Plone and Single-Sign On - Active Directory and the Holy Grail

Plone and Single-Sign On

Matt Hamilton

Active Directory and the Holy Grail

Plone Open Garden 2013

Who am I?

• Working with Plone/Zope since 1999

• Director at Netsight in the UK

• Worked on a number of projects doing authentication over the years

What are we trying to do?

• Allow uses to be automatically logged in to a website without having to type in their username/password

Kerberos

• Developed by MIT many many years ago

• Used in Unix.... but also used on Windows, OSX, Linux

• Based on authentication ‘tickets’

Other approaches• Apache in front of Plone

- mod_kerberos

- mod_ntlm

- mod_authtkt / mod_pubcookie

• Plone on IIS

- Enfold proxy

- IISAPI

Why do it in Plone?

• Ultimate control over if/when to require authentication from a user

• Fallback to other authentication methods

• Mix of user sources

netsight.windowsauthplugin

• Runs on either Windows or Unix/Linux/OSX

• Windows: Uses Windows’ internal SSPI API

• Unix: Uses MIT Kerberos libraries

[buildout]...

eggs = ... netsight.windowsauthplugin

Recent Use-case

• Two departments of National Health Service are merging

• ...but their IT systems are still separate

• Two different Active Directory domains: CFH and IC

Recent Use-case• Half the users in one domain, half in the

• Both need to be automatically authenticated to a single, common intranet

• Need to allow fallback to manual username/password

How does Kerberos work?

Complex Setups

Member Properties

• Get data from Active Directory via LDAP

• Use plone.app.ldap

• Can use OpenLDAP as a proxy server

- Increased reliability

- Combine multiple LDAP/AD servers

- Caching

Questions?

• Matt Hamilton

• matth@netsight.co.uk

• @hammertoe

• https://github.com/netsight/netsight.windowsauthplugin

Plone and Single-Sign On - Active Directory and the Holy Grail

Documents

CI on large open source software : Plone & Plone 5 is here!

World Plone Day 2013 Tokyo, new version of Plone

Plone Screenshots

Plone - Revised Roadmap: Plone 3,4,5 and beyond - Dutch Plone Users Day (+AUDIO)

EC2 Plone Presentation - Plone Conference Washington DC, October 8,2008

Getting Plone Introduced Into Large Scale Business Operations Plone Conf Oct 2009

Plone intranet - World Plone Day 2015 Bologna

University Gent Plone Migration - Plone Tagung …...About Me • Python since 1993 • Plone since 2002 • Publishing since 1995 • Plone migrations last year: • 2 larger custom

Plone 3 Intranets - Packt Publishing · Plone 3 Intranets Plone is a highly ... However, it gives us sufficient information to have a broad knowledge of Plone. Chapter 4, ... organization,

Unloading Plone

Udal Plone

Getting Dates with Plone - Plone Conference 2008

Troubleshooting Plone

About Plone - Enfold Systems, the Plone Experts

Iterating Plone

GoogleDocs on Plone

Grail Blog: Grail Killers XXI

Upgrading a Plone 3 Theme for Plone 4: Beyond the Basics

Enterprise Single Sign-On. The Holy Grail of Computing - …€¦ · Enterprise Single Sign-On. The Holy Grail of Computing - Technical Brief. 4 . Introduction . The number of identities

Plone biblio