Presentation transcript:

Clément OUDOT

2 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion

3 LINAGORA Group ● LINAGORA Group at a glance: – 100 people – Offices in Paris, Lyon and Toulouse – Results: 9 billion euros for 2007 – Training, support, integration, consulting – Only Free Software!

4 OSSA ● Open Source Software Assurance: – Support for our customers on more than 250 Free Software products – Patches delivered within 8 hours – Patches always submitted upstream to the communities – Bug reports on critical architectures that the community developers do not test

5 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion

6 A question of Identity ● A digital identity is a set of attributes describing an entity ● A subset of them, the credentials, is used for authentication ● An entity (a user) can own many identities ● Each identity has roles and rights within an application (service provider)

7 A question of Identity ● Service providers manage the identities: – For a service provider: 1 user = 1 identity – For a user: 1 service = 1 identity

8 A question of Identity ● We need Identity Management! – An identity repository (LDAP directory) – Provisioning services – Access control on data (LDAP ACLs) – Access control on applications (SSO rules) ● We need Identity Federation! – Keep separate identities to protect private life – Federate accounts to benefit from other services

9 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion

10 Liberty Alliance ● Founded in 2001 by SUN and 13 other partners ● More than 1500 members ● Goals: – An open federation standard – Respect of private life in the digital space

11 Liberty Alliance (slide showing the Liberty Alliance sponsors)

12 Liberty Alliance ● Three standard frameworks: – ID-FF (Federation Framework): ● SSO, SLO ● Federation mechanisms – ID-WSF (Web Services Framework): ● Attribute sharing ● Interaction service – ID-SIS (Service Interface Specifications): ● Interfaces between services

13 Liberty Alliance (diagram: Service Provider, Identity Provider, Service Provider, Attributes Provider)

14 Liberty Alliance

15 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion

16 The FederID architecture ● LASSO API: library implementing the Liberty Alliance specifications, C ● InterLDAP: LDAP tool suite for content management, J2EE (Spring-LDAP, Tapestry 5) ● LemonLDAP::NG: Web SSO tool with authorization management, Perl ● Authentic: Liberty Alliance identity provider, Python

17 The FederID architecture (diagram: LDAP Directory, Circle of Trust, Authentic Identity Provider, Content Management [WUI], Attribute Provider [LAAP], SSO & Authorizations Service Provider, two standard Web applications)

18 The FederID architecture ● Authentic: – Liberty Alliance identity provider – Authenticates users against an LDAP server, a database or simple flat text files – LDAP authentication is enforced within FederID – Can forward LDAP attributes in SAML responses

19 The FederID architecture ● LemonLDAP::NG: – WebSSO product based on the Apache Perl handler technology. – Offers three modules: ● Handler: protects the application ● Portal: where the user is redirected when not authenticated ● Manager: graphical interface for configuring LemonLDAP::NG.

20 The FederID architecture (diagram: Protected Area, Agent (Handler), WebSSO Portal, Sessions, LDAP, Identity Provider, user/password, Assertion Consumer)

21 The FederID architecture ● InterLDAP-LAAP: – Liberty Alliance Attribute Provider – ID-FF and ID-WSF frameworks – Maps the representation of a person between LDAP and Liberty Alliance – Shares LDAP attributes through standardized Web Services

22 The FederID architecture (diagram: Users, LAAP, LDAP Directory, Service Provider, Identity Provider)

23 The FederID architecture ● InterLDAP-WUI: – Content Management System for an LDAP directory – Enriched schema from which the interface is generated "on the fly" – Authorization back-end – Delegation is enabled by setting tree and group properties for each part of the Directory Information Tree

24 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion

25 Advanced use of LDAP ● SSO stack: – Authentication against LDAP (or a Liberty Alliance IdP) – Authorizations against LDAP filters: ● First select the attributes needed for the filter ● Define logical groups:
    business => '(departmentUID=MyBusinessEntity)'
● Protect your area:
    ^/site/.*$ => $groups =~ /\bbusiness\b/
    ^/(js|css) => accept
    default => deny
=> No need to manage groups in the directory!
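The group/rule mechanism of slide 25, reproduced as an added Python example (not LemonLDAP::NG's own code): groups are computed from the user's LDAP attributes with a filter, then the first matching path rule decides. It assumes an in-memory session dictionary and a toy equality-only subset of the LDAP filter syntax.

```python
import re

# Constructed sample: attributes the Handler reads from the authenticated user's LDAP entry.
SESSION = {"uid": "jdoe", "departmentUID": "MyBusinessEntity"}

# Logical groups from slide 25: name => LDAP filter evaluated on the user's attributes.
GROUPS = {"business": "(departmentUID=MyBusinessEntity)"}

# Ordered rules from slide 25: path regex => access expression; 'default' applies when nothing matches.
RULES = [
    (r"^/site/.*$", r"$groups =~ /\bbusiness\b/"),
    (r"^/(js|css)", "accept"),
    ("default", "deny"),
]

def filter_matches(ldap_filter, attrs):
    """Evaluate an equality filter '(attr=value)' on the session (toy subset of LDAP filters)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.groups()
    return attrs.get(attr) == value

def compute_groups(attrs, groups=GROUPS):
    """Return the space-separated group names, as the $groups session variable holds them."""
    return " ".join(name for name, flt in groups.items() if filter_matches(flt, attrs))

def evaluate_rule(expr, groups):
    """Accept, deny, or a '$groups =~ /regex/' test against the computed group string."""
    if expr == "accept":
        return True
    if expr == "deny":
        return False
    m = re.fullmatch(r"\$groups =~ /(.*)/", expr)
    if m:
        return re.search(m.group(1), groups) is not None
    raise ValueError(f"unsupported rule expression: {expr}")

def is_allowed(path, attrs, rules=RULES):
    """Mimic the Handler: the first path rule matching the request decides; else the default rule."""
    groups = compute_groups(attrs)
    default = "deny"  # deny-by-default unless the rule list says otherwise
    for pattern, expr in rules:
        if pattern == "default":
            default = expr
        elif re.search(pattern, path):
            return evaluate_rule(expr, groups)
    return evaluate_rule(default, groups)
```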

26 Advanced use of LDAP ● Standard LDAP schema: mono/multi-valued, syntax, matching rules, ... ● Enriched schema: – Labels/descriptions – List of values/default value – Visible/filterable/modifiable – Double capture (value entered twice for confirmation)

27 Advanced use of LDAP ● The power of SQL for LDAP: – LDAP Query Language (LQL) – Read-only – Searches performed on the results of a primary search – An LQL request is stored as an LDAP attribute value

28 Advanced use of LDAP ● LQL functions: – search/list/read (DN, FILTER) – sup (DN, N): go up the tree from "DN" by "N" levels – fsup (BASE, FILTER): return the first parent of "BASE" selected by "FILTER" – and/or: union/intersection – group (DNGROUP, DNMEMBER): check whether "DNMEMBER" belongs to "DNGROUP" – concat: string concatenation

29 Advanced use of LDAP ● And some variables: – $namingContext: suffix of the tree. – $targetDN: DN targeted by the operation. – $targetRDN: RDN targeted by the operation. – $authorDN: DN of the author of the operation (as it is bound on the directory). – $authorRDN: RDN of the author of the operation.

30 Advanced use of LDAP ● LQL example: attribute(attribute(sup(search(ou=structs,$namingContext,$targetRDN),1),manager),cn)
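The LQL functions of slide 28 and the expression of slide 30, as an added Python example over a constructed in-memory directory (not InterLDAP's own implementation). It assumes equality-only filters, that `attribute(DN, ATTR)` reads an attribute (used on slide 30 but not listed on slide 28), and that $targetRDN names the structure entry the operation targets (for example ou=dev); the expression then yields the cn of the manager of that structure's parent.

```python
# Constructed in-memory directory: DN -> attributes (values kept as lists, as in LDAP).
NAMING_CONTEXT = "dc=example,dc=com"
DIRECTORY = {
    "ou=structs,dc=example,dc=com": {"ou": ["structs"]},
    "ou=rd,ou=structs,dc=example,dc=com": {"ou": ["rd"], "manager": ["uid=alice,ou=people,dc=example,dc=com"]},
    "ou=dev,ou=rd,ou=structs,dc=example,dc=com": {"ou": ["dev"], "manager": ["uid=bob,ou=people,dc=example,dc=com"]},
    "uid=alice,ou=people,dc=example,dc=com": {"uid": ["alice"], "cn": ["Alice Martin"]},
    "uid=bob,ou=people,dc=example,dc=com": {"uid": ["bob"], "cn": ["Bob Durand"]},
    "cn=admins,ou=groups,dc=example,dc=com": {"member": ["uid=alice,ou=people,dc=example,dc=com"]},
}

def _matches(attrs, ldap_filter):
    """Equality filter '(attr=value)' only: a toy subset of the LDAP filter syntax."""
    attr, value = ldap_filter.strip("()").split("=", 1)
    return value in attrs.get(attr, [])

def search(base, ldap_filter):
    """search(DN, FILTER): DNs strictly below BASE whose entry matches FILTER (subtree scope)."""
    suffix = "," + base
    return [dn for dn, attrs in DIRECTORY.items() if dn.endswith(suffix) and _matches(attrs, ldap_filter)]

def sup(dns, n):
    """sup(DN, N): go up the tree N levels (naive comma split; escaped commas not handled)."""
    return [dn.split(",", n)[n] for dn in dns]

def fsup(base, ldap_filter):
    """fsup(BASE, FILTER): the first ancestor of BASE whose entry matches FILTER, or None."""
    dn = base
    while "," in dn:
        dn = dn.split(",", 1)[1]
        if dn in DIRECTORY and _matches(DIRECTORY[dn], ldap_filter):
            return dn
    return None

def group(dn_group, dn_member):
    """group(DNGROUP, DNMEMBER): True if DNMEMBER is listed in the group's member attribute."""
    return dn_member in DIRECTORY.get(dn_group, {}).get("member", [])

def attribute(dns, attr):
    """attribute(DN, ATTR): the values of ATTR over every DN (assumed helper, see lead-in)."""
    return [v for dn in dns for v in DIRECTORY.get(dn, {}).get(attr, [])]

def parent_struct_manager_cn(target_rdn):
    """Slide 30: attribute(attribute(sup(search(ou=structs,$namingContext,$targetRDN),1),manager),cn)."""
    structs = search("ou=structs," + NAMING_CONTEXT, "(" + target_rdn + ")")
    return attribute(attribute(sup(structs, 1), "manager"), "cn")
```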

31 Advanced use of LDAP ● Proxy-Authz control: – Before this control, one connection to the directory had to be kept open per user – Now a connection pool with rootdn binds + Proxy-Authz can be used ● No-op: – Goal: know whether a user can write before actually writing! – The alternative, 'Get effective rights', still needs to be tested

32 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion

33 Conclusion Join us!

Thank you – Danke sehr