Has anyone created/investigated Plone PAS plug-in for Amazon AWS Cognito?

,

For almost a decade we've leveraged Plone instances to run like app-engines (custom plugins integrated with content).
To separate the 'apps' out of one monolithic Plone instance we want to use Amazon's AWS Cognito which provides UserPools and single-sign-on to modern apps and a solid API.
I'm presuming that even if we used Volto with headless Plone we'd still need PlonePAS to do the authentication.

I failed to find anything when I searched for plug ins, so I'm wondering if anyone has tried to integrate Cognito with Plone?

1 Like

Authentication is handled on the backend and yes, it would require a PAS plugin for Cognito.

I am not aware of a Cognito PAS plugin but writing a PAS plugin is usually not that hard but debugging PAS issues and PAS plugin issues can be a major pain.

The Boto 3 module for Python and GitHub - capless/warrant: Python library for using AWS Cognito. With support for SRP. are perhaps the first place for checking integration options.

Thank you A.J. That's helpful.

We're experiencing some of that difficulty even with the LDAP plugins.

Surely I can't be the only one who needs single-sign-on between Plone instances (especially of different versions) and/or other apps.

How are the rest of you dealing with this?

I have made AWS cognito auth for Pyramid. I think you need to make a new PAS plugin for Plone. It may take few days, if you have some experience with PAS.

1 Like

@IanFHood occasionally I hear someone ask about SSO but I have not seen an implementation of SSO for Plone and the only traces I found of one were from Matt Hamilton ages ago. Usually clients end up using LDAP.

The WebServerAuth method is the only SSO tool I've seen in action a lot, but it really is in Apache before anything touches Plone.

(Each time a client would float the idea of getting an SSO implementation, I'd gleefully anticipate working on it, only to have the request fall by the wayside because of reprioritization)

Dylan reported about SSO based on SAML2 (and MS federation services, I think). dm.zope.saml2 provides SAML2 support for Plone.

1 Like

It would be lovely ™ if someone wanted to put together a draft page explaining the current state of Plone/SSO

We've used both dm.zope.saml2 and authticket for SSO between two Plones. authticket is built into Plone and is the cheats way out. It requires both plones to run on the same domain. SAML2 involves a bit more redirects during login but otherwise works pretty seamlessly.

dm.zope.saml2 works by installing some zope objects in the ZMI and configuring them differently on Identity provider (where the password is kept) vs the service provider (the one you never log into).
I documented all this in https://github.com/collective/collective.saml2 (which adds a few things to make installation easier also).

As far as I know dieters package is the only one that has both sides of the SSO to allow Plone to Plone SSO, at least with SAML2 (a SSO standard that Active directory federated services and office365 used for example). There are other Plone SP/client implimentations but not the IdP part I believe.

The other thing about SAML2 is that in addition allowing your users to not have to login again, it does this without having to setup any VPN or direct connection between the two Plone sites. It's all done in the browser via redirects. This is unlike integrating LDAP with Plone.

But none of this answers the original question. Cognito isn't saml2 but seems like you can hook it up to one so you could have: app -> cognito -> plone (saml2 IdP) but I don't think thats what you are after. You seem to want Plone -> cognito -> .... whatever FB, saml2 etc etc. or seems like cognito can just store users and passwords itself.

Like others have said. Writing a PASPlugin is not hard and there is plenty of examples out there to copy. Where it has to interact with the user in the browser could be tricky if you are using Volto. dm.zope.saml2 for example would not work with volto. I don't know how they intend to deal with these cases.

1 Like

There is also https://github.com/4teamwork/ftw.saml2auth that works with MS ADFS.

1 Like