> We have Zope 2.6.4 and 2.7.6 with LDAPUserFolder and CookieCrumbler in use.
>
> One of our next goals is to integrate the Single-Sign-On-Ticket feature of SAP-Portal.
>
> SAP sends a cookie called MYSAPSSO2 which contains a certified signature and the Login-Name of a user.
>
> Normally the Login-Name is validated by LDAPUserFolder with a password against the LDAP directory, and the roles of the user are assigned to the user object.
>
> We now have an external web service which can validate the MYSAPSSO2 ticket and return the Login-Name.
>
> I'm now looking for the best way to integrate/rewrite CookieCrumbler/LDAPUserFolder to take the validated Login-Name and read the roles of the user out of the LDAP directory.
I would suggest looking at PAS. You would write an "extraction" plugin for PAS, and use the PAS LDAPMultiPlugin (from dataflake) for user properties and role/group enumeration. Your PAS plugin then only has the job of creating a "user id" suitable for use with the LDAP plugin (i.e., the same 'id' that LDAPUF is configured to use).

PAS has had a number of recent changes - you should look at the CVS versions (of PAS and the dataflake stuff) rather than the released versions if you want to avoid migration work in the future.

http://www.zope.org/Members/urbanape/PluggableAuthService

Mailing list at: http://mail.zope.org/mailman/listinfo/zope-pas

Mark

_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
** No cross posts or HTML encoding! **
(Related lists -
http://mail.zope.org/mailman/listinfo/zope-announce
http://mail.zope.org/mailman/listinfo/zope )
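The extraction plugin Mark describes, as an added example that is not code from the thread or from PAS itself: the plugin reads the MYSAPSSO2 cookie, hands the ticket to the external validation service, and only then yields the login as the credential; a matching authentication step maps that credential to the user id the LDAP plugin expects. It is written as plain Python so it runs without Zope: the PAS base class and interface declarations are omitted, `validate_ticket` stands in for the web service, and `FakeRequest` and the sample ticket are constructed here.

```python
class MySapSso2Extractor:
    """Core of a PAS-style extraction + authentication plugin for MYSAPSSO2.

    Assumption: validate_ticket(ticket) calls the external web service and
    returns the login name for a valid ticket, or None otherwise. The login
    name embedded in the cookie itself is never used; only the validator's
    answer is trusted, since the cookie's signature is checked there.
    """
    cookie_name = 'MYSAPSSO2'
    marker = 'mysapsso2_ticket'   # credential key only this plugin sets

    def __init__(self, validate_ticket):
        self._validate = validate_ticket

    def extractCredentials(self, request):
        # IExtractionPlugin: return a credentials dict, or {} when the
        # cookie is absent or the service rejects the ticket.
        ticket = request.cookies.get(self.cookie_name)
        if not ticket:
            return {}
        login = self._validate(ticket)
        if not login:
            return {}
        return {'login': login, self.marker: ticket}

    def authenticateCredentials(self, credentials):
        # IAuthenticationPlugin: accept only credentials this extractor
        # produced, so a plain {'login': ...} dict from another extractor
        # (e.g. a login form without a password) is never auto-accepted.
        if self.marker not in credentials:
            return None
        login = credentials['login']
        # (user_id, login); user_id must match what LDAPMultiPlugin uses.
        return (login, login)


class FakeRequest:
    """Constructed stand-in for a Zope request exposing .cookies."""
    def __init__(self, cookies):
        self.cookies = cookies


def demo_validator(ticket):
    """Constructed stand-in for the validation web service."""
    return {'good-ticket': 'jdoe'}.get(ticket)


def demo(ticket):
    """Run extraction then authentication for one cookie value."""
    plugin = MySapSso2Extractor(demo_validator)
    creds = plugin.extractCredentials(FakeRequest({'MYSAPSSO2': ticket}))
    return plugin.authenticateCredentials(creds) if creds else None
```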