Differences

This shows you the differences between two versions of the page.

documentation:2.1:start [2019/05/16 13:47]
xguimard [Handlers]
documentation:2.1:start [2020/04/23 14:50] (current)
paucur [Well known compatible applications]
Line 93: Line 93:
 | [[authdemo|Demonstration]] |  ✔  |  ✔  |  ✔  | | [[authdemo|Demonstration]] |  ✔  |  ✔  |  ✔  |
 | [[authfacebook|Facebook]] |  ✔  |  ✔  |   | | [[authfacebook|Facebook]] |  ✔  |  ✔  |   |
 +| [[authgithub|GitHub]] |  ✔  |    |    |
 | [[authkerberos|Kerberos]] |  ✔  |    |    | | [[authkerberos|Kerberos]] |  ✔  |    |    |
 | [[authldap|LDAP]] |  ✔  |  ✔  |  ✔  | | [[authldap|LDAP]] |  ✔  |  ✔  |  ✔  |
Line 122: Line 123:
 | [[mail2f|E-mail Second Factor]] |  ✔  | | [[mail2f|E-mail Second Factor]] |  ✔  |
 | [[external2f|External Second Factor]] //(OTP, SMS,...)// |  ✔  | | [[external2f|External Second Factor]] //(OTP, SMS,...)// |  ✔  |
 +| [[radius2f|Radius Second Factor]] |  ✔  |
 | [[rest2f|REST Second Factor]] |  ✔  | | [[rest2f|REST Second Factor]] |  ✔  |
 | [[yubikey2f|Yubikey]] |  ✔  | | [[yubikey2f|Yubikey]] |  ✔  |
 +| [[sfextra|Additional second factors]] |  ✔  |
 ^ Auth addons ^  Authentication ​ ^ ^ Auth addons ^  Authentication ​ ^
 | [[autosignin|Auto Signin]] |  ✔  | | [[autosignin|Auto Signin]] |  ✔  |
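Review bot: ordering in the second-factor table is inconsistent after this change: `Radius Second Factor` is inserted alphabetically between `External` and `REST`, but `Additional second factors` is appended after `Yubikey`. Either move the new row into alphabetical position or, if it is meant as a catch-all that stays last, make that explicit in its description. Minor: the protocol name is usually written `RADIUS`; check the spelling against the linked page title.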
Line 148: Line 151:
  
 <​html></​div></​div></​html>​ <​html></​div></​div></​html>​
 +
 +<note tip>
 +* Issuers timeout : Delay for issuers to submit their authentication requests
 +
 +* To avoid a bad/expired token and lose redirection to the SP protected application after authentication if IdP URLs are served by different load balancers, you can force Issuer tokens to be stored into Global Storage by editing ''​lemonldap-ng.ini''​ in section [portal]:
 +
 +<file ini>
 +[portal]
 +forceGlobalStorageIssuerOTT = 1
 +</​file>​
 +</​note>​
  
 === Attacks and Protection === === Attacks and Protection ===
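Review bot: the second bullet of the new note is a run-on and the cause is only implied; consider: "If the IdP URLs are served by several load-balanced nodes, an issuer token created on one node may be rejected as bad or expired by another, and the redirection to the SP-protected application after authentication is lost. To force issuer tokens into Global Storage, edit ''lemonldap-ng.ini'' in section [portal]:". The first bullet, `Issuers timeout : Delay for issuers to submit their authentication requests`, names a concept but not the configuration parameter it refers to, and it has no relation to the second bullet; either name the parameter or move it to its own note.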
Line 180: Line 194:
 ^  Name  ^  Description ​ ^ ^  Name  ^  Description ​ ^
 | [[autosignin|Auto Signin]] | Auto Signin Addon | | [[autosignin|Auto Signin]] | Auto Signin Addon |
-| [[bruteforceprotection|Brute Force protection]] | User must wait to log in after failed login attempts |+| [[bruteforceprotection|Brute Force protection]] | User must wait to log in after some failed login attempts |
 | [[cda|CDA]] | Cross Domain Authentication | | [[cda|CDA]] | Cross Domain Authentication |
 | [[checkstate|Check state]] | Check state plugin (test page) | | [[checkstate|Check state]] | Check state plugin (test page) |
 | [[checkuser|Check user ]] | Check access rights, transmitted headers and session attibutes for a specific user and URL | | [[checkuser|Check user ]] | Check access rights, transmitted headers and session attibutes for a specific user and URL |
 +| [[contextswitching|Context switching]] | Switch context other users |
 | [[plugincustom|Custom]] | Write a custom plugin | | [[plugincustom|Custom]] | Write a custom plugin |
 +| [[decryptvalue|Decrypt value]] | Decrypt ciphered values |
 | [[loginhistory|Display login history]] | | [[loginhistory|Display login history]] |
 +| [[favapps|Display favorite applications]] | Allow users to mark and display some applications as favorite |
 | [[forceReAuthn|Force Authentication]] | Force authentication to access to Portal | | [[forceReAuthn|Force Authentication]] | Force authentication to access to Portal |
 | [[grantsession|Grant Sessions]] | Rules to apply before allowing a user to open a session | | [[grantsession|Grant Sessions]] | Rules to apply before allowing a user to open a session |
 | [[impersonation|Impersonation ]] | Allow users to use another identity | | [[impersonation|Impersonation ]] | Allow users to use another identity |
 | [[notifications|Notifications system]] | | [[notifications|Notifications system]] |
 +| [[refreshsessionapi|Refresh session API]] | Plugin that provides an API to refresh a user session |
 | [[status|Portal Status]] | Experimental portal status page | | [[status|Portal Status]] | Experimental portal status page |
 | [[public_pages|Public pages]] | Enable public pages system | | [[public_pages|Public pages]] | Enable public pages system |
 | [[resetpassword|Reset password by mail]] | | [[resetpassword|Reset password by mail]] |
 +| [[resetcertificate|Reset certificate by mail]] | Allow users to reset their certificate |
 | [[restservices|REST services]] | REST server for [[authproxy|Proxy]] | | [[restservices|REST services]] | REST server for [[authproxy|Proxy]] |
 | [[soapservices|SOAP services]] //​(deprecated)//​ | SOAP server for [[authproxy|Proxy]] | | [[soapservices|SOAP services]] //​(deprecated)//​ | SOAP server for [[authproxy|Proxy]] |
-| [[stayconnected|Stay connected]] | Enable persistent connection on same browser | +| Stay connected | Enable persistent connection on same browser | 
-| Upgrade session | Plugin that explain ​to user that a more secure ​authentication is needed ​instead of rejected it |+| Upgrade session | This plugin explains ​to an already authenticated ​user that a higher ​authentication ​level is required to access the URL instead of reject him |
  
 <​html></​div></​div></​html>​ <​html></​div></​div></​html>​
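Review bot: the `Stay connected` row loses its wiki link on the new side (old: `| [[stayconnected|Stay connected]] |`, new: `| Stay connected |`), while every other plugin in the table still links to its page; unless the stayconnected page was removed, restore `[[stayconnected|Stay connected]]`. Grammar in the added and changed rows: `Switch context other users` should read `Switch to another user's context`, and `instead of reject him` should read `instead of rejecting them`. While here, the unchanged `Check user` row has the typo `attibutes` for `attributes`.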
Line 209: Line 228:
  
 ^ Handler type ^  Apache ​ ^  LLNG FastCGI/​uWSGI server //(Nginx, or [[ssoaas|SSOaaS]])// ​ ^  [[https://​plackperl.org|Plack* servers]] ​ ^  Node.js //​([[http://​expressjs.com/​|express apps]] or [[SSOaaS]])// ​ ^  [[selfmadeapplication#​perl_auto-protected_cgi|Self protected apps]] ​ ^  Comment ​ ^ ^ Handler type ^  Apache ​ ^  LLNG FastCGI/​uWSGI server //(Nginx, or [[ssoaas|SSOaaS]])// ​ ^  [[https://​plackperl.org|Plack* servers]] ​ ^  Node.js //​([[http://​expressjs.com/​|express apps]] or [[SSOaaS]])// ​ ^  [[selfmadeapplication#​perl_auto-protected_cgi|Self protected apps]] ​ ^  Comment ​ ^
-| Main //(default handler)// |  ✔  |  ✔  |  ✔  |  [[nodehandler|Partial]] ​**(1)**  ​| ​ ✔  |  |+| Main //(default handler)// |  ✔  |  ✔  |  ✔  |  [[nodehandler|Partial]] (([[nodehandler|Node.js handler]] has not yet reached the same level of functionalities))  |  ✔  |  |
 | [[handlerauthbasic|AuthBasic]] |  ✔  |  ✔  |  ✔  |  |  ✔  | Designed for some server-to-server applications | | [[handlerauthbasic|AuthBasic]] |  ✔  |  ✔  |  ✔  |  |  ✔  | Designed for some server-to-server applications |
 | [[cda|CDA]] |  ✔  |  ✔  |  ✔  |  |  ✔  | For Cross Domain Authentication | | [[cda|CDA]] |  ✔  |  ✔  |  ✔  |  |  ✔  | For Cross Domain Authentication |
 | [[devopshandler|DevOps]] //​([[ssoaas|SSOaaS]])//​ |  ✔  |  ✔  |  ✔  |  ✔  |  | Allows application developers to define their own rules and headers inside their applications | | [[devopshandler|DevOps]] //​([[ssoaas|SSOaaS]])//​ |  ✔  |  ✔  |  ✔  |  ✔  |  | Allows application developers to define their own rules and headers inside their applications |
 | [[devopssthandler|DevOpsST]] //​([[ssoaas|SSOaaS]])//​ |  ✔  |  ✔  |  ✔  |  ✔  |  | Enables both [[devopshandler|DevOps]] and [[servertoserver|Service Token]] | | [[devopssthandler|DevOpsST]] //​([[ssoaas|SSOaaS]])//​ |  ✔  |  ✔  |  ✔  |  ✔  |  | Enables both [[devopshandler|DevOps]] and [[servertoserver|Service Token]] |
-| [[oauth2handler|OAuth2]] ​**(2)** ​|  ✔  |  ✔  |  ✔  |  |  ✔  | Uses OpenID Connect/​OAuth2 access token to check authentication and authorization,​ can be used to protect Web Services |+| [[oauth2handler|OAuth2]] |  ✔  |  ✔  |  ✔  |  |  ✔  | Uses OpenID Connect/​OAuth2 access token to check authentication and authorization,​ can be used to protect Web Services |
 | [[securetoken|Secure Token]] |  ✔  |  ✔  |  ✔  |  |  | Designed to secure exchanges between a LLNG reverse-proxy and a remote app | | [[securetoken|Secure Token]] |  ✔  |  ✔  |  ✔  |  |  | Designed to secure exchanges between a LLNG reverse-proxy and a remote app |
 | [[servertoserver|Service Token]] //​(Server-to-Server)//​ |  ✔  |  ✔  |  ✔  |  ✔  |  ✔  | Designed to permit underlying requests //​(API-Based Infrastructure)//​ | | [[servertoserver|Service Token]] //​(Server-to-Server)//​ |  ✔  |  ✔  |  ✔  |  ✔  |  ✔  | Designed to permit underlying requests //​(API-Based Infrastructure)//​ |
 || [[.:​applications:​zimbra|Zimbra PreAuth]] |  ✔  |  ✔  |  ✔  |  |  | || [[.:​applications:​zimbra|Zimbra PreAuth]] |  ✔  |  ✔  |  ✔  |  |  |
- 
-  * //(1): [[nodehandler|Node.js handler]] has not yet reached the same level of functionalities.//​ 
-  * //(2): [[oauth2handler|OAuth2 Handler]] is available with LLNG ≥ 2.0.4// 
  
 <​html></​div></​div></​html>​ <​html></​div></​div></​html>​
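Review bot: footnote (1) is carried over as an inline DokuWiki footnote `((...))` on the `Main` row, but footnote (2), `OAuth2 Handler is available with LLNG ≥ 2.0.4`, is dropped entirely from the `OAuth2` row rather than converted. If the reasoning is that this is the `documentation:2.1` page, where that version constraint is always satisfied, the removal is fine; otherwise convert it the same way so the two footnotes are treated consistently. Removing the trailing footnote list is correct once both are handled.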
Line 271: Line 287:
 <​html></​div></​div></​html>​ <​html></​div></​div></​html>​
  
 +<note tip>
 +You can migrate from one session backend to another using the [[changeSessionBackend|session conversion script]].</​note>​
 ===== Applications protection ===== ===== Applications protection =====
  
Line 283: Line 301:
   * [[formreplay|Form replay]]   * [[formreplay|Form replay]]
   * [[customhandlers|Custom Handlers]]   * [[customhandlers|Custom Handlers]]
 +  * [[webserviceprotection|WebServices / API]]
  
 <​html></​div></​div></​html>​ <​html></​div></​div></​html>​
Line 298: Line 317:
 <​html><​div class="​col-sm-3"></​html>​ <​html><​div class="​col-sm-3"></​html>​
 [[.:​applications:​alfresco|{{ :​applications:​alfresco_logo.png?​nolink |Alfresco}}]] [[.:​applications:​alfresco|{{ :​applications:​alfresco_logo.png?​nolink |Alfresco}}]]
 +<​html></​div></​html>​
 +
 +<​html><​div class="​col-sm-3"></​html>​
 +[[.:​applications:​awx|{{ :​applications:​logo-awx.png?​nolink |AWX}}]]
 <​html></​div></​html>​ <​html></​div></​html>​
  
Line 399: Line 422:
   * [[header_remote_user_conversion|Convert HTTP header into environment variable]]   * [[header_remote_user_conversion|Convert HTTP header into environment variable]]
   * [[renater|Connect to Renater Federation]]   * [[renater|Connect to Renater Federation]]
 +  * [[behindproxyminihowto|Run LemonLDAP::​NG components behind a reverse proxy]]
 +  * [[useoutgoingproxy|Configure LL::NG to use an outgoing proxy]]
  
 <​html></​div></​div></​html>​ <​html></​div></​div></​html>​