[Product-Developers] Re: Single sign on across heterogenuous systems

Rob Miller ra at burningman.com
Tue Jul 1 00:16:50 UTC 2008

Martin Aspeli wrote:
> Hi all,
> I have a Plone site that will maintain a member database and content. 
> One part of the site will go off to a "white labelled" (i.e. same style 
> sheet and template) shop system hosted by a third party, on completely 
> separate infrastructure. The shop will live on shop.domain.com and the 
> Plone site on domain.com.
> I would like to support single sign-on and shared member data across 
> these two sites. In particular, users should only sign onto the Plone 
> site. When they enter the shop, they should appear logged in there if 
> they were logged into the Plone site (if they're not, there'll be a "log 
> in" link that goes back to the Plone site). Member data should only be 
> held in one place, the Plone site.
> The shop site thus needs some way to:
>  - Find out if the current user is logged into the Plone site
>  - Retrieve member data for the current user
> I'm wondering what the best approach for this might look like. The best 
> approach I can think of, is to always pass a unique, time-limited ID 
> from Plone site to shop when users click any link in the Plone site that 
> goes to the shop. This ID would be mapped to a Plone session. The site 
> then does a server-side call-back over HTTP to the Plone site, asking if 
> the user with the given ID has a valid session, and if so receiving 
> member data in the response.
> This may work, but it's a bit clunky. It won't work if users have 
> bookmarks to the shop or hit it via some other URL. And it may make 
> session theft easier.
> What better approaches are there? Do we have any tools for this? Could a 
> solution potentially be generalised (in which case I'd like to do so an 
> open source it).

you don't state how much influence you have over the 'shop' application, but 
you mention having the site make an HTTP call to Plone so i'm going to assume 
that it's possible to do some custom coding on that side.

in the OpenPlans stack, which actually consists of several HTTP services all 
acting as a single 'site', we accomplish something like this by having all of 
our apps honor Plone's authentication cookie.  we have a custom PAS cookie 
auth plug-in which creates an auth cookie as a hash of the username and a 
secret key.  all of the apps have a copy of the secret, so they can verify 
that the cookie is to be trusted.  since your apps are going to be on the same 
domain, you can use a domain wildcard cookie and the remote hosted application 
will get it.

if you want session timeouts, you could integrate a time component into the 
hash key generation, something that each side knows to change every 2 hours or 
so.  you can do whatever you want, as long as both apps have all the 
information needed to generate the hash key.

of course, you still have the matter of getting the shop app to redirect to 
the Plone login page when it needs to present a challenge.

as for sharing more detailed member info, HTTP calls back to Plone is probably 
the way to go.  or else use a custom PAS properties plug-in and store the info 
somewhere else, where the other app might have more direct access.


More information about the Product-Developers mailing list