Shane Hathaway schreef:

> * The SSO process should be very similar to an ordinary cookie-based 
> login process.  I don't want the user to have to enter their username on 
> one form and their password on another, but that's the standard OpenID 
> process.
> * This will be implemented in Zope 3.
> We are considering OpenID, Shibboleth, CAS, and any other mature system 
> that others might suggest.  Shibboleth seems like the most obvious fit, 
> but it's nowhere near as popular as OpenID.  I haven't yet looked at CAS 
> in detail.
> Alternatively, I have wondered if we actually need full-blown SSO; 
> perhaps a carefully constructed domain-wide cookie would do the trick. 

In the two cases where I've been involved in SSO, both times there was 
some apache module that could handle the actual SSO-part. The result 
from zope's viewpoint was either a special http header or a special cookie.

Working from that header ("special_user=username_you_want") or cookie 
with similar contents is easy with zope2/plone's PAS and thus also 
zope2's authentication system which is mostly similar. You can look at for some 
copy/paste code.

So: easiest way is to let some trusted apache plugin handle the hard 
part and then laugh all the way to the bank with some 100-line 
authentication plugin.


Reinout van Rees

Zope-Dev maillist  -
**  No cross posts or HTML encoding!  **
(Related lists - )

Reply via email to