[Product-Developers] Single sign-on across heterogeneous systems

Laurence Rowe l at lrowe.co.uk
Tue Jul 1 10:22:24 UTC 2008

My personal favourite for this is mod_auth_tkt
(http://www.openfusion.com.au/labs/mod_auth_tkt/), as it seems to me the
simplest of the single sign-on systems. It is a simple shared-secret system
with signed cookies.

It installs as an Apache module (simple ./configure
--with-apxs=/usr/bin/apxs2; make; make install on Ubuntu). It works as a drop-in
substitute for basic authentication, so if the other application is running
in Apache there is nothing to change. If proxying, the X-Authenticated-User
header is set. It's possible to set the cookie domain to .domain.com to
support shop.domain.com and www.domain.com.

I've got a branch of plone.session here that implements the protocol (no
Apache required, but compatible - I'm using it to log users in Apache logs).

There is space in the cookie for user data, so you could easily put the full
name in here, or more if you want to extract it with regular expressions to
an Apache env variable. If you need more than this then I suggest just
looking up the metadata in another system (LDAP or SQL).

OpenID isn't really for this use case (a single system).

Because the non-Plone site can verify the cookie is valid, no callback needs
to be made to the Plone site. I don't know of any standards for doing HTTP
callbacks for user metadata; LDAP is the standard for this sort of data.


Martin Aspeli wrote:
> Hi all,
> I have a Plone site that will maintain a member database and content. 
> One part of the site will go off to a "white labelled" (i.e. same style 
> sheet and template) shop system hosted by a third party, on completely 
> separate infrastructure. The shop will live on shop.domain.com and the 
> Plone site on domain.com.
> I would like to support single sign-on and shared member data across 
> these two sites. In particular, users should only sign onto the Plone 
> site. When they enter the shop, they should appear logged in there if 
> they were logged into the Plone site (if they're not, there'll be a "log 
> in" link that goes back to the Plone site). Member data should only be 
> held in one place, the Plone site.
> The shop site thus needs some way to:
>   - Find out if the current user is logged into the Plone site
>   - Retrieve member data for the current user
> I'm wondering what the best approach for this might look like. The best 
> approach I can think of, is to always pass a unique, time-limited ID 
> from Plone site to shop when users click any link in the Plone site that 
> goes to the shop. This ID would be mapped to a Plone session. The site 
> then does a server-side call-back over HTTP to the Plone site, asking if 
> the user with the given ID has a valid session, and if so receiving 
> member data in the response.
> This may work, but it's a bit clunky. It won't work if users have 
> bookmarks to the shop or hit it via some other URL. And it may make 
> session theft easier.
> What better approaches are there? Do we have any tools for this? Could a 
> solution potentially be generalised (in which case I'd like to do so and 
> open source it).
> Cheers,
> Martin
> -- 
> Author of `Professional Plone Development`, a book for developers who
> want to work with Plone. See http://martinaspeli.net/plone-book
> _______________________________________________
> Product-Developers mailing list
> Product-Developers at lists.plone.org
> http://lists.plone.org/mailman/listinfo/product-developers

View this message in context: http://www.nabble.com/-Product-Developers--Single-sign-on-across-heterogenuous-systems-tp18205059s20094p18213304.html
Sent from the Product Developers mailing list archive at Nabble.com.
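As an added illustration (not code from Laurence's plone.session branch or from mod_auth_tkt itself), here is a Python sketch of the signed-ticket scheme the reply describes: the shop checks the cookie locally with the shared secret, so no callback to the Plone site is needed. It follows the mod_auth_tkt ticket layout as I understand it (32-hex-char double MD5 digest, 8-hex-char timestamp, user, optional tokens, user data); the secret, user names, the 0.0.0.0 ignore-IP convention and the clock-skew guard are constructed or assumed here, and byte-compatibility with a real mod_auth_tkt install is not verified.

```python
import hashlib
import hmac
import socket
import struct
import time

# Constructed sample secret; the real one is shared by the Plone issuer and
# the shop's Apache config (TKTAuthSecret) and is never sent to the browser.
SECRET = b"constructed-shared-secret"

def _digest(ip, ts, user, tokens, data, secret):
    # Assumed mod_auth_tkt layout: md5(md5(ip|ts|secret|user\0tokens\0data)|secret)
    ipts = struct.pack("!II", struct.unpack("!I", socket.inet_aton(ip))[0], ts)
    inner = ipts + secret + user.encode() + b"\0" + tokens.encode() + b"\0" + data.encode()
    return hashlib.md5(hashlib.md5(inner).hexdigest().encode() + secret).hexdigest()

def make_ticket(user, data="", tokens="", ip="0.0.0.0", ts=None, secret=SECRET):
    """Issuer side (Plone). ip=0.0.0.0 assumes the ignore-IP mode."""
    ts = int(time.time()) if ts is None else ts
    ticket = _digest(ip, ts, user, tokens, data, secret) + "%08x" % ts + user + "!"
    if tokens:
        ticket += tokens + "!"
    return ticket + data   # digest(32 hex) + ts(8 hex) + user!tokens!data

def parse_ticket(ticket, ip="0.0.0.0", secret=SECRET, timeout=7200, now=None):
    """Verifier side (shop): (user, tokens, data) if valid, else None.
    Only the shared secret is needed, no callback to the Plone site."""
    if len(ticket) < 41:
        return None
    digest, ts_hex, rest = ticket[:32], ticket[32:40], ticket[40:]
    try:
        ts = int(ts_hex, 16)
    except ValueError:
        return None
    parts = rest.split("!", 2)          # user!tokens!data or user!data
    if len(parts) == 3:
        user, tokens, data = parts
    elif len(parts) == 2:
        user, tokens, data = parts[0], "", parts[1]
    else:
        return None
    # Constant-time compare first; the timestamp sits inside the signed
    # material, so a client cannot extend its own ticket's lifetime.
    if not hmac.compare_digest(digest, _digest(ip, ts, user, tokens, data, secret)):
        return None
    now = int(time.time()) if now is None else now
    if now - ts > timeout or ts > now + 60:   # expired or clock-skewed future ticket
        return None
    return user, tokens, data
```

The cookie value would be set with domain .domain.com so that both www.domain.com and shop.domain.com receive it, and the shop side rejects any ticket whose digest or age does not check out.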