> we have Zope 2.6.4 and 2.7.6 with LDAPUserFolder and
> CookieCrumbler in use.
> One of our next goals is to integrate the
> Single-Sign-On-Ticket feature of
> SAP-Portal.
> SAP sent a cookie called MYSAPSSO2 which contains a certified
> signature and
> the Login-Name of a user.
> Normally the Login-Name will be validated by LDAPUserFolder
> with password
> against LDAP-Directory and the roles of the user will be
> assigned to the
> user object.
> We have now an external web-service which can validate the
> MYSAPSSO2-Ticket
> and return the Login-Name.
> I'm looking now for the best way to integrate/rewrite
> CookieCrumbler/LDAPUserFolder to take the validated
> Login-Name and read the
> roles of the user out of the LDAP-directory.

I would suggest looking at PAS.  You would write an "extraction" plugin for
PAS, and use the PAS LDAPMultiPlugin (from dataflake) for user properties
and role/group enumeration.  Your PAS plugin then only has the job of
creating a "user id" suitable for use with the LDAP plugin (ie, the same
'id' that LDAPUF is configured to use).  PAS has had a number of recent
changes - you should look at the CVS versions (of PAS and the dataflake
stuff) rather than the released versions if you want to avoid migration work
in the future.


mailing list at:



Zope-Dev maillist  -  Zope-Dev@zope.org
**  No cross posts or HTML encoding!  **
(Related lists - 
 http://mail.zope.org/mailman/listinfo/zope )

Reply via email to