lemonldap-ng/doc/pages/documentation/current/authremote.html
Xavier Guimard 8af300995c Update doc
2018-03-08 13:29:31 +01:00
<!DOCTYPE html>
<html lang="en" dir="ltr">
<head>
<meta charset="utf-8" />
<title>documentation:2.0:authremote</title>
<meta name="generator" content="DokuWiki"/>
<meta name="robots" content="index,follow"/>
<meta name="keywords" content="documentation,2.0,authremote"/>
<link rel="search" type="application/opensearchdescription+xml" href="lib/exe/opensearch.html" title="LemonLDAP::NG"/>
<link rel="start" href="authremote.html"/>
<link rel="contents" href="authremote.html" title="Sitemap"/>
<link rel="stylesheet" type="text/css" href="lib/exe/css.php.t.bootstrap3.css"/>
<!-- //if:usedebianlibs
<link rel="stylesheet" type="text/css" href="/javascript/bootstrap/css/bootstrap.min.css" />
//elsif:useexternallibs
<link rel="stylesheet" type="text/css" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.6/css/bootstrap.min.css" />
//elsif:cssminified
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.min.css" />
//else -->
<link rel="stylesheet" type="text/css" href="/static/bwr/bootstrap/dist/css/bootstrap.css" />
<!-- //endif -->
<script type="text/javascript">/*<![CDATA[*/var NS='documentation:2.0';var JSINFO = {"id":"documentation:2.0:authremote","namespace":"documentation:2.0"};
/*!]]>*/</script>
<script type="text/javascript" charset="utf-8" src="lib/exe/js.php.t.bootstrap3.js"></script>
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery/jquery.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/jquery-2.2.0.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery/dist/jquery.js"></script>
<!-- //endif -->
<!-- //if:usedebianlibs
<script type="text/javascript" src="/javascript/jquery-ui/jquery-ui.min.js"></script>
//elsif:useexternallibs
<script type="text/javascript" src="http://code.jquery.com/ui/1.10.4/jquery-ui.min.js"></script>
//elsif:jsminified
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.min.js"></script>
//else -->
<script type="text/javascript" src="/static/bwr/jquery-ui/jquery-ui.js"></script>
<!-- //endif -->
</head>
<body>
<div class="dokuwiki export container">
<!-- TOC START -->
<div id="dw__toc">
<h3 class="toggle">Table of Contents</h3>
<div>
<ul class="toc">
<li class="level1"><div class="li"><a href="#presentation">Presentation</a></div></li>
<li class="level1"><div class="li"><a href="#configuration">Configuration</a></div>
<ul class="toc">
<li class="level2"><div class="li"><a href="#main_llng_structure">Main LL::NG structure</a></div></li>
<li class="level2"><div class="li"><a href="#secondary_llng_structure">Secondary LL::NG structure</a></div></li>
<li class="level2"><div class="li"><a href="#exampleinteroperability_between_2_organizations">Example: interoperability between 2 organizations</a></div></li>
</ul></li>
</ul>
</div>
</div>
<!-- TOC END -->
<h1 class="sectionedit1" id="remote">Remote</h1>
<div class="level1">
<div class="table sectionedit2"><table class="inline table table-bordered table-striped">
<thead>
<tr class="row0 roweven">
<th class="col0 centeralign"> Authentication </th><th class="col1 centeralign"> Users </th><th class="col2 centeralign"> Password </th>
</tr>
</thead>
<tr class="row1 rowodd">
<td class="col0 centeralign"></td><td class="col1 centeralign"></td><td class="col2"> </td>
</tr>
</table></div>
<!-- EDIT2 TABLE [23-86] --><div class="notewarning">This module is a <abbr title="LemonLDAP::NG">LL::NG</abbr>-specific identity federation protocol. You should rather use standard protocols like <a href="idpsaml.html" class="wikilink1" title="documentation:2.0:idpsaml">SAML</a>, <a href="idpopenidconnect.html" class="wikilink1" title="documentation:2.0:idpopenidconnect">OpenID Connect</a> or <a href="idpcas.html" class="wikilink1" title="documentation:2.0:idpcas">CAS</a>.
</div>
</div>
<!-- EDIT1 SECTION "Remote" [1-289] -->
<h2 class="sectionedit3" id="presentation">Presentation</h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> The main portal is configured to use <abbr title="Cross Domain Authentication">CDA</abbr>. The secondary portal is declared in the Manager of the main <abbr title="LemonLDAP::NG">LL::NG</abbr> structure (otherwise the user will be rejected).</div>
</li>
<li class="level1"><div class="li"> The portal of the secondary <abbr title="LemonLDAP::NG">LL::NG</abbr> structure is configured to delegate authentication to a remote portal. A request to the main session database is done (through the <a href="soapsessionbackend.html" class="wikilink1" title="documentation:2.0:soapsessionbackend">SOAP session backend</a>) to make sure that the session exists.</div>
</li>
<li class="level1"><div class="li"> If <code>exportedAttr</code> is set, only those attributes are copied into the session database of the secondary <abbr title="LemonLDAP::NG">LL::NG</abbr> structure. Otherwise, all session data are copied.</div>
</li>
</ul>
<p>
<a href="documentation/remote-principle.png_documentation_2.0_authremote.html" class="media" title="documentation:remote-principle.png"><img src="documentation/remote-principle.png" class="mediacenter" alt="" /></a>
</p>
<ol>
<li class="level1"><div class="li"> A user tries to access an application in the secondary <abbr title="LemonLDAP::NG">LL::NG</abbr> structure without having a session in this area</div>
</li>
<li class="level1"><div class="li"> Redirection to the portal of the secondary area (transparent)</div>
</li>
<li class="level1"><div class="li"> Redirection to the portal of the main area and normal authentication (if not done before)</div>
</li>
<li class="level1"><div class="li"> Redirection to the portal of the secondary area (transparent)</div>
</li>
<li class="level1"><div class="li"> The secondary portal checks whether the remote session is available. This can be done via direct access to the session database or using SOAP access. It then creates the local session (applying the attribute filter)</div>
</li>
<li class="level1"><div class="li"> The user can now access the protected application</div>
</li>
</ol>
<div class="noteclassic">Note that if the user is already authenticated on the first portal, all redirections are transparent.
</div>
</div>
<!-- EDIT3 SECTION "Presentation" [290-1635] -->
<h2 class="sectionedit4" id="configuration">Configuration</h2>
<div class="level2">
</div>
<!-- EDIT4 SECTION "Configuration" [1636-1662] -->
<h3 class="sectionedit5" id="main_llng_structure">Main LL::NG structure</h3>
<div class="level3">
<p>
Go to the Manager, and:
</p>
<ul>
<li class="level1"><div class="li"> activate <abbr title="Cross Domain Authentication">CDA</abbr> in <code>General Parameters</code> » <code>Cookies</code> » <code>Multiple domains</code></div>
</li>
<li class="level1"><div class="li"> declare the secondary portal in <code>General Parameters</code> » <code>Advanced Parameters</code> » <code>Security</code> » <code>Trusted domains</code></div>
</li>
</ul>
</div>
<!-- EDIT5 SECTION "Main LL::NG structure" [1663-1919] -->
<h3 class="sectionedit6" id="secondary_llng_structure">Secondary LL::NG structure</h3>
<div class="level3">
<p>
Configure the portal to use the remote <abbr title="LemonLDAP::NG">LL::NG</abbr> structure.
</p>
<p>
In the Manager, go to <code>General Parameters</code> » <code>Authentication modules</code> and choose Remote for authentication and users.
</p>
<p>
Then, go to <code>Remote parameters</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Portal <abbr title="Uniform Resource Locator">URL</abbr></strong>: remote portal <abbr title="Uniform Resource Locator">URL</abbr></div>
</li>
<li class="level1"><div class="li"> <strong>Cookie name</strong> (optional): name of the cookie of the primary portal, if different from the one of the secondary portal</div>
</li>
<li class="level1"><div class="li"> <strong>Sessions module</strong>: set <code>Lemonldap::NG::Common::Apache::Session::SOAP</code> for <a href="soapsessionbackend.html" class="wikilink1" title="documentation:2.0:soapsessionbackend">SOAP session backend</a>.</div>
</li>
<li class="level1"><div class="li"> <strong>Sessions module options</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>proxy</strong>: SOAP sessions end point (see <a href="soapsessionbackend.html" class="wikilink1" title="documentation:2.0:soapsessionbackend">SOAP session backend</a> documentation)</div>
</li>
</ul>
</li>
</ul>
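<p>
The Manager settings of the two sections above, written out as configuration keys for both structures. This is an added example, not taken from the LL::NG documentation or project code: host names, the cookie name and the SOAP end point path are assumptions, and the key names are those of the LL::NG 2.0 configuration as known to the editor, to be checked against an export of your own Manager configuration.
</p>

```perl
# Added example, not part of the LL::NG documentation: the Remote setup
# expressed as lmConf keys. Host names, cookie name and the SOAP end point
# path below are assumptions; check key names against a Manager export.

# Main LL::NG structure: owns the real authentication backend.
my %mainConf = (
    portal => 'https://auth.main.example.com/',

    # General Parameters » Cookies » Multiple domains
    cda => 1,

    # General Parameters » Advanced Parameters » Security » Trusted domains.
    # List only the secondary portal host: CDA redirects are allowed to
    # every host declared here, so a wildcard widens the redirect surface.
    trustedDomains => 'auth.secondary.example.com',
);

# Secondary LL::NG structure: delegates authentication to the main portal.
my %secondaryConf = (
    portal => 'https://auth.secondary.example.com/',

    # General Parameters » Authentication modules: Remote for both
    authentication => 'Remote',
    userDB         => 'Remote',

    # Remote parameters » Portal URL
    remotePortal => 'https://auth.main.example.com/',

    # Remote parameters » Cookie name: only needed when the main portal's
    # cookie name differs from the local one (assumed to differ here)
    remoteCookieName => 'lemonldapmain',

    # Remote parameters » Sessions module, and its "proxy" option pointing
    # at the main structure's SOAP sessions end point (path is assumed)
    remoteGlobalStorage        => 'Lemonldap::NG::Common::Apache::Session::SOAP',
    remoteGlobalStorageOptions => {
        proxy => 'https://auth.main.example.com/sessions',
    },

    # Attribute filter: copy only these attributes into the local session
    # instead of the whole remote session (which side holds this key is
    # not stated in the documentation; assumed to be the secondary one)
    exportedAttr => 'uid mail cn',
);
```

Keeping <code>exportedAttr</code> to the attributes the secondary structure's applications actually need limits what a compromise of the secondary session database exposes.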
</div>
<!-- EDIT6 SECTION "Secondary LL::NG structure" [1920-2580] -->
<h3 class="sectionedit7" id="exampleinteroperability_between_2_organizations">Example: interoperability between 2 organizations</h3>
<div class="level3">
<p>
Using this, we can build a very simple interoperability system between 2 organizations using two <abbr title="LemonLDAP::NG">LL::NG</abbr> structures:
</p>
<ul>
<li class="level1"><div class="li"> each area has 2 portals:</div>
<ul>
<li class="level2"><div class="li"> One standard portal</div>
</li>
<li class="level2"><div class="li"> One remote portal that delegates authentication to the second organization (just another file on the same server)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> The normal portal has a link included in the authentication form pointing to the remote portal for the users of the other organization</div>
</li>
</ul>
<p>
So on each main portal, internal users can access normally, and users coming from the other organization just have to click on the link:
</p>
<p>
<a href="documentation/remote-interoperability.png_documentation_2.0_authremote.html" class="media" title="documentation:remote-interoperability.png"><img src="documentation/remote-interoperability.png" class="mediacenter" alt="" /></a>
</p>
<ol>
<li class="level1"><div class="li"> A user tries to access the portal</div>
</li>
<li class="level1"><div class="li"> An external user clicks the link to be redirected to the remote-type portal</div>
</li>
<li class="level1"><div class="li"> After redirection, normal authentication on the portal of the other organization</div>
</li>
<li class="level1"><div class="li"> Redirection back to the remote-type portal</div>
</li>
<li class="level1"><div class="li"> Validation of the session: the external user now has a local session</div>
</li>
</ol>
</div>
<!-- EDIT7 SECTION "Example: interoperability between 2 organizations" [2581-] --></div>
</body>
</html>