lemonldap-ng-1.0-0.3.rc1mdv2011.0.noarch.rpm

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="fr" xml:lang="fr">
<head>
  <meta name="generator" content=
  "HTML Tidy for Linux/x86 (vers 7 December 2008), see www.w3.org" />

  <title>Lemonldap::NG documentation:
  4.5-Remote-authentication-backend.html</title>
  <meta http-equiv="Content-Type" content="text/html; charset=us-ascii" />
  <style type="text/css">
/*<![CDATA[*/
    body{
      background: #ddd;
      font-family: sans-serif;
      font-size: 11pt;
      padding: 0 50px;
    }
    div.main-content{
      padding: 10px;
      background: #fff;
      border: 2px #ccc solid;
    }
    a{
      text-decoration: none;
    }
    p.footer{
      text-align: center;
      margin: 5px 0 0 0;
    }
    .heading-1{
      text-align: center;
      color: orange;
      font-variant: small-caps;
      font-size: 20pt;
    }
    .heading-1-1{
      color: orange;
      font-size: 14pt;
      border-bottom: 2px #ccc solid;
    }
    pre{
      background: #eee;
      border: 2px #ccc solid;
      padding: 5px;
      border-left: 10px #ccc solid;
    }
    ul.star li{
      list-style-type: square;
    }
  /*]]>*/
  </style>
</head>

<body>
  <div class="main-content">
    <h2 class="heading-1"><span id="HChainingLemonpdap3A3ANGportals">Chaining
    Lemonldap::NG portals</span></h2>

    <p class="paragraph">Since version 0.9.4, Lemonldap::NG is able to
    delegate authentication to a remote portal. This can be used to share
    authentication with another set of handlers without giving them access to
    the main session database.</p>

    <p class="paragraph"></p>

    <ul>
      <li>
        <a href="#HPrinciple">Principle</a>

        <ul>
          <li><a href="#Hkinematic">kinematic</a></li>
        </ul>
      </li>

      <li>
        <a href="#HConfiguration">Configuration</a>

        <ul>
          <li><a href="#HMainLemonldap3A3ANGstructure">Main Lemonldap::NG
          structure</a></li>

          <li><a href="#HSecondaryLemonldap3A3ANGstructure">Secondary
          Lemonldap::NG structure</a></li>
        </ul>
      </li>

      <li><a href="#HExample3Ainteroperabilitybetween2organizations">Example :
      interoperability between 2 organizations</a></li>
    </ul>

    <h3 class="heading-1-1"><span id="HPrinciple">Principle</span></h3>

    <ul class="star">
      <li>The main portal is configured to use CDA (cross-domain
      authentication: just set "CDA =&gt; 1" in the portal). The secondary
      portal is declared in the manager of the main Lemonldap::NG structure
      as a protected site (otherwise the user will be rejected).</li>

      <li>The portal of the secondary Lemonldap::NG structure is configured to
      delegate authentication to a remote portal. A request is made to the
      main session database to check that the session really exists.</li>

      <li>If "exportedAttr" is set, only those attributes are copied into the
      session database of the secondary Lemonldap::NG structure. Otherwise,
      all session data is copied.</li>
    </ul>

    <h4 class="heading-1-1-1"><span id="Hkinematic">kinematic</span></h4>

    <p class="paragraph"></p><img src="remote-principle.png" alt=
    "remote-principle.png" />

    <ol>
      <li>The user tries to access an application in the secondary
      Lemonldap::NG structure without having a session in this area</li>

      <li>Redirection to the portal of the secondary area (transparent)</li>

      <li>Redirection to the portal of the main area and normal authentication
      (if not already done)</li>

      <li>Redirection to the portal of the secondary area (transparent)</li>

      <li>The secondary portal checks whether the remote session is
      available. This can be done via direct access to the session database
      or using <span class="wikilink"><a href=
      "4.4-SOAP-session-backend.html">SOAP access</a></span>. It then creates
      the local session (applying the attribute filter)</li>

      <li>The user can now access the protected application</li>
    </ol>Note that if the user is already authenticated on the main portal,
    all redirections are transparent.
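
    <p class="paragraph">What the secondary portal does at step 5, written
    out as an added example (this is not Lemonldap::NG's own code, and the
    real portal reads the remote session through its configured
    remoteGlobalStorage, directly or over SOAP). A plain Perl hash stands in
    for the main area's session database; the sample session, the
    <code>_session_id</code>/<code>_utime</code>/<code>_password</code>
    fields, the 72000-second maximum age and the helper names
    <code>filter_attributes</code>, <code>create_local_session</code> and
    <code>exported_names</code> are all constructed for this illustration.
    <code>filter_attributes</code> applies the same whitespace-separated
    syntax as the exportedAttr option, with "copy everything" as the default
    described above.</p>

```perl
#!/usr/bin/perl
# Added illustration of step 5 of the flow above. This is NOT Lemonldap::NG
# code: the real secondary portal reads the remote session through its
# configured remoteGlobalStorage (direct database access or SOAP). Here a
# plain hash stands in for the main area's session database.
use strict;
use warnings;
use Digest::SHA qw(sha1_hex);

# Constructed sample: the main area's session database, keyed by session id.
# In the real flow the id arrives with the CDA redirect from the main portal.
# _session_id and _utime follow the layout this example assumes for a session
# (id and creation time); _password is a constructed example of a sensitive
# value that must not leak into the secondary area.
my %remote_sessions = (
    'a1b2c3d4' => {
        _session_id => 'a1b2c3d4',
        _utime      => time(),
        uid         => 'jdoe',
        cn          => 'John Doe',
        mail        => 'jdoe@example.org',
        memberOf    => 'cn=admins,ou=groups,dc=example,dc=org',
        _password   => 'must-not-be-copied',
    },
);

# Local session database of the secondary area (also a plain hash here).
my %local_sessions;

# Same syntax as the exportedAttr option: a whitespace-separated list of
# attribute names. An empty or undefined value means "copy everything",
# which is the default described in the Principle section.
sub filter_attributes {
    my ( $remote, $exported_attr ) = @_;
    return {%$remote} unless defined $exported_attr and length $exported_attr;
    my %out;
    for my $name ( split /\s+/, $exported_attr ) {
        $out{$name} = $remote->{$name} if exists $remote->{$name};
    }
    return \%out;
}

# Validate the remote session and create the local one. Returns the new local
# session id, or undef when the remote session is unknown or too old (the
# user is then sent back to the main portal instead of being let in).
sub create_local_session {
    my ( $remote_id, $exported_attr, $max_age ) = @_;
    $max_age //= 72000;    # assumed value, not a Lemonldap::NG default

    # 5a: the session must exist in the main area.
    my $remote = $remote_sessions{$remote_id} or return;

    # 5b: and must not be older than the accepted age.
    return if time() - $remote->{_utime} > $max_age;

    # 5c: copy only the wanted attributes. The remote id is never reused: the
    # local id is freshly generated so the two areas never share one.
    my $data = filter_attributes( $remote, $exported_attr );
    delete $data->{_session_id};

    my $local_id = sha1_hex( join '', time(), rand(), $$ );
    $local_sessions{$local_id} = { %$data, _session_id => $local_id, _utime => time() };
    return $local_id;
}

# Attribute names stored in a local session, excluding internal _ fields.
sub exported_names {
    my ($local_id) = @_;
    my @names = sort { $a cmp $b } grep { !/^_/ } keys %{ $local_sessions{$local_id} };
    return @names;
}

# A valid remote session with the filter from the configuration example:
# only uid, cn and mail reach the secondary area; memberOf and _password
# stay in the main area.
my $id = create_local_session( 'a1b2c3d4', 'uid cn mail' );
print "local session created with: ", join( ', ', exported_names($id) ), "\n";

# Without exportedAttr everything is copied, _password included.
my $id2 = create_local_session('a1b2c3d4');
print "unfiltered copy contains _password\n" if exists $local_sessions{$id2}{_password};

# An unknown remote session id is rejected.
print defined( create_local_session('deadbeef') ) ? "accepted\n" : "rejected\n";
```

    <p class="paragraph">Run it with <code>perl</code>. The two points worth
    keeping from it: exportedAttr acts as a whitelist, so a Remote portal
    should set it unless the secondary area really needs every attribute the
    main portal stores in the session, and the local session gets its own
    freshly generated id rather than reusing the one received from the main
    area.</p>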

    <h3 class="heading-1-1"><span id=
    "HConfiguration">Configuration</span></h3>

    <h4 class="heading-1-1-1"><span id="HMainLemonldap3A3ANGstructure">Main
    Lemonldap::NG structure</span></h4>

    <ul class="star">
      <li>Portal: set "CDA =&gt; 1",</li>

      <li>Manager: declare the secondary portal in protected sites.</li>
    </ul>

    <h4 class="heading-1-1-1"><span id=
    "HSecondaryLemonldap3A3ANGstructure">Secondary Lemonldap::NG
    structure</span></h4>

    <p class="paragraph">Configure the portal to use the remote
    Lemonldap::NG structure. Example:</p>

    <div class="code">
      <pre>
my $p = Lemonldap::NG::Portal-&gt;new( {
  # Both authentication and user data are delegated to the remote (main) portal
  authentication             =&gt; 'Remote',
  userDB                     =&gt; 'Remote',
  remotePortal               =&gt; 'https://remote/',
  # Access to the main area's session database, here through SOAP (see 4.4)
  remoteGlobalStorage        =&gt; 'Lemonldap::NG::Common::Apache::Session::SOAP',
  remoteGlobalStorageOptions =&gt; {
    proxy =&gt; 'https://remote/index.pl/sessions',
    ns    =&gt; 'https://remote/Lemonldap/NG/Common/CGI/SOAPService',
  },
  # Optional: restrict exported attributes in the secondary area
  exportedAttr               =&gt; 'uid cn mail',
  ... as usual ...
});
</pre>
    </div>

    <h3 class="heading-1-1"><span id=
    "HExample3Ainteroperabilitybetween2organizations">Example :
    interoperability between 2 organizations</span></h3>

    <p class="paragraph">Using this, we can build a very simple
    interoperability system between 2 organizations that both use
    Lemonldap::NG:</p>

    <ul class="star">
      <li>each area has 2 portals:

        <ul class="star">
          <li>1 normal portal</li>

          <li>1 portal of type Remote that delegates authentication to the
          other organization (just another script on the same server)</li>
        </ul>
      </li>

      <li>The normal portal has a link included in the authentication form
      pointing to the Remote portal, for the users of the other
      organization</li>
    </ul>So on each main portal, internal users log in normally, and users
    from the other organization just have to click on the link:

    <p class="paragraph"></p><img src="remote-interoperability.png" alt=
    "remote-interoperability.png" />

    <ol>
      <li>A user tries to access the portal</li>

      <li>External users click the link to be redirected to the Remote type
      portal</li>

      <li>After redirection, normal authentication on the other
      organization's portal</li>

      <li>Redirection back to the Remote type portal</li>

      <li>Validation of the session: the external user now has a local
      session</li>
    </ol>
  </div>

  <p class="footer"><a href="index.html">Index</a></p>
</body>
</html>