[Product-Developers] Re: Single sign on across heterogeneous systems

Rob Miller ra at burningman.com
Tue Jul 1 18:13:25 UTC 2008


Martin Aspeli wrote:
> Hi Rob,
> 
>> you don't state how much influence you have over the 'shop' 
>> application, but you mention having the site make an HTTP call to 
>> Plone so i'm going to assume that it's possible to do some custom 
>> coding on that side.
> 
> It is. I'm not writing it, but I can ask someone else to do some coding. 
> It's not written in Python, though.
> 
>> in the OpenPlans stack, which actually consists of several HTTP 
>> services all acting as a single 'site', we accomplish something like 
>> this by having all of our apps honor Plone's authentication cookie. 
> 
> Will this not only work if all the apps are on the same domain? The shop 
> is hosted on a completely separate infrastructure and will be DNS'd into 
> a subdomain.

If it's on a subdomain, you should be fine. If it's on a different domain 
altogether, it'd be trickier.

>> we have a custom PAS cookie auth plug-in which creates an auth cookie 
>> as a hash of the username and a secret key.  all of the apps have a 
>> copy of the secret, so they can verify that the cookie is to be 
>> trusted.  since your apps are going to be on the same domain, you can 
>> use a domain wildcard cookie and the remote hosted application will 
>> get it.
> 
> I see. Any documentation on how those work?

There's not much to document. You just set a cookie and explicitly use 
".yourdomain.com" as the cookie domain, rather than the FQDN, which is what 
the cookie will default to if you don't specify.

Here's the code for the OpenPlans PAS plug-in... This generates the cookie 
hash value and sets two cookies, one for the FQDN and one explicitly set to 
the domain that the browser_id_manager specifies, which in our case is 
".openplans.org". You can see both cookies in your browser when you're logged 
into the site.

http://trac.openplans.org/openplans/browser/opencore/trunk/opencore/auth/SignedCookieAuthHelper.py

Hope that's useful,

-r
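The scheme Rob describes (an auth cookie whose value is derived from the username and a secret shared by every app, set with a parent-domain Domain attribute so sibling subdomains receive it) in working form, as an added example that is not the OpenPlans SignedCookieAuthHelper code linked above. The cookie name, the ".example.com" domain, the secret and the eight-hour lifetime are all assumed for illustration. Two practitioner caveats are built in rather than left to the reader: the value is an HMAC over username and issue time rather than a bare hash of secret plus username (a bare H(secret || username) with an MD5/SHA-1 style hash is length-extendable, and a cookie with no timestamp never expires), and the verifier uses a constant-time comparison. The verifying side is exactly what a non-Python shop application would have to reimplement with the same secret.

```python
"""Shared-secret signed cookie: issued by one app, verified by any sibling app
on the same parent domain. Added example; not the OpenPlans plug-in code."""
import hashlib
import hmac
import time
from http.cookies import SimpleCookie
from typing import List, Optional

# Hypothetical values. Every application on the parent domain holds a copy of
# SHARED_SECRET, as the message describes for the OpenPlans apps.
SHARED_SECRET = b"replace-with-32-plus-random-bytes-shared-by-all-apps"
COOKIE_NAME = "__ac_signed"      # hypothetical cookie name
COOKIE_DOMAIN = ".example.com"   # stand-in for ".yourdomain.com"
TTL_SECONDS = 8 * 60 * 60        # assumed lifetime of a cookie


def _mac(secret: bytes, payload: bytes) -> str:
    # Keyed MAC instead of hash(secret + username): HMAC is not subject to
    # length extension and binds the whole payload, timestamp included.
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def make_cookie_value(username: str, issued: Optional[int] = None,
                      secret: bytes = SHARED_SECRET) -> str:
    """Build 'username:issued:mac'. The issuing app (Plone) calls this at login."""
    if issued is None:
        issued = int(time.time())
    payload = f"{username}:{issued}".encode()
    return f"{username}:{issued}:{_mac(secret, payload)}"


def verify_cookie_value(value: str, now: Optional[int] = None,
                        secret: bytes = SHARED_SECRET,
                        ttl: int = TTL_SECONDS) -> Optional[str]:
    """Return the username if the cookie is authentic and fresh, else None.

    Any app holding the shared secret (e.g. the shop) runs this per request.
    """
    try:
        # rsplit from the right so a username containing ':' still parses.
        username, issued_s, mac = value.rsplit(":", 2)
        issued = int(issued_s)
    except ValueError:
        return None
    expected = _mac(secret, f"{username}:{issued}".encode())
    # Constant-time comparison; a plain '==' leaks where the MACs diverge.
    if not hmac.compare_digest(mac, expected):
        return None
    if now is None:
        now = int(time.time())
    # Reject stale cookies and cookies "issued" in the future.
    if now - issued > ttl or issued > now + 60:
        return None
    return username


def set_cookie_headers(username: str, issued: Optional[int] = None) -> List[str]:
    """Produce the two Set-Cookie header values the message describes: one
    scoped to the FQDN (the browser default when Domain is omitted) and one
    scoped to the parent domain so sibling subdomains receive it."""
    value = make_cookie_value(username, issued)
    headers = []
    for domain in (None, COOKIE_DOMAIN):
        jar = SimpleCookie()
        jar[COOKIE_NAME] = value
        morsel = jar[COOKIE_NAME]
        morsel["path"] = "/"
        morsel["httponly"] = True   # keep it away from page scripts
        morsel["secure"] = True     # only send over TLS
        morsel["samesite"] = "Lax"
        if domain is not None:
            morsel["domain"] = domain
        headers.append(morsel.OutputString())
    return headers


if __name__ == "__main__":
    for header in set_cookie_headers("alice"):
        print("Set-Cookie:", header)
    cookie = make_cookie_value("alice", issued=1_700_000_000)
    print(verify_cookie_value(cookie, now=1_700_000_100))             # alice
    print(verify_cookie_value(cookie + "0", now=1_700_000_100))       # None: tampered
    print(verify_cookie_value(cookie, now=1_700_000_000 + 9 * 3600))  # None: expired
```

The leading dot in ".example.com" is the 2008-era convention the message uses; browsers that follow RFC 6265 ignore it and treat Domain=example.com as covering subdomains as well, so either spelling works today. The one thing a domain-scoped cookie cannot do is cross to an unrelated registrable domain, which is the "different domain altogether" case Rob calls trickier.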