Shane Hathaway schreef:
* The SSO process should be very similar to an ordinary cookie-based login process. I don't want the user to have to enter their username on one form and their password on another, but that's the standard OpenID process.
* This will be implemented in Zope 3.
We are considering OpenID, Shibboleth, CAS, and any other mature system that others might suggest. Shibboleth seems like the most obvious fit, but it's nowhere near as popular as OpenID. I haven't yet looked at CAS in detail.
Alternatively, I have wondered if we actually need full-blown SSO; perhaps a carefully constructed domain-wide cookie would do the trick.
In the two cases where I've been involved in SSO, both times there was some apache module that could handle the actual SSO-part. The result from zope's viewpoint was either a special http header or a special cookie. Working from that header ("special_user=username_you_want") or cookie with similar contents is easy with zope2/plone's PAS and thus also zope2's authentication system which is mostly similar. You can look at http://svn.plone.org/svn/collective/PASPlugins/apachepas/ for some copy/paste code. So: easiest way is to let some trusted apache plugin handle the hard part and then laugh all the way to the bank with some 100-line authentication plugin. Reinout -- Reinout van Rees http://reinout.vanrees.org/