Plone and Single-Sign On - Active Directory and the Holy Grail

These are the slides of a talk I gave on Single Sign On in Plone via Active Directory using netsight.windowsauthplugin.

Plone and Single-Sign On
Active Directory and the Holy Grail
Matt Hamilton
Plone Open Garden 2013
Who am I?
• Working with Plone/Zope since 1999
• Director at Netsight in the UK
• Worked on a number of projects doing authentication over the years
What are we trying to do?
• Allow users to be automatically logged in to a website without having to type in their username/password
Kerberos
• Developed at MIT in the 1980s (Project Athena)
• Originally a Unix protocol, but now also used on Windows (it is the authentication protocol behind Active Directory), OS X and Linux
• Based on authentication ‘tickets’ issued by a Key Distribution Centre (KDC): the user's password is never sent to the web server
Other approaches
• Apache in front of Plone
- mod_auth_kerb (Kerberos/SPNEGO)
- mod_ntlm
- mod_auth_tkt / mod_pubcookie
• Plone on IIS
- Enfold Proxy
- an ISAPI filter
Why do it in Plone?
• Ultimate control over if/when to require authentication from a user (a web server in front of Plone would otherwise challenge on every request)
• Fallback to other authentication methods (e.g. the normal login form) when SSO is not available
• Mix of user sources, e.g. Active Directory users alongside local Plone users
netsight.windowsauthplugin
• Runs on either Windows or Unix/Linux/OSX
• Windows: Uses Windows’ internal SSPI API
• Unix: Uses MIT Kerberos libraries
```ini
[buildout]
...
eggs =
    ...
    netsight.windowsauthplugin
```
Recent Use-case
• Two parts of the National Health Service (NHS) are merging
• ...but their IT systems are still separate
• Two different Active Directory domains: CFH and IC
Recent Use-case
• Half the users are in one domain, half in the other
• Both need to be automatically authenticated to a single, common intranet
• Need to allow fallback to manual username/password login
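Serving two domains from one intranet needs one canonical Plone user id, reached both from the name that SSO produces (a `user@REALM` principal from GSSAPI on Unix, or typically `DOMAIN\user` from SSPI on Windows) and from whatever the user types into the fallback login form. The Python below is an added example written for this page, not code from netsight.windowsauthplugin or from the NHS project; the slide only names the domains CFH and IC, so the realm names, NetBIOS names and user-name rule are placeholders. It trusts only the two configured realms, refuses service principals such as `HTTP/host@REALM`, and keeps the two domains' name spaces apart so that a jsmith in CFH and a jsmith in IC become two different members.

```python
import re

# The slide names the two Active Directory domains only as CFH and IC; the Kerberos
# realm and NetBIOS names below are placeholders, not the real NHS names.
REALM_TO_DOMAIN = {"CFH.EXAMPLE.ORG": "cfh", "IC.EXAMPLE.ORG": "ic"}
NETBIOS_TO_DOMAIN = {"CFH": "cfh", "IC": "ic"}
# Conservative sAMAccountName shape; a local policy choice, not an AD rule.
USERNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$")


def canonical_userid(login, source):
    """Map an authenticated name (source="sso") or a login-form entry (source="form")
    to one Plone user id of the form user@domain, so the same person gets the same
    account whichever path they arrive by. Raises ValueError for anything that
    should not be allowed to log in."""
    if "\\" in login:
        # DOMAIN\user: what SSPI reports on Windows, or what a user types into the form.
        netbios, _, user = login.partition("\\")
        domain = NETBIOS_TO_DOMAIN.get(netbios.upper())
    elif "@" in login:
        user, _, realm = login.partition("@")
        if source == "sso":
            # Kerberos realms are case-sensitive and AD issues them in upper case:
            # compare exactly, so only tickets from the two trusted KDCs are accepted.
            domain = REALM_TO_DOMAIN.get(realm)
        else:
            domain = REALM_TO_DOMAIN.get(realm.upper())   # typed by a human: be lenient
    elif source == "form":
        # A bare user name is ambiguous with two domains; make the user say which one.
        raise ValueError("domain required: use DOMAIN\\user or user@domain")
    else:
        raise ValueError("authenticated name %r carries no domain" % login)
    if domain is None:
        raise ValueError("domain of %r is not one of ours" % login)
    if "/" in user:
        raise ValueError("service principals cannot log in")   # e.g. HTTP/host@REALM
    if not USERNAME_RE.match(user):
        raise ValueError("invalid user name %r" % user)
    # AD account names are case-insensitive; fold case or JSmith and jsmith become two members.
    return "%s@%s" % (user.lower(), domain)


def is_accepted(login, source):
    """True if canonical_userid would map this login to a member."""
    try:
        canonical_userid(login, source)
        return True
    except ValueError:
        return False
```

The same function serves both the SSO plugin and the login-form path, which is what keeps a member's content ownership and roles stable when someone logs in manually from a machine outside either domain.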
How does Kerberos work?
(three diagram slides; the diagrams are not reproduced in this transcript)
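As an added illustration of the HTTP side of the exchange that a plugin like this has to handle (my own Python example, not code from netsight.windowsauthplugin), the block below builds a constructed SPNEGO NegTokenInit of the shape a browser sends in `Authorization: Negotiate ...`, then makes the server-side decision: no header means answer 401 with `WWW-Authenticate: Negotiate`; a token whose first mechanism is Kerberos is handed on to GSSAPI/SSPI (not performed here, that needs a keytab and a reachable KDC); a token that is raw NTLM, or SPNEGO preferring NTLM, means the client could not get a service ticket (typical causes: no `HTTP/` SPN registered for the site, or the host not in the browser's Intranet zone) and the application falls back to the login form rather than silently accepting the weaker mechanism. The bytes inside the sample mechToken are placeholders, not a real AP-REQ.

```python
import base64

# DER contents (without the 0x06 tag and length) of the OIDs seen in Negotiate tokens.
OID_SPNEGO = "2b0601050502"           # 1.3.6.1.5.5.2
OID_KRB5 = "2a864886f712010202"       # 1.2.840.113554.1.2.2
OID_MS_KRB5 = "2a864882f712010202"    # 1.2.840.48018.1.2.2 (Microsoft's legacy Kerberos OID)
OID_NTLMSSP = "2b06010401823702020a"  # 1.3.6.1.4.1.311.2.2.10
MECH_NAMES = {OID_KRB5: "kerberos", OID_MS_KRB5: "kerberos", OID_NTLMSSP: "ntlm"}


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, value):
    return bytes([tag]) + der_len(len(value)) + value


def read_tlv(buf, pos=0):
    """Return (tag, value, end) for the DER element at buf[pos]; reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4 or pos + nbytes > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def build_negotiate_header(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit inside a GSS-API InitialContextToken, in the
    shape a browser sends; used here only to produce sample input."""
    mech_types = tlv(0x30, b"".join(tlv(0x06, bytes.fromhex(o)) for o in mech_oids))
    neg_init = tlv(0x30, tlv(0xA0, mech_types) + tlv(0xA2, tlv(0x04, mech_token)))
    gss = tlv(0x60, tlv(0x06, bytes.fromhex(OID_SPNEGO)) + tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(gss).decode()


def classify_negotiate(authorization):
    """Name the mechanism the client offered first, without verifying the token."""
    scheme, _, b64 = authorization.strip().partition(" ")
    if scheme.lower() != "negotiate" or not b64:
        raise ValueError("not a Negotiate authorization header")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):
        return {"mech": "ntlm", "offered": ["ntlm"]}   # raw NTLM, no SPNEGO wrapper at all
    tag, body, _ = read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    oid_tag, oid, pos = read_tlv(body)
    if oid_tag != 0x06:
        raise ValueError("missing mechanism OID")
    if oid.hex() in (OID_KRB5, OID_MS_KRB5):
        return {"mech": "kerberos", "offered": ["kerberos"]}   # bare Kerberos token
    if oid.hex() != OID_SPNEGO:
        raise ValueError("unknown GSS-API mechanism %s" % oid.hex())
    ctx_tag, neg_init, _ = read_tlv(body, pos)   # [0] negTokenInit
    if ctx_tag != 0xA0:
        raise ValueError("expected NegTokenInit")
    _, seq, _ = read_tlv(neg_init)
    types_tag, mech_types, _ = read_tlv(seq)     # [0] mechTypes comes first
    if types_tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, oid_list, _ = read_tlv(mech_types)
    offered, p = [], 0
    while p < len(oid_list):
        _, v, p = read_tlv(oid_list, p)
        offered.append(MECH_NAMES.get(v.hex(), "oid:" + v.hex()))
    # The mechToken belongs to the first listed mechanism, so that is what would be verified.
    return {"mech": offered[0] if offered else "unknown", "offered": offered}


def handle_request(headers, allow_ntlm=False):
    """Per-request decision: challenge, hand the token on, or fall back to the login form."""
    auth = headers.get("Authorization")
    if auth is None:
        return ("challenge", "Negotiate")   # 401 with WWW-Authenticate: Negotiate
    try:
        info = classify_negotiate(auth)
    except ValueError as exc:
        return ("form-login", "unusable token: %s" % exc)
    if info["mech"] == "ntlm" and not allow_ntlm:
        return ("form-login", "client offered NTLM rather than Kerberos")
    # A real implementation now calls GSSAPI accept_sec_context / SSPI AcceptSecurityContext.
    return ("accept", info["mech"], info["offered"])


# Constructed sample headers; the 200 zero bytes stand in for a Kerberos AP-REQ.
SAMPLE_KERBEROS = build_negotiate_header([OID_KRB5, OID_NTLMSSP], bytes(200))
SAMPLE_SPNEGO_NTLM = build_negotiate_header([OID_NTLMSSP], b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(27))
SAMPLE_RAW_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(27)).decode()
```

A quick field check follows from the same facts: a Kerberos or SPNEGO token is base64 that starts with `YI`, a raw NTLM one starts with `TlRMTVNT`; seeing the latter in the browser's request is the usual sign that the SPN or the zone setting is wrong, and logging it is cheap.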
Demo
![Page 16: Plone and Single-Sign On - Active Directory and the Holy Grail](https://reader036.vdocuments.us/reader036/viewer/2022062300/554bce36b4c9058f6c8b4950/html5/thumbnails/16.jpg)
Plone Open Garden 2013
Complex Setups
Member Properties
• Get member property data from Active Directory via LDAP
• Use plone.app.ldap
• Can put OpenLDAP in front of the domain controllers as a proxy server
- Increased reliability
- Combine multiple LDAP/AD servers (e.g. both domains) behind one endpoint
- Caching
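The property lookup is where a user-controlled string meets an LDAP filter: under SSO the account name comes from the KDC, but on the manual fallback path it comes from the login form. The Python below is an added example, not plone.app.ldap or plugin code; the per-domain base DNs behind the proxy and the attribute list are placeholders. It escapes the value per RFC 4515 and excludes disabled accounts with AD's bitwise matching rule, which also catches an account disabled after its holder obtained a Kerberos service ticket that is still within its lifetime.

```python
# RFC 4515 escaping for a value placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


# LDAP_MATCHING_RULE_BIT_AND and the ACCOUNTDISABLE bit (0x2) of userAccountControl.
BIT_AND_RULE = "1.2.840.113556.1.4.803"
ACCOUNTDISABLE = 2

# Assumed layout: one OpenLDAP proxy in front of both forests, each AD domain mounted
# under its own base DN. The DNs and attributes are placeholders for this example.
DOMAIN_BASES = {"cfh": "DC=cfh,DC=example,DC=org", "ic": "DC=ic,DC=example,DC=org"}
PROPERTY_ATTRS = ["sAMAccountName", "displayName", "mail", "department", "memberOf"]


def member_lookup(userid):
    """From a Plone user id of the form user@domain, return (base_dn, filter, attrs)
    for the member-properties search against the proxy. Disabled accounts are
    excluded server-side so a stale ticket holder gets no properties either."""
    user, _, domain = userid.partition("@")
    base = DOMAIN_BASES.get(domain)
    if base is None:
        raise ValueError("no directory configured for domain %r" % domain)
    flt = ("(&(objectCategory=person)(objectClass=user)"
           "(sAMAccountName=%s)"
           "(!(userAccountControl:%s:=%d)))"
           % (escape_filter_value(user), BIT_AND_RULE, ACCOUNTDISABLE))
    return base, flt, PROPERTY_ATTRS
```

The returned triple is what you would hand to a search on the proxy; `ldapsearch -H ldap://proxy -b <base_dn> '<filter>'` is the quickest way to confirm by hand that the filter returns exactly one entry, and that a deliberately malformed user name returns none.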
Questions?
• Matt Hamilton
• @hammertoe
• https://github.com/netsight/netsight.windowsauthplugin