File: authremote.html
lemonldap-ng 1.3.3-1

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en"
 lang="en" dir="ltr">

<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title></title>
<!-- metadata -->
<meta name="generator" content="Offline" />
<meta name="version" content="Offline 0.1" />
<!-- style sheet links -->
<link rel="stylesheet" media="all" type="text/css" href="../../../css/all.css" />
<link rel="stylesheet" media="screen" type="text/css" href="../../../css/screen.css" />
<link rel="stylesheet" media="print" type="text/css" href="../../../css/print.css" />

</head>
<body>
<div class="dokuwiki export">




<h1><a name="remote" id="remote">Remote</a></h1>
<div class="level1">
<table class="inline">
	<tr class="row0 roweven">
		<th class="col0">Authentication </th><th class="col1"> Users </th><th class="col2"> Password </th>
	</tr>
	<tr class="row1 rowodd">
		<td class="col0 centeralign">  ✔  </td><td class="col1 centeralign">  ✔  </td><td class="col2"> </td>
	</tr>
</table>

<div class="notetip">This module implements an <acronym title="LemonLDAP::NG">LL::NG</acronym>-specific identity federation protocol. Prefer standard protocols such as <a href="../../documentation/1.3/idpsaml.html" class="wikilink1" title="documentation:1.3:idpsaml">SAML</a>, <a href="../../documentation/1.3/idpopenid.html" class="wikilink1" title="documentation:1.3:idpopenid">OpenID</a> or <a href="../../documentation/1.3/idpcas.html" class="wikilink1" title="documentation:1.3:idpcas">CAS</a> where the other party supports them.
</div>

</div>
<!-- SECTION "Remote" [1-263] -->
<h2><a name="presentation" id="presentation">Presentation</a></h2>
<div class="level2">
<ul>
<li class="level1"><div class="li"> The main portal is configured to use <acronym title="Cross Domain Authentication">CDA</acronym>. The secondary portal is declared in the Manager of the main <acronym title="LemonLDAP::NG">LL::NG</acronym> structure (otherwise the user will be rejected).</div>
</li>
<li class="level1"><div class="li"> The portal of the secondary <acronym title="LemonLDAP::NG">LL::NG</acronym> structure is configured to delegate authentication to a remote portal. Before creating a local session, it queries the main session database (through the <a href="../../documentation/1.3/soapsessionbackend.html" class="wikilink1" title="documentation:1.3:soapsessionbackend">SOAP session backend</a>) to verify that the session really exists.</div>
</li>
<li class="level1"><div class="li"> If <code>exportedAttr</code> is set, only the listed attributes are copied into the session database of the secondary <acronym title="LemonLDAP::NG">LL::NG</acronym> structure. Otherwise, all session data are copied, so set it unless the secondary area really needs everything the main portal stored.</div>
</li>
</ul>

<p>

<img src="../../../media/documentation/remote-principle.png" class="mediacenter" alt="" />

</p>
<ol>
<li class="level1"><div class="li"> The user tries to access an application in the secondary <acronym title="LemonLDAP::NG">LL::NG</acronym> structure without having a session in that area</div>
</li>
<li class="level1"><div class="li"> Redirection to the portal of the secondary area (transparent)</div>
</li>
<li class="level1"><div class="li"> Redirection to the portal of the main area and normal authentication (skipped if the user is already authenticated there)</div>
</li>
<li class="level1"><div class="li"> Redirection to the portal of the secondary area (transparent)</div>
</li>
<li class="level1"><div class="li"> The secondary portal checks that the remote session exists, either by direct access to the main session database or through <acronym title="Simple Object Access Protocol">SOAP</acronym> access. It then creates the local session (applying the attribute filter)</div>
</li>
<li class="level1"><div class="li"> The user can now access the protected application</div>
</li>
</ol>

<div class="noteclassic">Note that if the user is already authenticated on the main portal, all redirections are transparent.
</div>

</div>
<!-- SECTION "Presentation" [264-1609] -->
<h2><a name="configuration" id="configuration">Configuration</a></h2>
<div class="level2">

</div>
<!-- SECTION "Configuration" [1610-1636] -->
<h3><a name="main_llng_structure" id="main_llng_structure">Main LL::NG structure</a></h3>
<div class="level3">

<p>

In the Manager:
</p>
<ul>
<li class="level1"><div class="li"> activate <acronym title="Cross Domain Authentication">CDA</acronym> in <code>General Parameters</code> » <code>Cookies</code> » <code>Multiple domains</code></div>
</li>
<li class="level1"><div class="li"> declare secondary portal in <code>General Parameters</code> » <code>Advanced Parameters</code> » <code>Security</code> » <code>Trusted domains</code></div>
</li>
</ul>

</div>
<!-- SECTION "Main LL::NG structure" [1637-1893] -->
<h3><a name="secondary_llng_structure" id="secondary_llng_structure">Secondary LL::NG structure</a></h3>
<div class="level3">

<p>

Configure the portal to use the remote <acronym title="LemonLDAP::NG">LL::NG</acronym> structure.
</p>

<p>
In the Manager, go to <code>General Parameters</code> » <code>Authentication modules</code> and choose <code>Remote</code> for both authentication and users.
</p>

<p>
Then go to <code>Remote parameters</code>:
</p>
<ul>
<li class="level1"><div class="li"> <strong>Portal <acronym title="Uniform Resource Locator">URL</acronym></strong>: <acronym title="Uniform Resource Locator">URL</acronym> of the remote (main) portal</div>
</li>
<li class="level1"><div class="li"> <strong>Cookie name</strong> (optional): name of the main portal's cookie, if it differs from the secondary portal's</div>
</li>
<li class="level1"><div class="li"> <strong>Sessions module</strong>: set <code>Lemonldap::NG::Common::Apache::Session::<acronym title="Simple Object Access Protocol">SOAP</acronym></code> for <a href="../../documentation/1.3/soapsessionbackend.html" class="wikilink1" title="documentation:1.3:soapsessionbackend">SOAP session backend</a>.</div>
</li>
<li class="level1"><div class="li"> <strong>Sessions module options</strong>:</div>
<ul>
<li class="level2"><div class="li"> <strong>proxy</strong>: <acronym title="Simple Object Access Protocol">SOAP</acronym> sessions end point (see <a href="../../documentation/1.3/soapsessionbackend.html" class="wikilink1" title="documentation:1.3:soapsessionbackend">SOAP session backend</a> documentation)</div>
</li>
</ul>
</li>
</ul>
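<p>
The following is an added example, not code from the <acronym title="LemonLDAP::NG">LL::NG</acronym> project: it writes the settings above as they would appear in the main and secondary configurations, then models what the secondary portal does in step 5 of the Presentation flow (look the remote session up by the cookie value, reject it when it does not exist, and apply the <code>exportedAttr</code> filter). The parameter names (<code>cda</code>, <code>trustedDomains</code>, <code>authentication</code>, <code>userDB</code>, <code>remotePortal</code>, <code>remoteCookieName</code>, <code>remoteGlobalStorage</code>, <code>remoteGlobalStorageOptions</code>, <code>exportedAttr</code>), the host names, the <acronym title="Simple Object Access Protocol">SOAP</acronym> end point, the constructed in-memory session store and the <code>trustedDomains</code> matching rule are assumptions to check against your own Manager; the real portal ties <code>Lemonldap::NG::Common::Apache::Session::SOAP</code> where this script reads a plain hash.
</p>

```perl
#!/usr/bin/perl
# Added example (not LemonLDAP::NG code): configuration of both structures
# and a model of the secondary portal's remote session check.
# Parameter names, host names and the trustedDomains matching rule are
# assumptions; verify them against the Manager of your own installation.
use strict;
use warnings;

# --- Main structure: CDA on, secondary portal declared as trusted ---------
my %main_conf = (
    cda            => 1,
    trustedDomains => 'auth.secondary.example',    # space-separated list
);

# --- Secondary structure: authentication and users delegated to the main --
my %secondary_conf = (
    authentication             => 'Remote',
    userDB                     => 'Remote',
    remotePortal               => 'https://auth.main.example/',
    remoteCookieName           => 'lemonldap',      # cookie of the main portal
    remoteGlobalStorage        => 'Lemonldap::NG::Common::Apache::Session::SOAP',
    remoteGlobalStorageOptions => {
        proxy => 'https://auth.main.example/index.pl/sessions',
    },
    # Only these attributes reach the local session store. An empty value
    # copies the whole remote session, internal keys included.
    exportedAttr => 'uid mail cn',
);

# Constructed stand-in for the main session store that the SOAP backend
# would be queried for; in a real portal this is a TIEHASH on
# remoteGlobalStorage with remoteGlobalStorageOptions.
my %main_sessions = (
    a1b2c3 => {
        _session_id   => 'a1b2c3',
        _utime        => time,
        uid           => 'jdoe',
        mail          => 'jdoe@example.com',
        cn            => 'John Doe',
        _loginHistory => { successLogin => [ { _utime => time, ipAddr => '192.0.2.10' } ] },
    },
);

# Main side: only redirect the user back to a host covered by trustedDomains
# (modelled as exact host or subdomain match; assumption).
sub target_is_trusted {
    my ( $host, $conf ) = @_;
    return scalar grep { $host eq $_ || $host =~ /\.\Q$_\E\z/ }
        split /\s+/, $conf->{trustedDomains};
}

# Secondary side: look the session up by the value of the remote cookie.
# Values that cannot be a session id are rejected before any SOAP call.
sub fetch_remote_session {
    my ($id) = @_;
    return undef unless defined $id && $id =~ /^[0-9a-f]+\z/;
    return $main_sessions{$id};
}

# Apply the exportedAttr filter and return the data of the new local session.
sub build_local_session {
    my ( $remote, $exported_attr ) = @_;
    my %local;
    if ( defined $exported_attr && $exported_attr =~ /\S/ ) {
        for my $attr ( split /\s+/, $exported_attr ) {
            $local{$attr} = $remote->{$attr} if exists $remote->{$attr};
        }
    }
    else {
        %local = %$remote;
        delete $local{_session_id};    # the local store assigns its own id
    }
    return \%local;
}

# Step 5 end to end: (local session data, undef) or (undef, error message).
sub validate_remote_session {
    my ( $cookie_value, $conf ) = @_;
    my $remote = fetch_remote_session($cookie_value)
        or return ( undef, 'remote session not found, authenticate on the main portal first' );
    return ( build_local_session( $remote, $conf->{exportedAttr} ), undef );
}

# Demonstration on constructed input
printf "redirect to auth.secondary.example allowed by main portal: %s\n",
    target_is_trusted( 'auth.secondary.example', \%main_conf ) ? 'yes' : 'no';
printf "redirect to evil.example allowed by main portal: %s\n",
    target_is_trusted( 'evil.example', \%main_conf ) ? 'yes' : 'no';

for my $case (
    [ 'a1b2c3',   \%secondary_conf ],
    [ 'a1b2c3',   { %secondary_conf, exportedAttr => '' } ],
    [ 'deadbeef', \%secondary_conf ],
  ) {
    my ( $cookie, $conf ) = @$case;
    my ( $local, $err ) = validate_remote_session( $cookie, $conf );
    if ($err) { print "cookie=$cookie -> rejected ($err)\n"; next; }
    print "cookie=$cookie exportedAttr='$conf->{exportedAttr}' -> keys: ",
        join( ' ', sort keys %$local ), "\n";
}
```

<p>
Run it with <code>perl remote-check.pl</code>. The second case, with an empty <code>exportedAttr</code>, prints the internal keys (<code>_utime</code>, <code>_loginHistory</code>) that cross into the secondary store when no filter is set; the third case shows that a cookie value with no matching session in the main store is rejected instead of being trusted.
</p>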

</div>
<!-- SECTION "Secondary LL::NG structure" [1894-2554] -->
<h3><a name="exampleinteroperability_between_2_organizations" id="exampleinteroperability_between_2_organizations">Example: interoperability between 2 organizations</a></h3>
<div class="level3">

<p>

Using this, we can build a very simple interoperability system between 2 organizations using two <acronym title="LemonLDAP::NG">LL::NG</acronym> structures:
</p>
<ul>
<li class="level1"><div class="li"> each area has 2 portals:</div>
<ul>
<li class="level2"><div class="li"> One standard portal</div>
</li>
<li class="level2"><div class="li"> One remote portal that delegates authentication to the other organization (just another file on the same server)</div>
</li>
</ul>
</li>
<li class="level1"><div class="li"> The standard portal includes, in its authentication form, a link to the remote portal for users of the other organization</div>
</li>
</ul>

<p>

So on each standard portal, internal users log in normally, and users from the other organization only have to click the link:
</p>

<p>
<img src="../../../media/documentation/remote-interoperability.png" class="mediacenter" alt="" />

</p>
<ol>
<li class="level1"><div class="li"> A user tries to access the portal</div>
</li>
<li class="level1"><div class="li"> An external user clicks the link and is redirected to the remote-type portal</div>
</li>
<li class="level1"><div class="li"> After redirection, normal authentication on the other organization's portal</div>
</li>
<li class="level1"><div class="li"> Redirection back to the remote-type portal</div>
</li>
<li class="level1"><div class="li"> Validation of the session: the external user now has a local session</div>
</li>
</ol>

</div>
<!-- SECTION "Example: interoperability between 2 organizations" [2555-] --></div><!-- closes <div class="dokuwiki export">-->