[Zope-dev] SAP SSO feature for Zope/LDAPUserFolder

Marco Bizzarri m.bizzarri at icube.it
Sun Jun 26 04:36:14 EDT 2005


Dirk Datzert wrote:
> Hi,
> 
> we have Zope 2.6.4 and 2.7.6 with LDAPUserFolder and CookieCrumbler in use.
> 
> One of our next goals is to integrate the Single-Sign-On-Ticket feature of
> SAP-Portal.
> 
> SAP sent a cookie called MYSAPSSO2 which contains a certified signature and
> the Login-Name of a user.
> 
> Normally the Login-Name will be validated by LDAPUserFolder with password
> against LDAP-Directory and the roles of the user will be assigned to the
> user object.
> 
> We have now an external web-service which can validate the MYSAPSSO2-Ticket
> and return the Login-Name.
> 
> I'm looking now for the best way to integrate/rewrite
> CookieCrumbler/LDAPUserFolder to take the validated Login-Name and read the
> roles of the user out of the LDAP-directory.
> 
> Any ideas ? Maybe comments by Jens or Shane ?
> 
> Regards,
> Dirk
> 

I'm not sure this could work for you... I've tried integrating Zope with 
an SSO system, which did not provide any authentication other than 
setting a correct REMOTE_USER in the REQUEST (we did it behind Apache).

We succeded by subclassing CookieCrumbler so that it was able to deal 
with those situations.

Also, we were working with Zope in Remote User Mode.

I can provide the code, if necessary.

Regards
Marco


More information about the Zope-Dev mailing list