Identity Management (Re)discovering authorization APIs and LDAP model binding Clément OUDOT OpenWorldForum - 01/12/2008
Speaker: Clément OUDOT
- Works for LINAGORA Group since 2003
- Takes part in important LDAP projects (e.g. the Ministry of Finance LDAP migration)
- FederID project leader
- Involved in many IAM free software projects: LemonLDAP::NG, InterLDAP, LSC project, charge, OpenLDAP
- Technical expert for LinID, the LINAGORA IAM and federation suite
LINAGORA Group
With more than 160 employees and offices in Paris, Brussels, San Francisco, Lyon, Marseille and Toulouse, LINAGORA Group is a French leader in free software and aims to become one of the most important European companies in this part of the IT market. LINAGORA Group defines itself as a Service Oriented Editor (SOE). Its goals:
- to develop free software with its R&D team;
- to become a trusted bridge between open source communities or editors and customers/users;
- to sell them an Open Source Software Assurance;
- and finally, to be an open source expert.
IAM: a question of identity
- A digital identity is a set of attributes describing an entity
- A subset of those attributes, the credentials, is used for authentication
- An entity (a user) can own many identities
- Each identity has roles and rights within an application (service provider)
IAM: a question of identity
Service providers manage the identities:
- For a service provider: 1 user = 1 identity
- For a user: 1 service = 1 identity
IAM: a question of identity
We need identity management!
- A referential of identities (LDAP directory)
- Provisioning services
- Access control on data (LDAP ACLs)
- Access control on applications (SSO rules)
We need identity federation!
- Keep different identities for private-life purposes
- Federate accounts to benefit from other services
Why use LDAP?
LDAP directories:
- Hierarchical view
- Object data model
- Integrated security functions (bind, SASL, TLS)
- A STANDARD (LDAPv3, 1998)
- Speed, scalability, replication, ...
A big offer in open source:
- OpenLDAP
- ApacheDS
- OpenDS (Sun)
- Fedora Directory Server
- Mandriva Directory Server
Federation standards
Parallel standards:
- Liberty Alliance: ID-FF, ID-WSF, ID-SIS
- Shibboleth (Internet2)
- WS-* (Microsoft)
- SAML (OASIS)
- OpenID (the newcomer)
Standards convergence:
- Shibboleth and Liberty Alliance will share a common standard: SAML 2.0
Authorization?
Authorization comes after authentication.
Authorization covers:
- Access to data
- Access to applications
But applications have access to data...
Access to data
Scope:
- Publish information for employees (white pages/yellow pages)
- Edit information (self-service/administration)
- Authentication
Problem: how to describe the relations between actors, targets and operations?
Each directory product provides its own way of writing Access Control Lists (ACLs).
InterLDAP suggests one solution: the LDAP Query Language (LQL).
LDAP Query Language
- Read-only
- Performs searches on the results of a primary search
- An LQL request can be stored as an LDAP attribute value
LQL example:
  attribute(attribute(sup(search(ou=structs,$namingcontext,$targetrdn),1),manager),cn)
LDAP Query Language
LQL functions:
- search/list/read (DN, FILTER)
- sup (DN, N): raise the tree from DN for N levels
- fsup (BASE, FILTER): return the first parent of BASE selected by FILTER
- and/or: intersection/union
- group (DNGROUP, DNMEMBER): check whether DNMEMBER belongs to DNGROUP
- concat: string concatenation
LDAP Query Language
And some variables:
- $namingcontext: suffix of the tree
- $targetdn: DN targeted by the operation
- $targetrdn: RDN targeted by the operation
- $authordn: DN of the author of the operation (as bound on the directory)
- $authorrdn: RDN of the author of the operation
LDAP Query Language
LQL is used to configure the InterLDAP-WUI authorization framework (XML). Example:
  <property name="name" value="interldapdemousager_r_self"/>
  <property name="module" value=""/>
  <property name="relation"><value><![CDATA[
    list("${ldap.interldapdemo.usagers.ou}",
         "(&(mail=$principalrdn)(mail=$targetrdn))");
  ]]></value></property>
  <property name="targetdn" value="${ldap.interldapdemo.usagers.ou}"/>
  <property name="rights" value="r"/>
  <property name="attributes">
    <list>
      <value>mail</value>
      <value>cn</value>
    </list>
  </property>
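To make the LQL slides above concrete, here is an added toy evaluator for the functions and variables listed there, run against a constructed in-memory directory. It is illustrative code written for this page, not InterLDAP's LQL engine, and it fills in what the slides leave open as assumptions: attribute(SET, NAME), which the example expression uses but the function list omits, collects the NAME values of every entry in SET; for search/list/read/fsup an unquoted DN may contain commas, so everything before the last argument (the FILTER) is re-joined as the base DN, while double-quoted arguments are taken as-is; group() returns the member DN when it belongs to the group and an empty set otherwise; filters are a single equality or an & of equalities. The directory entries, DNs and the admins group are constructed sample data.

```python
import re

NAMING_CONTEXT = "dc=example,dc=org"

# Constructed sample directory (not from the slides): DN -> attribute lists.
DIRECTORY = {
    "ou=people,dc=example,dc=org": {"ou": ["people"]},
    "cn=alice,ou=people,dc=example,dc=org": {"cn": ["alice"]},
    "cn=bob,ou=people,dc=example,dc=org": {"cn": ["bob"]},
    "cn=admins,ou=groups,dc=example,dc=org": {
        "cn": ["admins"], "member": ["cn=alice,ou=people,dc=example,dc=org"]},
    "ou=structs,dc=example,dc=org": {"ou": ["structs"]},
    "ou=sales,ou=structs,dc=example,dc=org": {
        "ou": ["sales"], "manager": ["cn=alice,ou=people,dc=example,dc=org"]},
    "cn=bob,ou=sales,ou=structs,dc=example,dc=org": {"cn": ["bob"]},
}

CALL = re.compile(r"^(\w+)\((.*)\)$", re.S)


def _parent(dn):
    return dn.split(",", 1)[1] if "," in dn else ""


def _in_scope(dn, base, one_level):
    return _parent(dn) == base if one_level else (dn == base or dn.endswith("," + base))


def _matches(entry, flt):
    """Filter subset: 'a=b', '(a=b)', '(&(a=b)(c=d))'; '*' matches everything."""
    flt = flt.strip()
    if flt.startswith("(&"):
        return all(_matches(entry, sub) for sub in re.findall(r"\(([^()]*)\)", flt[2:-1]))
    flt = flt.strip("()")
    if flt in ("", "*", "objectClass=*"):
        return True
    attr, _, value = flt.partition("=")
    return value in entry.get(attr.strip(), [])


def _split_args(text):
    """Split on top-level commas, honouring parentheses and double quotes."""
    args, cur, depth, quoted = [], "", 0, False
    for ch in text:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        elif not quoted and ch == "," and depth == 0:
            args.append(cur.strip())
            cur = ""
            continue
        cur += ch
    args.append(cur.strip())
    return args


def evaluate(expr, variables):
    """Set-valued functions return a set of DNs/values; literals return a str
    with $variables expanded (and surrounding double quotes removed)."""
    expr = expr.strip()
    call = CALL.match(expr)
    if call is None:
        return re.sub(r"\$(\w+)", lambda m: variables[m.group(1)], expr.strip('"'))
    name, args = call.group(1), _split_args(call.group(2))
    if name in ("search", "list", "read", "fsup"):
        # Assumption: unquoted DNs contain commas, so every argument before
        # the last one (the FILTER) is re-joined to form the DN.
        base = evaluate(",".join(args[:-1]), variables)
        flt = evaluate(args[-1], variables)
        if name == "read":
            return {base} if base in DIRECTORY and _matches(DIRECTORY[base], flt) else set()
        if name == "fsup":  # first ancestor of BASE selected by FILTER
            dn = _parent(base)
            while dn and not _matches(DIRECTORY.get(dn, {}), flt):
                dn = _parent(dn)
            return {dn} if dn else set()
        return {dn for dn, entry in DIRECTORY.items()
                if _in_scope(dn, base, name == "list") and _matches(entry, flt)}
    vals = [evaluate(a, variables) for a in args]
    if name == "sup":  # raise the tree N levels from each DN, dropping the root
        out = set()
        for dn in vals[0]:
            for _ in range(int(vals[1])):
                dn = _parent(dn)
            out.add(dn)
        return out - {""}
    if name == "attribute":  # assumed semantics: values of NAME over the DNs in SET
        return {v for dn in vals[0] for v in DIRECTORY.get(dn, {}).get(vals[1], [])}
    if name == "and":
        return set.intersection(*vals)
    if name == "or":
        return set.union(*vals)
    if name == "group":  # assumed: the member DN if it is in DNGROUP's member, else empty
        return {vals[1]} if vals[1] in DIRECTORY.get(vals[0], {}).get("member", []) else set()
    if name == "concat":
        return "".join(vals)
    raise ValueError("unknown LQL function: " + name)


def manager_of_target_struct(target_rdn):
    """The slide's example: cn of the manager of the structure holding $targetrdn."""
    variables = {"namingcontext": NAMING_CONTEXT, "targetrdn": target_rdn}
    return evaluate("attribute(attribute(sup(search(ou=structs,$namingcontext,"
                    "$targetrdn),1),manager),cn)", variables)


def author_is_admin(author_dn):
    """group() check; the DNs are double-quoted because they contain commas."""
    variables = {"namingcontext": NAMING_CONTEXT, "authordn": author_dn}
    return bool(evaluate('group("cn=admins,ou=groups,$namingcontext", "$authordn")', variables))
```

Reading the example expression inside out: search() finds the entry named by $targetrdn under ou=structs, sup(..., 1) climbs to the structure it sits in, attribute(..., manager) follows the structure's manager DN, and the outer attribute(..., cn) yields that manager's name. A real engine would run each step as an LDAP search against the directory rather than against a dict, and would need an unambiguous quoting rule for DNs in arguments.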
LinID Content Manager
Main components
Screenshot of LinID Content Manager
Some interesting LDAP controls
Proxy-Authz control:
- Before this control, one connection to the directory had to be maintained per user
- Now a pool of connections bound as rootdn can be used, with Proxy-Authz to run each operation under the user's identity
No-op control:
- Goal: know whether a user may write before actually writing!
- The alternative, 'Get effective rights', still needs to be tested
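The security-relevant detail of the Proxy-Authz approach is that the control must be marked critical: RFC 4370 requires it, and a server that silently ignored a non-critical control would execute the operation with the pooled rootdn identity instead of the user's. The following added example (written for this page, not LinID code) encodes the control as it goes on the wire (RFC 4511 Control structure, RFC 4370 OID) with a minimal BER encoder and parses it back, rejecting a proxy-authz control that is not critical; in practice a client library does the encoding (python-ldap's ProxyAuthzControl, for instance), and the pooled connection that would send it is assumed and not shown. The authorization identity is passed in the RFC 4513 'dn:' or 'u:' form; the empty string means anonymous.

```python
PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"  # RFC 4370


def _ber_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def encode_proxy_authz_control(authz_id):
    """Control ::= SEQUENCE { controlType OCTET STRING, criticality BOOLEAN,
    controlValue OCTET STRING }; the value is the raw authzId (RFC 4370)."""
    if authz_id and not authz_id.startswith(("dn:", "u:")):
        raise ValueError("authzId must use the 'dn:' or 'u:' form (empty = anonymous)")
    return _tlv(0x30,
                _tlv(0x04, PROXY_AUTHZ_OID.encode("ascii"))
                + _tlv(0x01, b"\xff")                 # criticality MUST be TRUE
                + _tlv(0x04, authz_id.encode("utf-8")))


def _read_tlv(data, pos):
    """Read one BER TLV at pos; returns (tag, body, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length


def decode_control(data):
    """Server-side view: parse a Control into (oid, criticality, value) and
    refuse a proxy-authz control that is not critical."""
    tag, body, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single BER SEQUENCE")
    tag, oid, pos = _read_tlv(body, 0)
    if tag != 0x04:
        raise ValueError("controlType must be an OCTET STRING")
    critical, value = False, None            # criticality defaults to FALSE
    while pos < len(body):
        tag, field, pos = _read_tlv(body, pos)
        if tag == 0x01:
            critical = field != b"\x00"
        elif tag == 0x04:
            value = field
    oid = oid.decode("ascii")
    if oid == PROXY_AUTHZ_OID and not critical:
        raise ValueError("proxy authorization control must be critical (RFC 4370)")
    return oid, critical, value
```

The other half of the design is on the server: the pooled identity needs an authzTo rule (or the equivalent in the product used) restricted to the set of users it may impersonate, so that a compromised application cannot proxy as the directory administrator.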
Access to applications
Legacy applications: authorize by creating/deleting accounts.
Open web applications: authorize by delegating authentication and authorization to a dedicated service:
- WebSSO server
- Federation Identity Provider
LinID Access Manager (LemonLDAP::NG) offers a full WebSSO service, linked to the LDAP directory to manage authentication and authorization:
- Native LDAP authentication
- LDAP filters or LDAP groups to manage authorizations
- LDAP password policy
LemonLDAP::NG can delegate its own authentication to Kerberos, SSL, Liberty Alliance, ...
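When a WebSSO derives authorizations from LDAP filters and groups, two things are worth getting right: the filter built from a user-controlled value (the login, a DN) has to be escaped per RFC 4515, otherwise a login such as * or x)(uid=admin rewrites the filter; and the per-URL rules are evaluated in order against the session attributes loaded at login, with a catch-all default last. The added example below (written for this page; LemonLDAP::NG's own rules are Perl expressions evaluated by its handler) shows an unsafe filter beside its escaped form, a group lookup filter, and a small rule table; the groupOfNames search, the rule syntax and the session field names are assumptions.

```python
import re


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter:
    NUL, '(', ')', '*' and '\\' become '\\XX' hex escapes."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def uid_filter_unsafe(uid):
    """What not to do: uid='*' matches everyone, uid='x)(uid=admin' rewrites the filter."""
    return "(uid=%s)" % uid


def uid_filter(uid):
    """Hardened form: the user-supplied login is escaped before interpolation."""
    return "(uid=%s)" % escape_filter_value(uid)


def member_groups_filter(user_dn):
    """Assumed group lookup: groupOfNames entries listing the user's DN as a member."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


# Constructed per-URL rules for one virtual host: (URL regex, predicate over the
# session), tried in order, catch-all default last.  The session dict stands in
# for the attributes the WebSSO loaded from LDAP at login (all names assumed).
RULES = [
    (re.compile(r"^/admin/"), lambda s: "admins" in s["groups"]),
    (re.compile(r"^/logout$"), lambda s: True),
    (re.compile(r"^/hr/"), lambda s: s.get("ou") == "hr" or "admins" in s["groups"]),
    (re.compile(r""), lambda s: s.get("authenticated", False)),  # default rule
]


def authorize(path, session):
    """First matching rule decides; deny if, against expectation, nothing matches."""
    for pattern, rule in RULES:
        if pattern.search(path):
            return bool(rule(session))
    return False
```

Note that the group filter escapes the user's DN even though it came from the directory itself: a DN component may legitimately contain parentheses or a star, and the escape keeps the filter meaning what it is meant to mean.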
How WebSSO works
LinID Access Manager
Screenshot of the WebSSO Manager
Liberty Alliance
Founded in 2001 by Sun and 13 other partners; more than 150 members.
Goals:
- An open federation standard
- Respect of private life in the digital space
3 frameworks:
- ID-FF (Identity Federation Framework) [now SAML 2.0]: SSO, SLO, ...
- ID-WSF (Identity Web Services Framework): attribute sharing, ...
- ID-SIS (Service Interface Specifications): service interactions, ...
A simple Liberty Alliance Circle of Trust (CoT) [diagram: Identity Provider, Attribute Provider and Service Providers inside the circle of trust, linked by user interaction and web service calls]
Identity federation workflow
More than one circle of trust [diagram: user interaction and web service calls spanning several circles of trust]
LinID Federation Manager
Sample architecture (FederID project) [diagram: Content Management (WUI), Identity Provider (Authentic) and Attribute Provider (LAAP) over an LDAP directory; a circle of trust providing SSO & authorizations to standard web applications behind a Service Provider]
Thanks for your attention