<?xml version="1.0" encoding="utf-8"?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr"> <head> <meta name="generator" content= "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" /> <title>Lemonldap::NG documentation: 4.5-Remote-authentication-backend.html</title> <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" /> <style type="text/css"> /*<![CDATA[*/ body{ background: #ddd; font-family: sans-serif; font-size: 11pt; padding: 0 50px; } div.main-content{ padding: 10px; background: #fff; border: 2px #ccc solid; } a{ text-decoration: none; } p.footer{ text-align: center; margin: 5px 0 0 0; } .heading-1{ text-align: center; color: orange; font-variant: small-caps; font-size: 20pt; } .heading-1-1{ color: orange; font-size: 14pt; border-bottom: 2px #ccc solid; } pre{ background: #eee; border: 2px #ccc solid; padding: 5px; border-left: 10px #ccc solid; } ul.star li{ list-style-type: square; } /*]]>*/ </style> </head> <body> <div class="main-content"> <h2 class="heading-1"><span id="HChainingLemonpdap3A3ANGportals">Chaining Lemonldap::NG portals</span></h2> <p class="paragraph"></p>Since version 0.9.4, Lemonldap::NG is able to delegate authentication to a remote portal. This can be used to share authentication with some handlers without sharing the session database with them.
<p class="paragraph"></p> <ul> <li> <a href="#HPrinciple">Principle</a> <ul> <li><a href="#Hkinematic">kinematic</a></li> </ul> </li> <li> <a href="#HConfiguration">Configuration</a> <ul> <li><a href="#HMainLemonldap3A3ANGstructure">Main Lemonldap::NG structure</a></li> <li><a href="#HSecondaryLemonldap3A3ANGstructure">Secondary Lemonldap::NG structure</a></li> </ul> </li> <li><a href="#HExample3Ainteroperabilitybetween2organizations">Example: interoperability between 2 organizations</a></li> </ul> <h3 class="heading-1-1"><span id="HPrinciple">Principle</span></h3> <ul class="star"> <li>The main portal is configured to use CDA (cross-domain authentication): just set "CDA => 1" in the portal configuration. The secondary portal must be declared in the manager of the main Lemonldap::NG structure (otherwise the user will be rejected).</li> <li>The portal of the secondary Lemonldap::NG structure is configured to delegate authentication to a remote portal. A request is made to the main session database to check that the session really exists.</li> <li>If "exportedAttr" is set, only those attributes are copied into the session database of the secondary Lemonldap::NG structure. Otherwise, all session data are copied.</li> </ul> <h4 class="heading-1-1-1"><span id="Hkinematic">kinematic</span></h4> <p class="paragraph"></p><img src="remote-principle.png" alt= "remote-principle.png" /> <ol> <li>The user tries to access an application in the secondary Lemonldap::NG structure without having a session in this area</li> <li>Redirection to the portal of the secondary area (transparent)</li> <li>Redirection to the portal of the main area and normal authentication (if not already done)</li> <li>Redirection to the portal of the secondary area (transparent)</li> <li>The secondary portal checks whether the remote session is available. This can be done via direct access to the session database or using <span class= "wikilink"><a href="4.4-SOAP-session-backend.html">SOAP access</a></span>.
Then it creates the local session (applying the attribute filter)</li> <li>The user can now access the protected application</li> </ol>Note that if the user is already authenticated on the main portal, all redirections are transparent. <h3 class="heading-1-1"><span id= "HConfiguration">Configuration</span></h3> <h4 class="heading-1-1-1"><span id="HMainLemonldap3A3ANGstructure">Main Lemonldap::NG structure</span></h4> <ul class="star"> <li>Portal: set "CDA => 1",</li> <li>Manager: declare the secondary portal in the protected sites.</li> </ul> <h4 class="heading-1-1-1"><span id= "HSecondaryLemonldap3A3ANGstructure">Secondary Lemonldap::NG structure</span></h4> <p class="paragraph"></p>Configure the portal to use the remote Lemonldap::NG structure. Example: <div class="code"> <pre>
my $p = Lemonldap::NG::Portal->new( {
    # Authenticate users against the remote (main) portal
    authentication => 'Remote',
    # Read user data from the remote session instead of a local user database
    userDB         => 'Remote',
    remotePortal   => 'https://remote/',
    # Access the main structure's session database over SOAP
    remoteGlobalStorage        => 'Lemonldap::NG::Common::Apache::Session::SOAP',
    remoteGlobalStorageOptions => {
        proxy => 'https://remote/index.pl/sessions',
        ns    => 'https://remote/Lemonldap/NG/Common/CGI/SOAPService',
    },
    # Optional: restrict the attributes copied into the secondary area
    exportedAttr => 'uid cn mail',
    ... as usual ...
} );
</pre> </div> <h3 class="heading-1-1"><span id= "HExample3Ainteroperabilitybetween2organizations">Example: interoperability between 2 organizations</span></h3> <p class="paragraph"></p>Using this, we can build a very simple interoperability system between 2 organizations that both use Lemonldap::NG: <ul class="star"> <li>each area has 2 portals: <ul class="star"> <li>1 normal portal</li> <li>1 portal of type Remote that delegates authentication to the other organization (just another file on the same server)</li> </ul> </li> <li>The normal portal has a link in its authentication form pointing to the Remote portal, for the users of the other organization</li> </ul>So on each main portal, internal users log in normally, and users from the other organization just have to click on the link: <p class="paragraph"></p><img src="remote-interoperability.png" alt= "remote-interoperability.png" /> <ol> <li>A user tries to access the portal</li> <li>External users click the link to be redirected to the Remote-type portal</li> <li>After redirection, normal authentication on the remote portal</li> <li>Redirection back to the Remote-type portal</li> <li>Validation of the session: the external user now has a local session</li> </ol> </div> <p class="footer"><a href="index.html">Index</a></p> </body> </html>