Shane Hathaway wrote:
> * The SSO process should be very similar to an ordinary cookie-based
> login process. I don't want the user to have to enter their username on
> one form and their password on another, but that's the standard OpenID
> process.
>
> * This will be implemented in Zope 3.
>
> We are considering OpenID, Shibboleth, CAS, and any other mature system
> that others might suggest. Shibboleth seems like the most obvious fit,
> but it's nowhere near as popular as OpenID. I haven't yet looked at CAS
> in detail.
>
> Alternatively, I have wondered if we actually need full-blown SSO;
> perhaps a carefully constructed domain-wide cookie would do the trick.

In the two cases where I've been involved in SSO, both times there was some Apache module that could handle the actual SSO part. The result from Zope's viewpoint was either a special HTTP header or a special cookie.

Working from that header ("special_user=username_you_want") or cookie with similar contents is easy with Zope2/Plone's PAS and thus also Zope2's authentication system which is mostly similar. You can look at http://svn.plone.org/svn/collective/PASPlugins/apachepas/ for some copy/paste code.

So: the easiest way is to let some trusted Apache plugin handle the hard part and then laugh all the way to the bank with some 100-line authentication plugin.

Reinout

--
Reinout van Rees http://reinout.vanrees.org/
_______________________________________________
Zope-Dev maillist - Zope-Dev@zope.org
http://mail.zope.org/mailman/listinfo/zope-dev
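
An added sketch, not code from apachepas or from the message above, of the header-trusting plugin the reply describes: it accepts the user name only when the request arrives from the front-end that did the SSO, then maps it to a known user. The header name `Special-User` (from the message's "special_user"), the loopback proxy address, the login pattern and all function names are assumptions.

```python
import ipaddress
import re

# Assumptions (not from the original message): the front-end Apache runs on
# loopback, forwards the login name in a "Special-User" request header (seen
# by the application as HTTP_SPECIAL_USER), and removes any copy of that
# header sent by the browser.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8")]
USER_HEADER = "HTTP_SPECIAL_USER"
VALID_LOGIN = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def from_trusted_proxy(environ):
    """True only if the TCP peer is the front-end that performed the SSO."""
    try:
        peer = ipaddress.ip_address(environ.get("REMOTE_ADDR", ""))
    except ValueError:
        return False
    return any(peer in net for net in TRUSTED_PROXIES)


def extract_credentials(environ):
    """Return {'login': ...} from the SSO header, or {} if it cannot be trusted."""
    if not from_trusted_proxy(environ):
        return {}  # the header could have been set by any client
    value = environ.get(USER_HEADER, "")
    # Repeated headers are commonly merged into "a, b"; the pattern rejects
    # that, along with empty values and control characters.
    if not VALID_LOGIN.fullmatch(value):
        return {}
    return {"login": value}


def authenticate(credentials, known_users):
    """Map extracted credentials to a (user_id, login) pair, or None."""
    login = credentials.get("login")
    if login is None or login not in known_users:
        return None
    return (known_users[login], login)


# Constructed sample requests.
USERS = {"alice": "uid-1001"}
via_proxy = {"REMOTE_ADDR": "127.0.0.1", "HTTP_SPECIAL_USER": "alice"}
direct = {"REMOTE_ADDR": "203.0.113.7", "HTTP_SPECIAL_USER": "alice"}
merged = {"REMOTE_ADDR": "127.0.0.1", "HTTP_SPECIAL_USER": "alice, admin"}

if __name__ == "__main__":
    for name, env in [("via_proxy", via_proxy), ("direct", direct), ("merged", merged)]:
        print(name, authenticate(extract_credentials(env), USERS))
```

The peer-address check only holds if the application port is unreachable except through the front-end, so the backend should listen on loopback or be firewalled accordingly.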