[Zope-dev] Single Sign On

Shane Hathaway shane at hathawaymix.org
Tue Feb 17 19:06:53 EST 2009


I'm working with a customer on a single sign on (SSO) system for Zope. 
We haven't yet chosen which SSO system we want to use.  I would like to 
hear from anyone who has set up SSO with Zope.

We have some definite requirements:

* We can't accept arbitrary identities like OpenID normally does.  We 
need to set up our own identity provider (IDP) and force our servers to 
accept only identities provided by our own IDP.

* The SSO process should be very similar to an ordinary cookie-based 
login process.  I don't want the user to have to enter their username on 
one form and their password on another, but that's the standard OpenID 
process.

* This will be implemented in Zope 3.

We are considering OpenID, Shibboleth, CAS, and any other mature system 
that others might suggest.  Shibboleth seems like the most obvious fit, 
but it's nowhere near as popular as OpenID.  I haven't yet looked at CAS 
in detail.

Alternatively, I have wondered if we actually need full-blown SSO; 
perhaps a carefully constructed domain-wide cookie would do the trick. 
Any experiences with that?

Thanks to anyone who participates.

Shane

