We have Zope 2.6.4 and 2.7.6 with LDAPUserFolder and CookieCrumbler in use.
One of our next goals is to integrate the Single Sign-On ticket feature of SAP Portal.
SAP sends a cookie called MYSAPSSO2 which contains a certified signature and the Login-Name of a user.
Normally the Login-Name is validated by LDAPUserFolder, together with the password, against the LDAP directory, and the roles of the user are assigned to the user object.
We now have an external web service which can validate the MYSAPSSO2 ticket and return the Login-Name.
I'm now looking for the best way to integrate/rewrite CookieCrumbler/LDAPUserFolder so that it takes the validated Login-Name and reads the user's roles out of the LDAP directory.
I would suggest looking at PAS. You would write an "extraction" plugin for PAS, and use the PAS LDAPMultiPlugin (from dataflake) for user properties and role/group enumeration. Your PAS plugin then only has the job of creating a "user id" suitable for use with the LDAP plugin (i.e., the same 'id' that LDAPUF is configured to use). PAS has had a number of recent changes - you should look at the CVS versions (of PAS and the dataflake stuff) rather than the released versions if you want to avoid migration work in the future.

http://www.zope.org/Members/urbanape/PluggableAuthService

Mailing list at: http://mail.zope.org/mailman/listinfo/zope-pas

Mark
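An added illustration (not code from this thread, PAS or dataflake) of the plugin role Mark describes: extract the MYSAPSSO2 cookie, have the external validation service turn it into a login id, and accept only credentials this plugin produced itself; roles then come from LDAPMultiPlugin's enumeration. The validator is a constructed stand-in for the web service, `FakeRequest` stands in for Zope's REQUEST, and a real plugin would subclass BasePlugin and declare IExtractionPlugin/IAuthenticationPlugin; only the method names follow PAS.

```python
class FakeRequest:
    """Constructed stand-in for Zope's REQUEST: only .cookies is used."""
    def __init__(self, cookies):
        self.cookies = dict(cookies)


def stub_validate_ticket(ticket):
    """Constructed stand-in for the external ticket-validation web service.
    A real validator verifies the ticket signature and expiry before returning
    the login name; here exactly one constructed ticket is accepted."""
    return {"sample-valid-ticket": "alice"}.get(ticket)


class SAPTicketPlugin:
    """Extraction + authentication pair using PAS method names (assumed shape;
    a real plugin subclasses Products.PluggableAuthService BasePlugin)."""

    def __init__(self, plugin_id, validate, cookie_name="MYSAPSSO2"):
        self.plugin_id = plugin_id
        self.validate = validate      # callable: ticket -> login name or None
        self.cookie_name = cookie_name

    def getId(self):
        return self.plugin_id

    def extractCredentials(self, request):
        ticket = request.cookies.get(self.cookie_name)
        if not ticket:
            return {}   # no ticket: leave the request to the other extractors
        login = self.validate(ticket)
        if not login:
            return {}   # invalid/expired: never fall back to a name read from the cookie
        # 'login' must be the same id LDAPMultiPlugin / LDAPUF is configured to key on;
        # PAS itself stamps the 'extractor' key, so it cannot be forged by a client.
        return {"login": login, "extractor": self.plugin_id}

    def authenticateCredentials(self, credentials):
        # Only trust credentials this plugin extracted: a password-less login
        # from basic auth or CookieCrumbler must not be authenticated here.
        if credentials.get("extractor") != self.plugin_id:
            return None
        login = credentials.get("login")
        return (login, login) if login else None   # (user_id, login) per PAS
```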