OAuth2 or SAML with Plone?

Our enterprise uses a third-party product for authentication that is capable of being configured for both OAuth2 and SAML. We'd like to set Plone 5 up as a resource provider/SP and use our third-party product as an authorization server/IdP. From what I've researched online, there's pas.plugins.authomatic, which looks like it only works with some well-known providers like GitHub, pmr2.oauth, which seems pretty out of date, and several commercial solutions. Which is the easiest to configure, and will the Authomatic plugin work with something that is not GitHub/Google/etc? Is it better to use SAML in this case instead?

Could you say more specifically what environment you have? pas.plugins.authomatic works very nicely. It's what we use on Plone.org (with GitHub).

Ping enterprise.

If you mean https://www.pingidentity.com/en/platform/single-sign-on/sso-overview.html and if OpenID is an option, could this do it? https://github.com/plone/plone.app.openid

Correct. I'm not sure whether we have it configured for OpenID or not.... I've never heard of anyone using it, though it is a good suggestion.

Pretend for a moment I couldn't for whatever reason. SAML or OAuth2?

OAuth2 has worked for Plone. I haven't heard of anyone recently using SAML with Plone.

Cool, thanks!

There are a bunch of really large sites using SAML with Plone. I don't know so much about the existing public plugins, because I wrote for my customer a very specific custom (non-public) plugin as a solution.

I know there is the well maintained ftw.saml2auth and the old-but-mature dm.zope.saml2. I would try one of these.

1 Like

We used dm.zope.saml2 via collective.saml2 for several projects. Not so user friendly to configure but works well. I've tried to provide more documentation for it

It really needs a nice plone config UI.

1 Like

I can confirm that lots of large enterprise Plone sites use SAML and that this is an important selling point in pitches. Setting up SAML is pretty complex though, so we should definitely try to improve the integration story and share our experiences.

2 Likes

This plugin is mainly a wrapper around dm.zope.saml2 to aid in installation for a Plone environment.

1 Like

And we do use this as well, we do not only maintain it for the fun of it.

3 Likes

I love being proved wrong! :slight_smile:

Thank you for all of the suggestions! Can any of these be set up with multiple providers (i.e., an Active Directory Federation Services IdP, plus a second IdP)?

I don't know about ftw.saml2auth, but dm.zope.saml2/collective.saml2 I'm pretty sure can have multiple IdPs associated with one SP and can also act as an IdP itself. In fact we have used a Plone (SP) to Plone (IdP) setup before.

Not sure how you would initiate a login with dm.zope.saml2 and multiple IdPs, however, since it has no override of the Plone login page. It will just pick the first PAS challenge plugin in the list and this will cause a redirect to the first IdP, I believe.
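As an added illustration of the "initiate a login with multiple IdPs" step discussed above (this is not code from dm.zope.saml2, collective.saml2 or ftw.saml2auth, and the entity IDs, SSO URLs and e-mail domain mapping are constructed placeholders), here is a plain-Python discovery step that picks which IdP a login should go to, then builds the SAML HTTP-Redirect binding URL for a minimal AuthnRequest. The IdP hint is only honoured when it names a registered IdP, and RelayState is restricted to a same-site path, so neither parameter can be used to steer the browser elsewhere.

```python
"""IdP discovery for a SAML SP that trusts more than one IdP (added example)."""
import base64
import uuid
import zlib
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlencode, urlparse

SP_ENTITY_ID = "https://plone.example.invalid/saml/metadata"  # constructed
SP_ACS_URL = "https://plone.example.invalid/saml/acs"         # constructed


@dataclass(frozen=True)
class IdP:
    key: str
    entity_id: str
    sso_url: str


# Constructed registry: the only IdPs this SP is willing to redirect to.
IDP_REGISTRY = {
    "adfs": IdP("adfs", "https://adfs.example.invalid/adfs/services/trust",
                "https://adfs.example.invalid/adfs/ls/"),
    "ping": IdP("ping", "https://ping.example.invalid/idp",
                "https://ping.example.invalid/idp/SSO.saml2"),
}
DEFAULT_IDP = "ping"
# Constructed mapping of e-mail domains to IdPs (discovery by identifier).
DOMAIN_TO_IDP = {"corp.example.invalid": "adfs", "partner.example.invalid": "ping"}


def select_idp(idp_hint=None, email=None):
    """Return the IdP key to use, or None if the request cannot be honoured.

    An explicit hint (e.g. ?idp=adfs on the login URL) is accepted only when
    it names a registered IdP; otherwise the e-mail domain decides, then the
    default IdP.
    """
    if idp_hint is not None:
        return idp_hint if idp_hint in IDP_REGISTRY else None
    if email and "@" in email:
        domain = email.rsplit("@", 1)[1].lower()
        if domain in DOMAIN_TO_IDP:
            return DOMAIN_TO_IDP[domain]
    return DEFAULT_IDP


def safe_relay_state(came_from):
    """Keep only a same-site path as RelayState; absolute URLs fall back to /."""
    if not came_from:
        return "/"
    parsed = urlparse(came_from)
    if parsed.scheme or parsed.netloc or not came_from.startswith("/") \
            or came_from.startswith("//"):
        return "/"
    return came_from


def build_authn_request(idp, request_id=None, issue_instant=None):
    """Minimal, unsigned SAML 2.0 AuthnRequest addressed to the chosen IdP."""
    request_id = request_id or "_" + uuid.uuid4().hex
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime(
        "%Y-%m-%dT%H:%M:%SZ")
    return (
        '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
        f'ID="{request_id}" Version="2.0" IssueInstant="{issue_instant}" '
        f'Destination="{idp.sso_url}" '
        f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
        'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
        f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer>'
        '</samlp:AuthnRequest>'
    )


def encode_redirect_binding(xml):
    """HTTP-Redirect binding encoding: raw DEFLATE (no zlib header), then base64."""
    compressor = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = compressor.compress(xml.encode("utf-8")) + compressor.flush()
    return base64.b64encode(deflated).decode("ascii")


def decode_redirect_binding(value):
    """Inverse of encode_redirect_binding, as an IdP would apply it."""
    return zlib.decompress(base64.b64decode(value), -15).decode("utf-8")


def login_redirect_url(idp_hint=None, email=None, came_from=None):
    """The URL a login view would 302 to, or None when the IdP is unknown."""
    key = select_idp(idp_hint, email)
    if key is None:
        return None
    idp = IDP_REGISTRY[key]
    query = urlencode({
        "SAMLRequest": encode_redirect_binding(build_authn_request(idp)),
        "RelayState": safe_relay_state(came_from),
    })
    return f"{idp.sso_url}?{query}"


if __name__ == "__main__":
    print(login_redirect_url(email="alice@corp.example.invalid", came_from="/Plone"))
```

In a Plone deployment this logic would sit wherever the challenge redirect is issued (a PAS challenge plugin or a custom login view in front of it), so that the redirect target is chosen per user rather than always being the first IdP in the list. The real request must also be signed, and the response at the ACS validated against the selected IdP's metadata; those parts are left to the SAML library.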

We're using Plone on Docker, and fronting it with an nginx reverse-proxy sidecar container. That proxy should handle the redirect to the login page. My hope is that after that step, we can just pass the user on to Plone and effectively give them SSO capability whether they're using Ping or ADFS for login. Sounds like that will work for at least dm.zope.saml2. @Rotonen can you comment on whether ftw.saml2auth supports multiple IdPs as well?

Thanks!

1 Like

Negative. You'd have to federate yourself.

PRs welcome, though.