Has anyone any thoughts about how to go about Shibboleth-enabling a whole host of ZEO instances... without each one having an Apache server sitting in front of it? Or is there an alternative method out there that perhaps is not widely known?
We'd contemplated doing more work with PAS and Shibboleth to actually get Zope to do the equivalent of mod_shibboleth, but it never went anywhere. We stick Zope behind Apache (or some other proxying system - Squid, et al.) as a matter of course, so it was a no-brainer to just use mod_shibboleth in situ.
We've posted the contents (modulo any specific policy) of our Shibboleth implementation for PAS. It amounts to a few Scriptable Plugins to handle the specific HTTP headers that get scribbled on a Shibboleth session. Here's the message:
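
The header handling described in the post above, sketched as an added example (it is not the poster's Scriptable Plugins and not code from the original thread). The header names, the proxy address and the function names are assumptions; what it shows is that Shibboleth headers are honoured only when the request arrives from the front-end proxy that runs the Shibboleth module, since Zope cannot otherwise tell them from headers supplied by a client.

```python
import ipaddress
import re

# Assumptions (deployment-specific, not from the thread): the proxy address
# and the header names the Shibboleth module is configured to export.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
LOGIN_HEADER = "HTTP_EPPN"
SESSION_HEADER = "HTTP_SHIB_SESSION_ID"
ATTRIBUTE_HEADERS = {"HTTP_MAIL": "email", "HTTP_AFFILIATION": "affiliation"}


def from_trusted_proxy(environ):
    """True only if the TCP peer is one of the configured proxies."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def split_values(raw):
    """Shibboleth joins multi-valued attributes with ';' and escapes a
    literal semicolon as '\\;'."""
    parts = re.split(r"(?<!\\);", raw)
    return [p.replace("\\;", ";") for p in parts if p]


def extract_credentials(environ):
    """Return a credentials dict, or {} when the headers must be ignored."""
    if not from_trusted_proxy(environ):
        return {}  # headers from anywhere else are untrusted input
    session = environ.get(SESSION_HEADER, "").strip()
    login = environ.get(LOGIN_HEADER, "").strip()
    if not session or not login:
        return {}  # no Shibboleth session on this request
    creds = {"login": login, "shib_session": session}
    for header, name in ATTRIBUTE_HEADERS.items():
        value = environ.get(header, "").strip()
        if value:
            creds[name] = split_values(value)
    return creds


# Constructed sample requests: same headers, different TCP peer.
_HEADERS = {"HTTP_EPPN": "alice@example.edu",
            "HTTP_SHIB_SESSION_ID": "_constructed-session-id",
            "HTTP_AFFILIATION": "staff@example.edu;member@example.edu"}
SAMPLE_PROXIED = dict(_HEADERS, REMOTE_ADDR="127.0.0.1")
SAMPLE_DIRECT = dict(_HEADERS, REMOTE_ADDR="203.0.113.9")
```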