Hybrid Identity feature - Plone


We have the below requirement -

  1. CMS Platform will be accessible on company network only.
  2. However, we need to create guest logins for our users who will access site over internet.
  3. We are planning to have 2 different authentication models - one for company users and other for internet users.

Question is if Plone offers Hybrid Identity configuration feature, where in we can provide temporary credentials for guest users who will be able to access site over internet.

Your requirement 1. seems to be inconsistent with 2.
Your requirement 3. can be satisfied with PAS the Pluggable Authentication System, which is able to layer multiple authentication services, so you could have one for the internal users (e.g. LDAP or Active Directory) and another user source for "external" users (e.g. non-LDAP Plone user accounts).

You would gave host it outside of your network or the DMZ of your network. In addition to ldap already mentioned, you can use a mix or SAML2 (MS active directory federated services) which means you can host it internally without having a VPN setup for LDAP.

Hi, thanks for your response. Does it means Plone does offer this feature inbuilt? Its not Plugin based. Kindly confirm.

PAS is builtin. For LDAP/AD you need extras that are not in plone core but widely used.

Plone offers the Pluggable Authentication Service - short PAS. A vanilla Plone does offer only a basic set of plugins.

Due to the nature of authentication needs out in the wild it is not possible to cover every use-case out of the box. Also most authentication systems would pull in dependencies like python-saml, authomatic, python-ldap, and so on. This would blow up the complexity of Plone and so we dont do this out of the box.

Because of that there is a bunch of add-ons around plugging into PAS in order to provide the use-case specific needs.

Its also not that difficult to add own plug-ins, given a programmer knows Plone and its PAS.

Ok thank you.