LemonLDAP::NG
LemonLDAP::NG is a modular, open-source WebSSO gateway and identity provider (IdP) written in Perl. It integrates with Apache, Nginx, or any PSGI server to handle authentication, enforce access policies, and inject user identity data into protected applications via HTTP headers. The platform supports direct app protection as well as federation protocol bridging (e.g., SAML ↔ OIDC).
Key Capabilities
- Standards-based federation (both roles): Functions as both an OpenID Connect Provider (Authorization Code, Implicit, Hybrid) and an OIDC Relying Party. Also supports SAML 2.0 IdP/SP and CAS server/client modes for full interoperability.
- Header-based and Web gateway SSO: Provides WebSSO through HTTP header injection, enabling attribute forwarding behind reverse proxies and protecting virtual hosts directly.
- Built-in MFA support: Includes WebAuthn 2FA, TOTP, and a combined U2F-or-TOTP authentication flow, with migration guidance from deprecated U2F to WebAuthn.
- Flexible authentication backends: Integrates with LDAP/Active Directory, Kerberos, HTTP auth, and external IdPs via SAML, OIDC, or CAS, all managed through its Portal component.
- Administrative and operational tooling: Offers CLI utilities, well-documented deployment for major Linux distributions, and an active documentation site for version 2.x.
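The header-injection gateway pattern from the list above, as an added Python model written for this page (it is not LemonLDAP::NG's Perl Handler): the handler picks the first matching per-location rule for a virtual host, redirects sessionless requests to the portal, enforces the rule against the session, and only then injects identity headers for the application. The session store, rule keywords, header names, vhost name and portal URL are constructed assumptions; in LemonLDAP::NG the rules are Perl expressions over session variables kept in the Manager's virtual-host configuration, and the session lives in a backend such as Apache::Session. The security point the code makes explicit is that any client-supplied copy of an exported header (Auth-User, Auth-Mail) is dropped before injection, so an application that trusts those headers cannot be fed a spoofed identity through the gateway.

```python
"""Simplified model of a header-injecting WebSSO handler in front of one
virtual host.  Added example, not LemonLDAP::NG code: the session store,
rule keywords, header names and portal URL are constructed assumptions."""
import base64
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple, Union

Session = Dict[str, object]
# A rule is the keyword "unprotect" (no login required, headers sent if a
# session exists) or "deny", or a predicate over the session.  The real
# Handler evaluates Perl expressions instead; the keywords are simplified.
Rule = Union[str, Callable[[Session], bool]]

# Constructed stand-in for the session backend, keyed by the SSO cookie value.
SESSIONS: Dict[str, Session] = {
    "s1": {"uid": "alice", "mail": "alice@example.org", "groups": ["users"]},
    "s2": {"uid": "bob", "mail": "bob@example.org", "groups": ["users", "admins"]},
}


@dataclass
class VHost:
    name: str
    portal: str
    # Ordered (path regex, rule) pairs: the first regex that matches decides.
    location_rules: List[Tuple[str, Rule]]
    # Applied when no location regex matches; keep it restrictive.
    default_rule: Rule
    # Header name -> session attribute injected for the application.
    exported_headers: Dict[str, str]


APP = VHost(
    name="app.example.org",
    portal="https://auth.example.org/",
    location_rules=[
        (r"^/public/", "unprotect"),
        (r"^/admin", lambda s: "admins" in s["groups"]),
    ],
    default_rule=lambda s: True,  # any authenticated user
    exported_headers={"Auth-User": "uid", "Auth-Mail": "mail"},
)


def select_rule(vhost: VHost, path: str) -> Rule:
    for pattern, rule in vhost.location_rules:
        if re.search(pattern, path):
            return rule
    return vhost.default_rule


def strip_spoofed(vhost: VHost, headers: Dict[str, str]) -> Dict[str, str]:
    """Drop client-supplied copies of the exported headers (case-insensitive),
    so a request carrying its own Auth-User cannot impersonate anyone."""
    reserved = {h.lower() for h in vhost.exported_headers}
    return {k: v for k, v in headers.items() if k.lower() not in reserved}


def inject(vhost: VHost, session: Optional[Session],
           headers: Dict[str, str]) -> Dict[str, str]:
    """Add the exported headers from the session, if there is one."""
    if session is not None:
        for header, attr in vhost.exported_headers.items():
            headers[header] = str(session[attr])
    return headers


def handle(vhost: VHost, path: str, session_id: Optional[str],
           headers: Dict[str, str]) -> Tuple[int, Dict[str, str]]:
    """Return (status, headers for the upstream app or for the response)."""
    rule = select_rule(vhost, path)
    upstream = strip_spoofed(vhost, headers)
    session = SESSIONS.get(session_id) if session_id else None
    if rule == "unprotect":
        return 200, inject(vhost, session, upstream)
    if session is None:
        # No valid SSO session: bounce to the portal, carrying the original
        # URL base64-encoded in the url parameter (assumed portal contract).
        target = f"https://{vhost.name}{path}"
        encoded = base64.b64encode(target.encode()).decode()
        return 302, {"Location": f"{vhost.portal}?url={encoded}"}
    if rule == "deny" or not rule(session):
        return 403, {}
    return 200, inject(vhost, session, upstream)


if __name__ == "__main__":
    # bob is an admin, and his spoofed Auth-User header is replaced.
    print(handle(APP, "/admin", "s2", {"Auth-User": "mallory"}))
```

In a real deployment the same guarantee depends on the web tier: the application must be reachable only through the handler (Apache, Nginx auth_request, or the PSGI wrapper), because a backend that accepts direct connections will trust whatever Auth-User value the caller sends.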
Limitations
- Provisioning and SCIM support: No official SCIM 2.0 server or provisioning API is documented.
- Advanced OAuth profiles: Current documentation covers core OIDC and OAuth 2.0 flows; there is no confirmation of support for PAR, DPoP, or mTLS-bound tokens.
- Operational complexity: As a self-hosted solution, administrators are responsible for managing the web tier, portal and handlers, session and configuration storage, and high availability (HA) configurations.
- U2F deprecation: Browser support for U2F has been deprecated; the project recommends transitioning all deployments to WebAuthn for ongoing compatibility.