At work we are meant to integrate a new SSO backend. Out of our reach, they decided in a model where the login/registration forms will be hosted on a different website, the user will login/register there and then get redirected back to our website (we will provide a redirect to URL).
Once the user lands on our website, potentially on any random page, it will have a cookie that will be used to authenticate the user on plone.
From what I'm seeing/understanding from Products.PluggableAuthService, that's not the model it expects. It rather expects that the login/registration will happen on Plone and the PAS backend will contact the external SSO system.
Is my understanding of PAS right? If so, did anyone have a similar scenario? How did you solve it?
We are thinking that an option would be that the redirect to URL parameter we are passing when redirecting the user to the login/registration external website could be a resolveuid-like URL that not only allows us to redirect the user back to the original content the user was before initiating the login/registration process, but it would also allow us to intercept the call, check if the external login cookie is there, and force the login there.
That means pushing the automatic login/registration logic onto a browser view rather than a PAS plugin, but maybe it's not that bad anyway and you get the job done?
Plone's session plugin (--> plone.session.plugins.session.SessionPlugin) is based on tktauth -- an SSO mechanism which works exactly as you describe it: via a cookie managed by any service component in the same domain.
By default, the session plugin (--> acl_users/sessions) is configured to operate stand alone. But, you can easily reconfigure it to cooperate with an external authenticator: for this you would need to define the cookie name and the shared secret used by the external authenticator.
Of course, direct use of Plone's session plugin would require the use of tktauth as your SSO mechanism. If this is not the case, then you could either emulate the approach of Plone's session plugin for your SSO mechanism or use a PAS plugin that takes authentication information from the web server (and use a plugin there compatible with your SSO mechanism).
Thanks for the answers! I was already looking at plone.session but I was failing to see how to stitch it all together, i.e. I can create a new PAS plugin based on plone.session and override extractCredentials to look for our specific cookie. With that cookie, I can reach out to the external SSO system to get the information about that user and pass it along.
Next would be to override the authenticateCredentials method and given the user information, either log the user in, or automatically create a user.
and with this... done?
The cookie, in our case, will contain a transfer token valid only for one single use and only for a minute, so I'm not sure if we need to expire the cookie (and if so, when?) or just let it expire on its own. Though within a minute one can make quite a lot of requests (especially thinking of assets, etc.).
I was also seeing that Plone itself has a plone.external_login_url setting to easily integrate the external login/logout system.
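The extractCredentials / authenticateCredentials pair sketched above, as an added example that is not from the thread or from plone.session: plain Python stands in for the PAS plugin base class, the request/response are dicts, and the cookie name, shared secret and "userid|timestamp|hmac" token layout are assumptions. It enforces the single-use and one-minute rules from the follow-up and clears the transfer cookie once the token is consumed, so the many asset requests that follow within the minute no longer carry it.

```python
import base64
import hashlib
import hmac
import time

SHARED_SECRET = b"replace-with-secret-shared-with-sso-host"  # assumption
TOKEN_TTL = 60            # transfer token is valid for one minute, as in the post
COOKIE_NAME = "sso_transfer"  # assumed name of the cookie set by the SSO host


def issue_transfer_token(userid, now=None):
    """Stand-in for what the external SSO host puts in the cookie."""
    ts = int(time.time() if now is None else now)
    msg = f"{userid}|{ts}".encode()
    sig = hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(msg + b"|" + sig.encode()).decode()


class TransferCookiePlugin:
    """Mimics the two PAS methods the follow-up plans to override."""

    def __init__(self):
        # Consumed tokens; a real plugin must persist this (e.g. in the ZODB)
        # so replay is also refused across ZEO clients / restarts.
        self._used = set()

    def extractCredentials(self, request):
        token = request.get("cookies", {}).get(COOKIE_NAME)
        return {"transfer_token": token} if token else {}

    def authenticateCredentials(self, credentials, now=None):
        token = credentials.get("transfer_token")
        if not token:
            return None
        try:
            userid, ts, sig = base64.urlsafe_b64decode(token).decode().split("|")
            ts = int(ts)
        except (ValueError, UnicodeDecodeError):
            return None                                   # malformed token
        msg = f"{userid}|{ts}".encode()
        expected = hmac.new(SHARED_SECRET, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None                                   # forged or tampered
        now = time.time() if now is None else now
        if now - ts > TOKEN_TTL or token in self._used:
            return None                                   # expired or replayed
        self._used.add(token)
        return (userid, userid)                           # PAS-style (userid, login)


def login_from_transfer_cookie(plugin, request, response, now=None):
    """Consume the token once, then drop the cookie so later requests omit it."""
    result = plugin.authenticateCredentials(plugin.extractCredentials(request), now)
    if result is not None:
        response.setdefault("expired_cookies", []).append(COOKIE_NAME)
    return result
```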