We have a Plone site with collective.saml2 installed for Single Sign On. The Plone site has subsites on separate domains (i.e. birds.com and flyinganimals.com), and we are trying to make it work for each domain name.
When we add a second Saml authority object to the Plone site (in another subsite), the pre-existing Saml authority object stops working. We're looking into it, debugging and seeing if we can make it work, but I thought I'd just shoot a quick question here: Does anyone have experience using collective.saml2 + subsites, and if yes, do you have any pointers?
The linkage between the (SAML2) role describing objects and the (SAML2) authority happens via Zope utility lookups. As such it heavily depends on Zope's "localsitemanager
In principle, it should not be possible to create a second SAML authority in the same ("localsitemanager") site; however, there might be a bug here with the new authority overriding the old one.
When you access an SAML role object, it will always find (via utility lookup) the SAML authority registered in the nearest site ancestor. If this authority object has been created after the role object, then it does not know about it and will be unable to work correctly with it.
There is a complex interdependence between the authority and its role objects; sufficiently complex to induce problems (I know about such problems for deletion and copying):
- The role object depends on the authority object; the link is resolved by Zope utility (Interface) lookup.
- The authority depends on its role objects; for this purpose, it maintains a mapping "role type -> path to the role object".
If something happens to break these dependencies (e.g. put a new authority between the role object and its authority), then the functionality is no longer guaranteed.
You should not have (SAML2) problems in case each of your sites is a "localsitemanager" site (i.e. has its own local utility registry) and has its own SAML authority and associated SAML role objects.
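As an added illustration (constructed for this thread, not collective.saml2 or zope.component code), a small Python model of the lookup chain the answer describes: each site owns a utility registry, a role object resolves its authority via the nearest ancestor site, and the authority keeps a "role type -> path" mapping. `orphaned_roles` is the check that reveals roles whose currently resolved authority does not know them.

```python
from typing import Dict, List, Optional, Tuple

class Authority:
    def __init__(self, path: str) -> None:
        self.path = path
        self.roles: Dict[str, str] = {}   # role type -> path of the role object

class Site:
    """Model of a 'localsitemanager' site: owns a utility registry and roles."""
    def __init__(self, name: str, parent: Optional["Site"] = None) -> None:
        self.name, self.parent = name, parent
        self.authority: Optional[Authority] = None
        self.roles: List[Tuple[str, str]] = []   # (role type, path)

    def register_authority(self, auth: Authority) -> None:
        # A second registration for the same interface replaces the first.
        self.authority = auth

    def lookup_authority(self) -> Optional[Authority]:
        # Utility lookup: the nearest ancestor site with an authority wins.
        site: Optional[Site] = self
        while site is not None:
            if site.authority is not None:
                return site.authority
            site = site.parent
        return None

    def add_role(self, role_type: str, path: str) -> None:
        # Only the authority visible at creation time records the new role.
        self.roles.append((role_type, path))
        auth = self.lookup_authority()
        if auth is not None:
            auth.roles[role_type] = path

def orphaned_roles(*sites: Site) -> List[str]:
    """Paths of roles whose resolved authority does not list them."""
    return [path for s in sites for rt, path in s.roles
            if (a := s.lookup_authority()) is None or a.roles.get(rt) != path]

def demo_shared_registry() -> List[str]:
    # Both subsites share one registry: the second authority shadows the first.
    plone = Site("plone")
    plone.register_authority(Authority("/plone/birds/saml"))
    plone.add_role("sp", "/plone/birds/sp-role")
    plone.register_authority(Authority("/plone/flying/saml"))  # replaces
    return orphaned_roles(plone)          # ['/plone/birds/sp-role']

def demo_separate_sites() -> List[str]:
    # Each subsite is its own local site with its own authority and roles.
    plone = Site("plone")
    birds, flying = Site("birds", plone), Site("flying", plone)
    for site in (birds, flying):
        site.register_authority(Authority(f"/plone/{site.name}/saml"))
        site.add_role("sp", f"/plone/{site.name}/sp-role")
    return orphaned_roles(birds, flying)  # []
```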