RE: [Zope-dev] SAP SSO feature for Zope/LDAPUserFolder
> we have Zope 2.6.4 and 2.7.6 with LDAPUserFolder and CookieCrumbler in use.
>
> One of our next goals is to integrate the Single-Sign-On-Ticket feature of SAP-Portal.
>
> SAP sent a cookie called MYSAPSSO2 which contains a certified signature and the Login-Name of a user.
>
> Normally the Login-Name will be validated by LDAPUserFolder with password against LDAP-Directory and the roles of the user will be assigned to the user object.
>
> We have now an external web-service which can validate the MYSAPSSO2-Ticket and return the Login-Name.
>
> I'm looking now for the best way to integrate/rewrite CookieCrumbler/LDAPUserFolder to take the validated Login-Name and read the roles of the user out of the LDAP-directory.

I would suggest looking at PAS. You would write an "extraction" plugin for PAS, and use the PAS LDAPMultiPlugin (from dataflake) for user properties and role/group enumeration. Your PAS plugin then only has the job of creating a "user id" suitable for use with the LDAP plugin (ie, the same 'id' that LDAPUF is configured to use).

PAS has had a number of recent changes - you should look at the CVS versions (of PAS and the dataflake stuff) rather than the released versions if you want to avoid migration work in the future.

http://www.zope.org/Members/urbanape/PluggableAuthService
mailing list at: http://mail.zope.org/mailman/listinfo/zope-pas

Mark

___
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists - http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
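As an added example (not code from this thread, nor from PAS or the dataflake plugins), here is a minimal Python sketch of the extraction plugin Mark describes: it reads the MYSAPSSO2 cookie, hands the ticket to the external validation service (modelled as an injected callable, an assumption) and only then produces credentials, marking them so that a password-checking plugin never treats them as already authenticated. It assumes LDAPUF is configured to use the login name as the user id; in PAS the class would subclass BasePlugin and declare IExtractionPlugin and IAuthenticationPlugin.

```python
from types import SimpleNamespace

COOKIE_NAME = "MYSAPSSO2"

class SAPSSOPlugin:
    """PAS-style extraction + authentication plugin for the SAP SSO cookie."""

    def __init__(self, validate_ticket):
        # validate_ticket(ticket) -> login or None; stands in for the external
        # MYSAPSSO2 validation web service (assumed interface).
        self._validate_ticket = validate_ticket

    def extractCredentials(self, request):
        """IExtractionPlugin contract: return a credentials dict, or {}."""
        ticket = request.cookies.get(COOKIE_NAME)
        if not ticket:
            return {}
        try:
            login = self._validate_ticket(ticket)
        except Exception:
            return {}  # fail closed if the validation service errors out
        if not login:
            return {}  # invalid or expired ticket: no credentials at all
        # The login is taken from the validator's answer, never parsed out of
        # the cookie itself; the marker records that no password was checked.
        return {"login": login, "sso_validated": True}

    def authenticateCredentials(self, credentials):
        """IAuthenticationPlugin contract: return (user_id, login) or None."""
        if not credentials.get("sso_validated"):
            return None  # password-style credentials belong to the LDAP plugin
        login = credentials["login"]
        # Assumption: LDAPUF is configured to use the login attribute as the
        # user id, so the id handed to the LDAP plugin is the login itself.
        return (login, login)

# Constructed sample tickets; a real validator would call the web service.
_SAMPLE_TICKETS = {"ticket-abc": "jdoe"}

def demo_validator(ticket):
    return _SAMPLE_TICKETS.get(ticket)

def login_for_cookie(cookie_value, validator=demo_validator):
    """Run extraction and authentication for one cookie value (or None)."""
    plugin = SAPSSOPlugin(validator)
    cookies = {COOKIE_NAME: cookie_value} if cookie_value else {}
    creds = plugin.extractCredentials(SimpleNamespace(cookies=cookies))
    return plugin.authenticateCredentials(creds) if creds else None
```

Role and group lookup stays with the LDAP plugin, which only ever sees the user id returned here; a ticket the service rejects, or a service that is down, yields no credentials rather than a fallback login.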
Re: [Zope-dev] SAP SSO feature for Zope/LDAPUserFolder
Dirk Datzert wrote:
> Hi,
>
> we have Zope 2.6.4 and 2.7.6 with LDAPUserFolder and CookieCrumbler in use.
>
> One of our next goals is to integrate the Single-Sign-On-Ticket feature of SAP-Portal.
>
> SAP sent a cookie called MYSAPSSO2 which contains a certified signature and the Login-Name of a user.
>
> Normally the Login-Name will be validated by LDAPUserFolder with password against LDAP-Directory and the roles of the user will be assigned to the user object.
>
> We have now an external web-service which can validate the MYSAPSSO2-Ticket and return the Login-Name.
>
> I'm looking now for the best way to integrate/rewrite CookieCrumbler/LDAPUserFolder to take the validated Login-Name and read the roles of the user out of the LDAP-directory.
>
> Any ideas ? Maybe comments by Jens or Shane ?
>
> Regards,
> Dirk

I'm not sure this could work for you... I've tried integrating Zope with an SSO system, which did not provide any authentication other than setting a correct REMOTE_USER in the REQUEST (we did it behind Apache). We succeeded by subclassing CookieCrumbler so that it was able to deal with those situations. Also, we were working with Zope in Remote User Mode. I can provide the code, if necessary.

Regards
Marco
Re: [Zope-dev] SAP SSO feature for Zope/LDAPUserFolder
> I'm looking now for the best way to integrate/rewrite CookieCrumbler/LDAPUserFolder to take the validated Login-Name and read the roles of the user out of the LDAP-directory.

What *specifically* does not work? Have you tried it and developed a list of features that are missing for it to work?

jens
[Zope-dev] SAP SSO feature for Zope/LDAPUserFolder
Hi,

we have Zope 2.6.4 and 2.7.6 with LDAPUserFolder and CookieCrumbler in use.

One of our next goals is to integrate the Single-Sign-On-Ticket feature of SAP-Portal.

SAP sent a cookie called MYSAPSSO2 which contains a certified signature and the Login-Name of a user.

Normally the Login-Name will be validated by LDAPUserFolder with password against LDAP-Directory and the roles of the user will be assigned to the user object.

We have now an external web-service which can validate the MYSAPSSO2-Ticket and return the Login-Name.

I'm looking now for the best way to integrate/rewrite CookieCrumbler/LDAPUserFolder to take the validated Login-Name and read the roles of the user out of the LDAP-directory.

Any ideas ? Maybe comments by Jens or Shane ?

Regards,
Dirk