[Zope-dev] SAP SSO feature for Zope/LDAPUserFolder

Mark Hammond mhammond at skippinet.com.au
Sun Jun 26 07:52:57 EDT 2005


> we have Zope 2.6.4 and 2.7.6 with LDAPUserFolder and
> CookieCrumbler in use.
>
> One of our next goals is to integrate the
> Single-Sign-On-Ticket feature of
> SAP-Portal.
>
> SAP sends a cookie called MYSAPSSO2, which contains a certified
> signature and
> the Login-Name of a user.
>
> Normally the Login-Name will be validated by LDAPUserFolder
> with password
> against LDAP-Directory and the roles of the user will be
> assigned to the
> user object.
>
> We now have an external web service which can validate the
> MYSAPSSO2-Ticket
> and return the Login-Name.
>
> I'm now looking for the best way to integrate/rewrite
> CookieCrumbler/LDAPUserFolder to take the validated
> Login-Name and read the
> roles of the user out of the LDAP directory.

I would suggest looking at PAS.  You would write an "extraction" plugin for
PAS, and use the PAS LDAPMultiPlugin (from dataflake) for user properties
and role/group enumeration.  Your PAS plugin then only has the job of
creating a "user id" suitable for use with the LDAP plugin (i.e., the same
'id' that LDAPUF is configured to use).  PAS has had a number of recent
changes - you should look at the CVS versions (of PAS and the dataflake
stuff) rather than the released versions if you want to avoid migration work
in the future.

http://www.zope.org/Members/urbanape/PluggableAuthService

mailing list at:

http://mail.zope.org/mailman/listinfo/zope-pas

Mark
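The plugin shape Mark describes, sketched as an added example that is not part of the original thread and not code from PAS or dataflake. It models the two PAS plugin interfaces involved (IExtractionPlugin.extractCredentials(request) returning a credentials dict, and IAuthenticationPlugin.authenticateCredentials(credentials) returning (user_id, login) or None) without importing Zope, so it runs stand-alone. The external validating web service from the question is stood in for by StubTicketService, whose ticket encoding (base64 of "login|HMAC") is a constructed toy and not the real MYSAPSSO2 format; the lowercase-login user id rule is likewise an assumption about how LDAPUserFolder is configured. The security-relevant points are that the login name is only ever taken from the validator's answer, never parsed out of the cookie by the plugin itself, and that the authenticator only vouches for credentials its own extractor produced, so a login submitted through another extractor (e.g. HTTP Basic without a password check) cannot ride on it.

```python
import base64
import hashlib
import hmac

COOKIE_NAME = "MYSAPSSO2"


class StubTicketService:
    """Stand-in for the external validating web service mentioned in the post.

    Assumption: the real service takes the MYSAPSSO2 ticket and either returns
    the login name or rejects it. The encoding used here (base64 of
    'login|hex-HMAC-SHA256') is a constructed toy for this demo, not the real
    MYSAPSSO2 ticket format.
    """

    def __init__(self, key: bytes):
        self._key = key

    def issue(self, login: str) -> str:
        mac = hmac.new(self._key, login.encode(), hashlib.sha256).hexdigest()
        return base64.b64encode(f"{login}|{mac}".encode()).decode()

    def validate(self, ticket: str):
        """Return the login name for a valid ticket, or None for anything else."""
        try:
            raw = base64.b64decode(ticket.encode(), validate=True).decode()
            login, mac = raw.split("|", 1)
        except (ValueError, UnicodeDecodeError):
            return None  # malformed ticket: treat exactly like a forged one
        expected = hmac.new(self._key, login.encode(), hashlib.sha256).hexdigest()
        return login if hmac.compare_digest(mac, expected) else None


def to_user_id(login: str) -> str:
    """Assumption: LDAPUserFolder/LDAPMultiPlugin use the lowercase login as the
    user id. Whatever rule LDAPUF is actually configured with must be used here,
    otherwise role/group enumeration will not find the user."""
    return login.strip().lower()


class SapSsoPlugin:
    """PAS-style plugin playing both IExtractionPlugin and IAuthenticationPlugin.

    Method names and return shapes follow the PAS plugin interfaces; the class
    deliberately does not subclass PAS's BasePlugin so it runs without Zope.
    """

    def __init__(self, plugin_id: str, service):
        self.id = plugin_id
        self._service = service

    def extractCredentials(self, request) -> dict:
        ticket = request.cookies.get(COOKIE_NAME)
        if not ticket:
            return {}
        login = self._service.validate(ticket)
        if login is None:
            # Tampered or expired ticket: return nothing so PAS falls through
            # to the other extractors (CookieCrumbler, HTTP Basic, ...).
            return {}
        # The login comes from the validator, never from the raw cookie.
        return {"login": login, "sso_ticket": ticket}

    def authenticateCredentials(self, credentials):
        # PAS tags credentials with the id of the extractor that produced them;
        # only vouch for logins that passed through our own ticket validation.
        if credentials.get("extractor") != self.id:
            return None
        login = credentials.get("login")
        if not login:
            return None
        return (to_user_id(login), login)


class FakeRequest:
    """Minimal stand-in for a Zope request: only .cookies is needed here."""

    def __init__(self, cookies):
        self.cookies = dict(cookies)


def authenticate(request, plugins):
    """Mimic the PAS extraction/authentication loop (as in PAS's _extractUserIds):
    run each extractor, stamp the credentials with the extractor id, then offer
    them to each authenticator. Returns the list of (user_id, login) results."""
    results = []
    for extractor in plugins:
        creds = extractor.extractCredentials(request)
        if not creds:
            continue
        creds["extractor"] = extractor.id
        for authenticator in plugins:
            found = authenticator.authenticateCredentials(creds)
            if found:
                results.append(found)
                break
    return results


if __name__ == "__main__":
    service = StubTicketService(b"shared-secret-with-validator")
    plugin = SapSsoPlugin("sap_sso", service)
    good = FakeRequest({COOKIE_NAME: service.issue("JDoe")})
    forged = FakeRequest({COOKIE_NAME: StubTicketService(b"other").issue("Admin")})
    print(authenticate(good, [plugin]))    # [('jdoe', 'JDoe')]
    print(authenticate(forged, [plugin]))  # []
```

In a real deployment the user id returned by authenticateCredentials is what PAS hands to the LDAP plugin's property and role/group enumeration, so the to_user_id rule has to match the id LDAPUF is configured to use exactly, as Mark notes; and the validator call should go to the external web service, with its failure (network error, non-200) treated the same as an invalid ticket rather than as a pass.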


