[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Federation, WebService and API protection
0 likes1,054 views
LemonLDAP::NG 2.0 is an open source software that provides multi-factor authentication, identity federation, and API/web service protection capabilities. It has features like single sign-on, an applications portal, support for protocols like CAS, SAML, and OpenID Connect, and second factor authentication options. LemonLDAP::NG can act as an identity provider or service provider for identity federation using protocols like CAS, SAML, and OpenID Connect, and includes handlers to authenticate and authorize access to APIs and web services using techniques like JSON web tokens and OAuth2 flows.
![[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Federation, WebService and API protection](https://image.slidesharecdn.com/preldapcon2019lemonldapng-191106100705/85/LDAPCon-2019-LemonLDAP-NG-2-0-Mutli-factor-authentication-Identity-Federation-WebService-and-API-protection-22-320.jpg)
![[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Federation, WebService and API protection](https://image.slidesharecdn.com/preldapcon2019lemonldapng-191106100705/85/LDAPCon-2019-LemonLDAP-NG-2-0-Mutli-factor-authentication-Identity-Federation-WebService-and-API-protection-23-320.jpg)
[LDAPCon 2019] LemonLDAP::NG 2.0: Mutli-factor authentication, Identity Federation, WebService and API protection
- 1. LEMONLDAP::NG 2.0: MUTLI-FACTOR AUTHENTICATION, IDENTITY FEDERATION, WEBSERVICE AND API PROTECTION Clément OUDOT – Identity Solutions Manager clement.oudot@worteks.com
- 2. 05/11/19 2 Single Sign On
- 3. 05/11/19 3 LDAPCon Single Sign On ● LDAPCon 2007: The FederID Project ● LDAPCon 2011: The LemonLDAP::NG project ● LDAPCon 2015: The OpenID Connect Protocol ● LDAPCon 2017: Understanding main SSO protocols: CAS, SAML and OpenID Connect ● LDAPCon 2019: LemonLDAP::NG workshop and conference
- 4. 05/11/19 4 SSO Workflow Authentication Portal Application 2. Authentication 1. First access 3. Send SSO Token Trust link 4. Validate SSO token
- 6. 05/11/19 6 History 2003 2006 2010 2016 2018 Project creation Fork – version NG Protocols CAS, SAML and OpenID Version 1.0 Protocol OpenID Connect Second factors (2FA) Version 2.0
- 7. 05/11/19 7 Main features ● Web Single Sign On ● Access control ● Applications portal ● Authentication modules choice and chain ● Password management, account creation ● Multi-factor authentication (MFA) ● Protection of Web applications and API/WebServices ● Graphical customisation ● Packages for Debian/Ubuntu/RHEL/CentOS
- 9. 05/11/19 9 Portal with application menu
- 10. 05/11/19 10 Web Administration interface
- 11. 05/11/19 11 Command Line Interface
- 12. 05/11/19 12 Free Software ● License GPL ● OW2 project ● Forge: https://gitlab.ow2.org/lemonldap-ng/lemonldap-ng ● Site: https://lemonldap-ng.org ● OW2 Community Award in 2014 and 2018 ● SSO component of FusionIAM project: https://fusioniam.org/
- 13. 05/11/19 13 Component roles Configurations Sessions Portal Manager Handler Application menu CAS SAML OpenID Connect Self Services SOAP/REST server Session management Configurations Sessions Notifications Second factors Access Control SSOaaS Web Service Token Custom
- 14. 05/11/19 14 Web application protection with Handler Sessions Portal Handler Web Application Authentication Session creation Session read SSO cookie HTTP headers
- 15. 05/11/19 15 Multi Factor Authentication
- 16. 16 Multi Factor Authentication ● Multi-factor authentication (MFA) is a method of confirming a user's claimed identity in which a user is granted access only after successfully presenting 2 or more pieces of evidence (or factors) to an authentication mechanism: ● knowledge (something they and only they know) ● possession (something they and only they have) ● inherence (something they and only they are)
- 17. 17 One-Time Password ● One-Time Password (OTP) is a password that is valid for only one login session or transaction ● Two standards: ● HOTP (RFC 4226): HMAC-Based One-Time Password ● TOTP (RFC 6238): Time-Based One-Time Password ● Rely on a secret shared between user and server
