[Zope-dev] Single Sign On
Reinout van Rees
reinout at vanrees.org
Wed Feb 18 19:28:53 EST 2009
Shane Hathaway wrote:
> * The SSO process should be very similar to an ordinary cookie-based
> login process. I don't want the user to have to enter their username on
> one form and their password on another, but that's the standard OpenID
> process.
>
> * This will be implemented in Zope 3.
>
> We are considering OpenID, Shibboleth, CAS, and any other mature system
> that others might suggest. Shibboleth seems like the most obvious fit,
> but it's nowhere near as popular as OpenID. I haven't yet looked at CAS
> in detail.
>
> Alternatively, I have wondered if we actually need full-blown SSO;
> perhaps a carefully constructed domain-wide cookie would do the trick.

In the two cases where I've been involved in SSO, both times there was
some Apache module that could handle the actual SSO part. The result
from Zope's viewpoint was either a special HTTP header or a special cookie.

Working from that header ("special_user=username_you_want") or cookie
with similar contents is easy with Zope2/Plone's PAS and thus also
Zope2's authentication system, which is mostly similar. You can look at
http://svn.plone.org/svn/collective/PASPlugins/apachepas/ for some
copy/paste code.

So: the easiest way is to let some trusted Apache plugin handle the hard
part and then laugh all the way to the bank with some 100-line
authentication plugin.

Reinout
--
Reinout van Rees
http://reinout.vanrees.org/
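
Added example, not part of the original message and not taken from apachepas: a stand-alone Python sketch of the header-trusting step described above, which accepts the `special_user` header only when the connection comes from the SSO front end. The loopback proxy address, the `HTTP_SPECIAL_USER` environ key and the function names are assumptions; the return shapes mirror what PAS extraction and authentication plugins return.

```python
import ipaddress

# Assumptions for this sketch (not from the original post): the front-end
# Apache runs on loopback and forwards the identity as the header
# "special_user", which a WSGI-style environ exposes as HTTP_SPECIAL_USER.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
HEADER_KEY = "HTTP_SPECIAL_USER"


def from_trusted_proxy(environ):
    """True only if the TCP peer is one of the SSO front ends."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def extract_credentials(environ):
    """Return {'login': ...}, or {} when the header must not be trusted."""
    if not from_trusted_proxy(environ):
        # A client connecting directly could set the header itself; ignore it.
        return {}
    login = environ.get(HEADER_KEY, "").strip()
    # Reject empty values, control characters and list/field separators.
    if not login or not login.isprintable() or any(c in login for c in ",; "):
        return {}
    return {"login": login}


def authenticate_credentials(credentials):
    """Return (user_id, login) or None; the front end already verified the user."""
    login = credentials.get("login")
    return (login, login) if login else None


# Constructed sample requests.
SAMPLES = [
    {"REMOTE_ADDR": "127.0.0.1", "HTTP_SPECIAL_USER": "alice"},    # via the proxy
    {"REMOTE_ADDR": "203.0.113.9", "HTTP_SPECIAL_USER": "admin"},  # direct, header set by client
    {"REMOTE_ADDR": "127.0.0.1"},                                  # no SSO session
]

if __name__ == "__main__":
    for env in SAMPLES:
        print(env.get("REMOTE_ADDR"), authenticate_credentials(extract_credentials(env)))
```

The peer-address check only holds if the front end also discards any client-supplied copy of the header before setting its own value.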