[Zope-PAS] Re: Specific questions to PAS usage
Zachery Bir
zbir at urbanape.com
Tue Mar 1 22:17:53 EST 2005
On 2005-03-01 21:10:13 -0500, Scott Wilson
<s.wilson at bangor.ac.uk> said:

> This is what Shibboleth and Liberty are designed for... there is
> mention in the PAS docs of a plugin for Shibboleth, but it appears to
> be part of the commercial Zope4Edu package rather than the OSS
> release...

The Shibboleth plugin was intended to be a very general and smart
plugin, but the more we learned about Shibboleth in the wild, the more
it became apparent that it was more easily handled as a Scriptable
Plugin. We never finished the "pure python" plugin and it should be
excised from the docs. In our particular case, the Shib plugin
consisted of a credentials extractor/authenticator whose scripts looked
like this:

extractCredentials_body = """\
## Script (Python) "extractCredentials"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=request
##title=Extract credentials from a request
#
creds = {}
userid = request.get( 'HTTP_SHIB_USER_ID' )
username = request.get( 'HTTP_SHIB_USER_NAME' )

if userid and username:
    creds.update( { 'shib_id':userid
                  , 'shib_name':username
                  , 'from_shibboleth':1
                  }
                )

return creds
"""

authenticateCredentials_body = """\
## Script (Python) "authenticateCredentials"
##bind container=container
##bind context=context
##bind namespace=
##bind script=script
##bind subpath=traverse_subpath
##parameters=creds
##title=Authenticate a set of credentials
#
user_tuple = None

if creds.has_key( 'from_shibboleth' ):
    userid = creds.get( 'shib_id' )
    username = creds.get( 'shib_name' )
    user_tuple = ( userid, username )

return user_tuple
"""

Because each Shibboleth implementation is (or at least can be) unique
to the site, there was little point in exercising a big mapping UI of
"What HTTP header are you stuffing into the REQUEST and what do they
represent?" and "Do you want fries[1] with that?"

Like I said, it prolly ought to be pulled from the docs. The
implementation was so trivial (and so specific to our deployments) that
it wasn't worth generalizing.

Zac

[1] Properties, group affiliations, roles, &c
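
An added example, not part of the original post or of PAS: the two scripts accept whatever arrives in the HTTP_SHIB_* request variables, so they are only as trustworthy as whatever sets those variables. The sketch below restates the extractor/authenticator pair as plain Python functions that honour the variables only when the request's direct peer is a known Shibboleth front end; the dict standing in for the request, `TRUSTED_FRONTENDS`, `_clean` and the sample addresses are assumptions.

```python
# Added example: plain-Python stand-ins for the two PAS scripts in the post.
# The request is modelled as a dict of CGI-style variables (assumption).

# Hypothetical addresses of the front ends that run the Shibboleth module
# and set the HTTP_SHIB_* variables themselves on every request.
TRUSTED_FRONTENDS = frozenset(["127.0.0.1", "10.0.0.5"])


def _clean(value):
    """Return a stripped header value, or None if empty or malformed."""
    if not isinstance(value, str):
        return None
    value = value.strip()
    if not value or any(ord(ch) < 32 or ord(ch) == 127 for ch in value):
        return None
    return value


def extract_credentials(request, trusted=TRUSTED_FRONTENDS):
    """Same keys as the post's extractCredentials, plus an origin check."""
    creds = {}
    # Ignore the variables unless the direct peer is a known front end;
    # any other client could have supplied the headers itself.
    if request.get("REMOTE_ADDR") not in trusted:
        return creds
    userid = _clean(request.get("HTTP_SHIB_USER_ID"))
    username = _clean(request.get("HTTP_SHIB_USER_NAME"))
    if userid and username:
        creds.update({"shib_id": userid,
                      "shib_name": username,
                      "from_shibboleth": 1})
    return creds


def authenticate_credentials(creds):
    """Same contract as the post's authenticateCredentials."""
    if creds.get("from_shibboleth") != 1:
        return None
    return (creds["shib_id"], creds["shib_name"])


# Constructed sample requests (addresses and names are made up).
VIA_FRONTEND = {"REMOTE_ADDR": "10.0.0.5",
                "HTTP_SHIB_USER_ID": "jdoe",
                "HTTP_SHIB_USER_NAME": "Jane Doe"}
DIRECT_CLIENT = dict(VIA_FRONTEND, REMOTE_ADDR="203.0.113.7")
```

The peer check complements, and does not replace, having the front end discard any client-supplied copies of these headers before it sets its own.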