I'm running into this while attempting to install collective.saml2 while pinning PyXB to 1.2.6
ERROR: Cannot install -r requirements.txt (line 11) and PyXB==1.2.6 because these package versions have conflicting dependencies.
The conflict is caused by:
The user requested PyXB==1.2.6
collective-saml2 1.5 depends on PyXB==1.2.3
Thank you @jensens - I'm looking at it now, needs some love indeed. Trying to grok all the different things that need to set up first before even attempting to give it a spin
Sidenote, impressed by pas.plugins.ldap which got me about halfway. SSO would be "nice to have"
I've bypassed collective and went directly to dm.zope.saml2 as the python3 fixes are there. I'd be willing to help out where I can. Saml2 is important to us as we're moving towards centralized Shibboleth auth.
E.S. Tyrer via Plone Community wrote at 2022-11-22 18:34 +0000:
I've bypassed collective and went directly to dm.zope.saml2 as the python3 fixes are there. I'd be willing to help out where I can. Saml2 is important to us as we're moving towards centralized Shibboleth auth.
note that I have a Python 3 problem report for dm.xmlsec.binding: the password for encryption keys
is expected to be bytes -- which is surprising for Python 3.
dm.zope.saml2 likely does this correctly.
But if you migrate a Python 2 ZODB to Python 3,
the password may end up as str.
As reported, the error message of dm.xmlsec.binding
is not very clear in this case.
I did see the your notes. I don't know if I've run into the byte/string issue as of yet. My project is still in the testing phase. My POC is currenly a lone Plone 5.2.10 instance with nginx sitting in-front.
Our SSO provider is CUNY CIS has furnished Shibboleth for use with quite a few shared applications etc.
We're using metadata exchange, and they'll be the IdP and once credentials check is good Plone should then give user access to site.
That's were I am at now at the moment. With the holidays coming it's hard to get the correct info I need from our IdP provider (even though we work for the same entity!).
I know you're not a Plone dev but to the greater Zope/Plone community I think the SSO story needs some efforts to hopefully have something working on a modern install.
This means a Py3, Zope3 KGS that works OOTB with a common install using metadata exchange. Our LDAP story is kinda icky at the moment compared to what we had in Py27 land with ldapMultiPlugins too but that's another show.
Question: while Shibboleth will authenticate web pages, what about restapi? When you authenticate to the Volto site with Shibboleth, you're just authenticate in Volto but not in the Plone backend. Volto uses restapi, how the Plone backend can know who the user is?
Question: while Shibboleth will authenticate web pages, what about restapi? When you authenticate to the Volto site with Shibboleth, you're just authenticate in Volto but not in the Plone backend. Volto uses restapi, how the Plone backend can know who the user is?
Typically, no matter how a user initially logs in to Plone, they then get a token generated by Plone which is used to authenticate subsequent requests without needing to interact with a 3rd-party system. The Plone backend uses a cookie named __ac. Volto uses a JWT in the Authorization header.
so restapi reads both the __ac and jwt token? You've to pass them with the request from command line, while this is done automatically if using a browser. Thank for the hint.
The REST API handles authentication using Zope's PluggableAuthService, just like non-REST API requests. PAS is configured with multiple authentication plugins that each handle a different way of authenticating.