Question

I'm installing an environment where I have two Zope/Plone servers:

  • plone1 -> for web content & user authentication
  • plone2 -> for web applications

I want to implement SSO around both servers, but I don't know how to do it. I tried to modify login_next and setAuthCookie(..) to share the __ac cookie in the domain, but it didn't work.

Does anyone know the best way to achieve it?

Thanks in advance, Oscar Sánchez.


Solution

I haven't done this yet, but may need to do so. So this is what I've gathered so far.

CAS

Plone as CAS server and as CAS client.

PubCookie

See the Pubcookie documentation.

Here's a writeup of setting it up with Plone: Single Sign On with Pubcookie

More on pubcookie and plone: Setting up Apache, Plone, and Pubcookie -- but there are some crucial gaps. In this case, the authentication provider is something called UWNetID, but they don't talk about configuring that. In your case, that would be a Plone instance.

mod_auth_tkt

See the mod_auth_tkt documentation.

It works with plone.session.
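The idea behind a shared-ticket setup such as mod_auth_tkt with plone.session, as an added example that is not part of the original answer and not the wire format of either project: one server issues a signed, time-stamped ticket, and any server holding the same secret can verify it without seeing the password. The ticket layout, the secret, the one-hour lifetime and the `.domain.tld` cookie domain are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import time

SHARED_SECRET = b"constructed-demo-secret"  # assumption: same secret on plone1 and plone2
MAX_AGE = 3600                               # assumed ticket lifetime in seconds


def create_ticket(secret, userid, now=None):
    """Issue a ticket: 64 hex chars of HMAC-SHA256 + 8 hex chars of timestamp + userid."""
    ts = int(time.time() if now is None else now)
    payload = "%08x" % ts + userid
    mac = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    return mac + payload


def validate_ticket(secret, ticket, now=None, max_age=MAX_AGE):
    """Return the userid if the ticket is authentic and still fresh, otherwise None."""
    now = int(time.time() if now is None else now)
    mac, payload = ticket[:64], ticket[64:]
    if len(mac) != 64 or len(payload) < 9:
        return None
    expected = hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison, done on bytes so odd input cannot raise.
    if not hmac.compare_digest(mac.encode("utf-8"), expected.encode("utf-8")):
        return None
    try:
        ts = int(payload[:8], 16)
    except ValueError:
        return None
    if not 0 <= now - ts <= max_age:  # rejects expired and future-dated tickets
        return None
    return payload[8:]


def auth_cookie(ticket, domain=".domain.tld", name="__ac"):
    """Build a Set-Cookie value scoped to the parent domain so both hosts receive it."""
    value = base64.urlsafe_b64encode(ticket.encode("utf-8")).decode("ascii")
    return "%s=%s; Domain=%s; Path=/; Secure; HttpOnly" % (name, value, domain)


if __name__ == "__main__":
    t = create_ticket(SHARED_SECRET, "oscar")          # issued by plone1
    print(auth_cookie(t))
    print(validate_ticket(SHARED_SECRET, t))           # accepted by plone2
    print(validate_ticket(SHARED_SECRET, t[:72] + "admin"))  # tampered userid -> None
```

The cookie carries only the signed ticket, never the user's credentials, and both servers must be served over HTTPS for the `Secure` flag to protect it in transit.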

OTHER TIPS

If both sites are on the same domain (but different subdomains), you can try to set the cookie on ".domain.tld". But I'm not sure if that will work - sending the original credentials as cookies is highly insecure, a session should be used instead, and you can't share this session between two different instances.

Have you considered something like OpenID, possibly with your own private OpenID provider? That basically implements simple SSO out of the box.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow