualized platform for development Identity and Access Management Partnership
- 4. 4 Imagine SSOng Imagine there are no passwords Or maybe just only one A single secured form To access our applications Imagine all the users Loving security Imagine applications No more storing passwords Relying on a token Even for authorizations Imagine all developers Loving security Imagine some protocols Made by clever people CAS, OpenID or SAML Even WS Federation Imagine authentication Interoperability You may say I'm a hacker But I'm not the only one I hope one day You will log in Using the Single Sign On © John Lennon
- 5. 5 Authentication Portal Application 2. Authentication 1. First access 3. Send SSO Token Trust link 4. Validate SSO token SSO workflow
- 6. 6 Y O L O You Only Log Once
- 8. 8 History 2003 2006 2010 2016 2018 Project creation Fork – version NG Protocols CAS, SAML and OpenID Version 1.0 Protocol OpenID Connect Second factors (2FA) Version 2.0
- 9. 9 Main features ● Web Single Sign On ● Access control ● Applications portal ● Authentication modules choice and chain ● Password management, account creation ● Multi-factor authentication (MFA) ● Protection of Web applications and API/WebServices ● Graphical customisation ● Packages for Debian/Ubuntu/RHEL/CentOS
- 10. 10 Login page
- 11. 11 Portal with application menu
- 14. 14 Free Software ● License GPL ● OW2 project ● Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng ● Site: https://lemonldap-ng.org ● OW2 Community Award in 2014 and 2018 ● SSO component of FusionIAM project: https://fusioniam.org/
- 15. 15 Component roles Configurations Sessions Portal Manager Handler Application menu CAS SAML OpenID Connect Self Services SOAP/REST server Session management Configurations Sessions Notifications Second factors Access Control SSOaaS Web Service Token Custom
- 16. 16 Web application protection with Handler Sessions Portal Handler Web Application Authentication Session creation Session read SSO cookie HTTP headers
- 18. 12/06/19 18 Main features ● LL::NG can act as client and as server ● Attributes sharing ● Manage authentication contexts and levels ● Autogeneration of public/private keys ● Access control per services ● Publication of configuration data (metadata) ● Multi-protocols gateway ● Single logout
- 19. 12/06/19 19 CAS CAS client CAS server First access Redirection for authentication Service TicketService Ticket Service ticket validation Access to identity
- 20. 12/06/19 20 SAML Service Provider (SP) Identity Provider (IDP) First access IDP choice Authentication request Authentication responseAuthentication response Signature verification Read assertion
- 21. 12/06/19 21 OpenID Connect Relying Party (RP) OpenID Provider (OP) First access OP choice Authentication request JWT JWT Signature verification Read JWT Get UserInfo
- 22. 22 API / WebService protection
- 23. 12/06/19 23 How to protect a WebService ● Global authentication: – HTTP Basic – SSL client certificate ● User oriented authentication?
- 24. 12/06/19 24 LL::NG ServiceToken Handler ● New Handler "Service Token" installed between application and WebService ● Main Handler generates a token based on time session_id and virtual hosts: cipher(time, session_id, vhost_list) ● The token is sent by application to WebService ● The Handler "Service Token" intercepts the token, validates it and apply access rules, and sent HTTP headers to WebService
- 25. 12/06/19 25 LL::NG ServiceToken Handler Sessions Portal Handler Web Application Authentication Session creation Session read SSO cookie HTTP headers Token Handler Service Token Web Service Token HTTP headers Session read
- 26. 12/06/19 26 Using OAuth2 ● When LL::NG acts as OIDC provider, it delivers an OAuth2 access token ● This access token can be validated with different operations: – Call /oauth2/userinfo, which will return user attributes – Call /oauth2/introspect, which will return token information (including the token owner) – see RFC 7662 – Use LL::NG OAuth2 Handler
- 27. 12/06/19 27 LL::NG OAuth2 Handler Sessions Portal Web Application Authentication Session creation OIDC response Handler OAuth2 Web Service Access Token HTTP headers Session read ID Token Access Token
- 28. 12/06/19 28 Example – UserInfo Endpoint $ curl -k -H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" https://auth.openid.club/oauth2/userinfo | json_pp { "family_name" : "OUDOT", "name" : "Clément OUDOT", "email" : "[email protected]", "sub" : "coudot" }
- 29. 12/06/19 29 Example – Intropsection Endpoint $ curl -k -H "Authorization: Basic bGVtb25sZGFwOnNlY3JldA==" -X POST -d "token=a74d504ec9e784785e70a1da2b95d1d2" https://auth.openid.club/oauth2/introspect | json_pp { "client_id" : "lemonldap", "sub" : "coudot", "exp" : 1572446485, "active" : true, "scope" : "openid profile address email phone" }
- 30. 12/06/19 30 Example – Oauth2 Handler $ curl -k -H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" https://oauth2.openid.club/api.pl { "check" : "true", "user" : "coudot" }
- 31. 31 Thanks for your attention More informations: [email protected] @worteks_com linkedin.com/company/worteks