osanchezmon

Reputation: 544

Two Zope/Plone machines and SSO

I'm installing an environment where I had two Zope/Plone servers:

I want to implement SSO around both servers but I don't know how to do it. I tried to modify login_next and setAuthCookie(..) to share the __ac cookie in the domain, but it didn't work.

Does anyone know the best way to achieve it?

Thanks in advance, Oscar Sánchez.

Upvotes: 2

Views: 584

Answers (2)

Jean Jordaan

Reputation: 635

I haven't done this yet, but may need to do so. So this is what I've gathered so far.

CAS

Plone as CAS server and as CAS client.

PubCookie

See the Pubcookie documentation.

Here's a writeup of setting it up with Plone: Single Sign On with Pubcookie

More on pubcookie and plone: Setting up Apache, Plone, and Pubcookie -- but there are some crucial gaps. In this case, the authentication provider is something called UWNetID, but they don't talk about configuring that. In your case, that would be a Plone instance.

mod_auth_tkt

See the mod_auth_tkt documentation.

It works with plone.session.

Upvotes: 1
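The shared-secret ticket idea behind mod_auth_tkt and plone.session, as an added example that is not part of the answer above and is not either project's own code. The ticket layout is simplified and not byte-compatible with either; the secret, the `.example.org` domain and all function names are assumptions, and `__ac` is the cookie name from the question.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed demo secret (assumption): both instances would load the same
# random value from protected configuration, never from source code.
SHARED_SECRET = b"constructed-demo-secret"
DIGEST_LEN = 64  # length of an HMAC-SHA256 hex digest


def _sign(secret, timestamp, userid):
    # The MAC covers issue time and user id, so neither can be altered.
    msg = struct.pack("!I", timestamp) + userid.encode("utf-8")
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def create_ticket(secret, userid, now=None):
    """Issued by whichever instance handled the login form."""
    timestamp = int(time.time() if now is None else now)
    return "%s%08x%s" % (_sign(secret, timestamp, userid), timestamp, userid)


def validate_ticket(secret, ticket, timeout=3600, now=None):
    """Run by either instance; returns the user id, or None if rejected."""
    digest, ts_hex = ticket[:DIGEST_LEN], ticket[DIGEST_LEN:DIGEST_LEN + 8]
    userid = ticket[DIGEST_LEN + 8:]
    try:
        timestamp = int(ts_hex, 16)
    except ValueError:
        return None
    now = int(time.time() if now is None else now)
    if not userid or timestamp < 0 or not 0 <= now - timestamp < timeout:
        return None  # malformed, expired, or issued in the future
    expected = _sign(secret, timestamp, userid)
    if not hmac.compare_digest(digest.encode("utf-8"), expected.encode("utf-8")):
        return None  # forged or tampered
    return userid


def cookie_header(ticket, domain=".example.org"):
    # Domain scopes the cookie to every host under the parent domain;
    # Secure and HttpOnly keep it off plain HTTP and away from scripts.
    value = base64.urlsafe_b64encode(ticket.encode("utf-8")).decode("ascii")
    return "Set-Cookie: __ac=%s; Domain=%s; Path=/; Secure; HttpOnly" % (value, domain)
```

The cookie carries only a signed, expiring user id, so no password leaves the login request, and any instance holding the secret can verify the ticket without a shared session store.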

Ivo van der Wijk

Reputation: 16785

If both sites are on the same domain (but different subdomain), you can try to set the cookie on ".domain.tld". But I'm not sure if that will work - sending the original credentials as cookies is highly insecure, a session should be used instead, and you can't share this session between two different instances.

Have you considered something like OpenID, possibly with your own private OpenID provider? That basically implements simple SSO out of the box.

Upvotes: 0
