Hi,
this is my solution for SSO for Zope by accepting SAP-SSO-Ticket.
SAP-SSO-Tickets are Cookies named MYSAPSSO2. They contain SAP-PortalUserName, SAP-Username, Validate-Time of the ticket and a signed signature by the issuing SAP-System.
Since we currently use CookieCrumbler and LDAPUserFolder it was my goal to let the CookieCrumbler take the MYSAPSSO2 Cookie from the Request, let it be validated by an external ticket verification service, store the validated TicketInfo in the SESSION variable and let LDAPUserFolder load the trusted PortalUser with roles from the LDAP-Directory.
Any comments or security discussion is welcome.
Zope 2.7.6, CookieCrumbler 1.2, LDAPUserFolder 2.5
Regards, Dirk
On 27 Jun 2005, at 22:27, Dirk Datzert wrote:
> Hi,
> this is my solution for SSO for Zope by accepting SAP-SSO-Ticket.
Apart from the fact that directly patching an existing product is never a good idea (subclass and override as needed is a much better solution), the creation of external HTTP requests within the product code is dangerous. Every time the request hangs (unforeseen network hiccup, server unavailable, etc., simple everyday stuff that is beyond anyone's control) you will have a hung thread. Four of them and you have a hung Zope.
jens
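
The hung-thread risk raised in the reply above, as an added example that is not part of either message or of the posted patch: a ticket check with a socket timeout that fails closed, plus a per-session cache so the external call is not repeated on every request. It is written for current Python 3 rather than Zope 2.7; the verifier's HTTP/JSON interface (`valid`, `portal_user`, `valid_until`), the function names, the `sap_ticket` session key and the local stub service are all assumptions made for illustration.

```python
import http.client, json, threading, time, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# No env-derived proxy: the ticket goes straight to the verifier.
_opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def verify_ticket(ticket, verify_url, timeout=2.0):
    """Return TicketInfo (dict) for a valid ticket, else None (fail closed)."""
    try:
        req = urllib.request.Request(verify_url, data=ticket.encode("ascii"))
        # timeout bounds the connect and each blocking socket read, so a
        # stalled verifier cannot hold a Zope worker thread indefinitely
        with _opener.open(req, timeout=timeout) as resp:
            info = json.loads(resp.read(65536))
    except (OSError, ValueError, http.client.HTTPException):
        return None  # timeout, refused, HTTP error, bad JSON: no login
    until = info.get("valid_until") if isinstance(info, dict) else None
    if not isinstance(until, (int, float)) or until <= time.time():
        return None
    if info.get("valid") is not True or not info.get("portal_user"):
        return None
    return info

def authenticate(session, cookies, verify_url, timeout=2.0):
    """Verify MYSAPSSO2 once, then reuse the cached TicketInfo until expiry."""
    ticket, cached = cookies.get("MYSAPSSO2"), session.get("sap_ticket")
    if ticket and cached and cached[0] == ticket and cached[1]["valid_until"] > time.time():
        return cached[1]
    info = verify_ticket(ticket, verify_url, timeout) if ticket else None
    session["sap_ticket"] = (ticket, info) if info else None
    return info

class _StubVerifier(BaseHTTPRequestHandler):  # constructed stand-in service
    def do_POST(self):
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path == "/hang":
            time.sleep(3)  # the stalled service described in the reply
        out = json.dumps({"valid": body == b"CONSTRUCTED-GOOD-TICKET",
                          "portal_user": "constructed_user",
                          "valid_until": time.time() + 60}).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(out)))
        self.end_headers()
        self.wfile.write(out)

def start_stub():
    srv = ThreadingHTTPServer(("127.0.0.1", 0), _StubVerifier)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]
```

The timeout applies per socket operation, not to the whole exchange, so a verifier that trickles bytes can still exceed it; an overall deadline needs a separate check.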