1 Clément OUDOT

2 Table of contents
● LINAGORA Group
● A question of Identity
● Liberty Alliance
● The FederID architecture
● Advanced use of LDAP
● Conclusion
3 LINAGORA Group
● LINAGORA Group, this is:
– 100 people
– Offices in Paris, Lyon and Toulouse
– Results: 9 billion euros for 2007
– Training, Support, Integration, Consulting
– Only Free Software!
4 OSSA
● Open Source Software Assurance:
– Support for our customers on more than 250 Free Software products
– Patches delivered within 8 hours
– Patches always submitted to the communities
– Bug reports on critical architectures not tested by the community developers
5 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion
6 A question of Identity
● A digital identity is a set of attributes describing an entity
● A subset of them, the credentials, is used for authentication
● An entity (a user) can own many identities
● Each identity has roles and rights within an application (service provider)
7 A question of Identity
● Service providers manage the identities:
– For a service provider: 1 user = 1 identity
– For a user: 1 service = 1 identity
8 A question of Identity
● We need Identity Management!
– Identity repository (LDAP directory)
– Provisioning services
– Access control on data (LDAP ACLs)
– Access control on applications (SSO rules)
● We need Identity Federation!
– Keep different identities for privacy reasons
– Federate accounts to benefit from other services
9 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion
10 Liberty Alliance
● Founded in 2001 by SUN and 13 other partners
● More than 1500 members
● Goals:
– An open federation standard
– Respect for privacy in the digital space
11 Liberty Alliance (sponsor logo slide; only the labels "Desk" and "Sponsors" survived)
12 Liberty Alliance
● Three standard frameworks:
– ID-FF (Federation Framework):
● SSO, SLO
● Federation mechanisms
– ID-WSF (Web Services Framework):
● Attribute sharing
● Interaction service
– ID-SIS (Service Interface Specifications):
● Interface between services
13 Liberty Alliance (diagram: Service Provider, Identity Provider, Service Provider, Attributes Provider)

14 Liberty Alliance (image slide)
15 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion
16 The FederID architecture
● LASSO API: library implementing the Liberty Alliance specifications, C
● InterLDAP: LDAP tool suite for content management, J2EE (Spring-LDAP, Tapestry 5)
● LemonLDAP::NG: Web SSO tool with authorization management, Perl
● Authentic: Liberty Alliance identity provider, Python
17 The FederID architecture (diagram: LDAP Directory; Circle of Trust containing the Authentic Identity Provider, Content Management [WUI], Attribute Provider [LAAP] and the SSO & Authorizations Service Provider; standard Web applications behind the Service Provider)
18 The FederID architecture
● Authentic:
– Liberty Alliance identity provider
– Authenticates users against an LDAP server, a database or simple flat text files
– LDAP authentication is enforced within FederID
– Can forward LDAP attributes into SAML responses
19 The FederID architecture
● LemonLDAP::NG:
– WebSSO product based on Apache Perl handler technology
– Offers three modules:
● Handler: protects the application
● Portal: where the user is redirected when not authenticated
● Manager: graphical interface for configuring LemonLDAP::NG
20 The FederID architecture (sequence diagram: Protected Area, Agent (Handler), WebSSO Portal, Sessions, LDAP, Identity Provider, Assertion Consumer; user/password exchange in numbered steps 1 to 15, not recoverable from the text)
21 The FederID architecture
● InterLDAP-LAAP:
– Liberty Alliance Attribute Provider
– ID-FF and ID-WSF frameworks
– Maps the representation of a person between LDAP and Liberty Alliance
– Shares LDAP attributes through normalized Web Services
22 The FederID architecture (diagram: Users, LAAP, LDAP Directory, Service Provider, Identity Provider)
23 The FederID architecture
● InterLDAP-WUI:
– Content Management System for an LDAP directory
– Enriched schema designing the interface "on the fly"
– Authorization back-end
– Delegation is enabled by setting tree and group properties for each part of the Directory Information Tree
24 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion
25 Advanced use of LDAP
● SSO stack:
– Authentication against LDAP (or a Liberty Alliance IdP)
– Authorizations against an LDAP filter:
● First select the attributes needed for the filter
● Define logical groups: business => '(departmentUID=MyBusinessEntity)'
● Protect your area:
^/site/.*$ => $groups =~ /\bbusiness\b/
^/(js|css) => accept
default => deny
=> No need to manage groups in the directory!
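The authorization model of this slide, as an added Python example (not LemonLDAP::NG code, which is Perl): groups are computed from the user's LDAP attributes with an equality filter, then ordered URI rules decide, with "default => deny" last. The user entries and the extra "nonbusiness" group are constructed to show why the \b word boundaries in the rule matter.

```python
import re

# Constructed sample user entries, as the SSO portal would read them from LDAP
# after authentication (example data, not a real directory).
USERS = {
    "alice": {"uid": "alice", "departmentUID": "MyBusinessEntity"},
    "bob":   {"uid": "bob",   "departmentUID": "OtherEntity"},
    "carol": {"uid": "carol", "departmentUID": "NonBusinessEntity"},
}

# Logical groups, each defined by an LDAP equality filter evaluated against the
# user's own attributes at login time: nothing is stored in the directory.
GROUP_FILTERS = {
    "business":    "(departmentUID=MyBusinessEntity)",
    "nonbusiness": "(departmentUID=NonBusinessEntity)",
}

# Ordered protection rules: the first URI regex that matches decides; "default"
# applies when none does. $groups is the space-separated list of group names,
# so the word boundaries (\b) keep "nonbusiness" from matching "business".
RULES = [
    (r"^/(js|css)", lambda groups: True),                                   # accept
    (r"^/site/.*$", lambda groups: bool(re.search(r"\bbusiness\b", groups))),
]
DEFAULT_RULE = lambda groups: False                                          # deny


def matches_filter(entry, ldap_filter):
    """Evaluate one equality filter '(attr=value)' (no nesting, no wildcards)."""
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, value = m.groups()
    values = entry.get(attr, [])
    if isinstance(values, str):  # single-valued attribute
        values = [values]
    return value in values


def compute_groups(entry):
    """Return the $groups string for a user entry (names separated by spaces)."""
    return " ".join(sorted(name for name, f in GROUP_FILTERS.items()
                           if matches_filter(entry, f)))


def is_allowed(uid, uri):
    """Apply the ordered rules to a request URI for an authenticated user."""
    groups = compute_groups(USERS[uid])
    for pattern, rule in RULES:
        if re.search(pattern, uri):
            return rule(groups)
    return DEFAULT_RULE(groups)
```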
26 Advanced use of LDAP
● Standard LDAP schema: single/multi-valued, syntax, matching rules, ...
● Enriched schema:
– Labels/descriptions
– List of values/default value
– Visible/filterable/modifiable
– Double capture (value entered twice for confirmation)
27 Advanced use of LDAP
● The power of SQL for LDAP:
– LDAP Query Language (LQL)
– Read-only
– Run searches on the results of a primary search
– An LQL request can be stored as an LDAP attribute value
28 Advanced use of LDAP
● LQL functions:
– search/list/read (DN, FILTER)
– sup (DN, N): climb the tree from "DN" by "N" levels
– fsup (BASE, FILTER): return the first parent of "BASE" selected by "FILTER"
– and/or: union/intersection
– group (DNGROUP, DNMEMBER): check whether "DNMEMBER" belongs to "DNGROUP"
– concat: string concatenation
29 Advanced use of LDAP
● And some variables:
– $namingContext: suffix of the tree
– $targetDN: DN targeted by the operation
– $targetRDN: RDN targeted by the operation
– $authorDN: DN of the author of the operation (as bound on the directory)
– $authorRDN: RDN of the author of the operation
30 Advanced use of LDAP
● LQL example:
attribute(attribute(sup(search(ou=structs,$namingContext,$targetRDN),1),manager),cn)
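The LQL functions of slide 28 and the example expression above, worked as an added Python model (not InterLDAP's own code): an in-memory directory, search/sup/fsup/attribute over it, and the slide's expression evaluated end to end, which yields the cn of the manager of the parent entry of the target. Assumed: the RDN passed as FILTER is wrapped in parentheses, only equality filters are supported, and the directory contents are constructed.

```python
import re

NAMING_CONTEXT = "dc=example,dc=org"          # $namingContext

# Constructed in-memory directory (DN -> attributes); example data only.
DIRECTORY = {
    "ou=structs,dc=example,dc=org": {"ou": ["structs"]},
    "ou=sales,ou=structs,dc=example,dc=org": {
        "ou": ["sales"], "manager": ["uid=alice,ou=people,dc=example,dc=org"]},
    "ou=emea,ou=sales,ou=structs,dc=example,dc=org": {"ou": ["emea"]},
    "uid=alice,ou=people,dc=example,dc=org": {"uid": ["alice"], "cn": ["Alice Martin"]},
}

def _matches(dn, ldap_filter):
    """Equality filter '(attr=value)' against one entry (no nesting, no wildcards)."""
    attr, value = re.fullmatch(r"\((\w+)=([^)]*)\)", ldap_filter).groups()
    return value in DIRECTORY.get(dn, {}).get(attr, [])

def search(base, ldap_filter):
    """search(DN, FILTER): DNs of entries in the subtree of base matching the filter."""
    return [dn for dn in DIRECTORY
            if (dn == base or dn.endswith("," + base)) and _matches(dn, ldap_filter)]

def sup(dns, n):
    """sup(DN, N): climb N levels from each DN (escaped commas in RDNs not handled)."""
    return [dn.split(",", n)[-1] for dn in dns]

def fsup(base, ldap_filter):
    """fsup(BASE, FILTER): first ancestor of BASE (BASE included) selected by FILTER."""
    dn = base
    while dn:
        if _matches(dn, ldap_filter):
            return dn
        dn = dn.partition(",")[2]
    return None

def attribute(dns, name):
    """attribute(DNs, NAME): values of NAME over all DNs; DN-valued attributes chain."""
    return [v for dn in dns for v in DIRECTORY.get(dn, {}).get(name, [])]

def manager_cn_of_parent(target_dn):
    """The slide's expression, with $targetRDN taken from target_dn and used as filter."""
    target_rdn = target_dn.split(",", 1)[0]                    # $targetRDN, e.g. ou=emea
    base = "ou=structs," + NAMING_CONTEXT                      # ou=structs,$namingContext
    return attribute(attribute(sup(search(base, "(" + target_rdn + ")"), 1), "manager"), "cn")
```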
31 Advanced use of LDAP
● Proxy-Authz control:
– Before this control, one connection to the directory had to be maintained per user
– Now we can use a connection pool with rootdn binds + Proxy-Authz
● No-op:
– Goal: know whether a user can write before writing!
– Need to test the alternative 'Get effective rights'
32 Table of contents ● LINAGORA Group ● A question of Identity ● Liberty Alliance ● The FederID architecture ● Advanced use of LDAP ● Conclusion
33 Conclusion
Join us!
http://www.federid.org
federid-dev@federid.org
http://www.interldap.org
interldap-dev@objectweb.org
34 Thank you – Danke sehr
http://www.federid.org
http://www.interldap.org