- 18. TOTP ● Shared secret key K ● T0: start time ● TI: time interval ● Time Counter TC = floor((unixtime(now) − unixtime(T0)) / TI) ● TOTP = Truncate( SHA1(K 0x5c5c… SHA1(K 0x3636… TC))⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ TC)) ∥ SHA1(K ⊕ 0x3636… ∥ TC)) ⊕ 0x5c5c… ∥ SHA1(K ⊕ 0x3636… ∥ TC)) ∥ SHA1(K ⊕ 0x3636… ∥ TC)) ) & 0x7FFFFFFF ● TOTP Value = TOTP mod 10d, where d is the desired number of digits of the one-time password
- 19. Using a TOTP ● Registration on client: shared key can be registered manually or using a QR code ● Server associates shared secret to user ● At next authentication, TOTP value is computed by client and server
- 20. Universal Second Factor ● Universal 2nd Factor (U2F) is an open authentication standard that strengthens and simplifies two-factor authentication using specialized USB or NFC devices. ● Managed by FIDO Alliance https://fidoalliance.org/
- 21. Using U2F ● Registration: Token generates private/public keys and a handle and send public key and handle to server ● The server associates the public key and the handle to user ● At next authentication, server sends the handle and a crypto challenge and the U2F token signs the challenge and sends it back
- 24. 24 Support in LL::NG ● LemonLDAP::NG can use the following 2FA: ● TOTP ● U2F ● TOTP or U2F ● Mail ● External ● REST ● Yubikey
- 26. 05/11/19 26 Main features ● LL::NG can act as client and as server ● Attributes sharing ● Manage authentication contexts and levels ● Autogeneration of public/private keys ● Access control per services ● Publication of configuration data (metadata) ● Multi-protocols gateway ● Single logout
- 27. 05/11/19 27 CAS CAS client CAS server First access Redirection for authentication Service TicketService Ticket Service ticket validation Access to identity
- 28. 05/11/19 28 SAML Service Provider (SP) Identity Provider (IDP) First access IDP choice Authentication request Authentication response Authentication response Signature verification Read assertion
- 29. 05/11/19 29 OpenID Connect Relying Party (RP) OpenID Provider (OP) First access OP choice Authentication request JWT JWT Signature verification Read JWT Get UserInfo
- 30. 05/11/19 30 API / WebService protection
- 31. 05/11/19 31 How to protect a WebService ● Global authentication: ● HTTP Basic ● SSL client certificate ● User oriented authentication?
- 32. 05/11/19 32 LL::NG ServiceToken Handler ● New Handler "Service Token" installed between application and WebService ● Main Handler generates a token based on time session_id and virtual hosts: cipher(time, session_id, vhost_list) ● The token is sent by application to WebService ● The Handler "Service Token" intercepts the token, validates it and apply access rules, and sent HTTP headers to WebService
- 33. 05/11/19 33 LL::NG ServiceToken Handler Sessions Portal Handler Web Application Authentication Session creation Session read SSO cookie HTTP headers Token Handler Service Token Web Service Token HTTP headers Session read
- 34. 05/11/19 34 Using OAuth2 ● When LL::NG acts as OIDC provider, it delivers an OAuth2 access token ● This access token can be validated with different operations: ● Call /oauth2/userinfo, which will return user attributes ● Call /oauth2/introspect, which will return token information (including the token owner) – see RFC 7662 ● Use LL::NG OAuth2 Handler
- 35. 05/11/19 35 LL::NG OAuth2 Handler Sessions Portal Web Application Authentication Session creation OIDC response Handler OAuth2 Web Service Access Token HTTP headers Session read ID Token Access Token
- 36. 05/11/19 36 Example – UserInfo Endpoint $ curl -k -H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" https://auth.openid.club/oauth2/userinfo | json_pp { "family_name" : "OUDOT", "name" : "Clément OUDOT", "email" : "clement@oodo.net", "sub" : "coudot" }
- 37. 05/11/19 37 Example – Intropsection Endpoint $ curl -k -H "Authorization: Basic bGVtb25sZGFwOnNlY3JldA==" -X POST -d "token=a74d504ec9e784785e70a1da2b95d1d2" https://auth.openid.club/oauth2/introspect | json_pp { "client_id" : "lemonldap", "sub" : "coudot", "exp" : 1572446485, "active" : true, "scope" : "openid profile address email phone" }
- 38. 05/11/19 38 Example – Oauth2 Handler $ curl -k -H "Authorization: Bearer a74d504ec9e784785e70a1da2b95d1d2" https://oauth2.openid.club/api.pl { "check" : "true", "user" : "coudot" }
- 39. 3939 THANKS FOR YOUR ATTENTION More informations: info@worteks.com @worteks_com linkedin.com/company/worteks