SAML or OAuth2 - Best bet for SSO and Plone 6 in 2022

Just checking in on the state of Single Sign-On and Plone.
Let's say I want to integrate something like Mattermost or Zulip with Plone 6 such that a user can use their Plone account to log into their chat/collaboration service. Between SAML and OAuth2, what's the best path to explore in 2022?

We're using OpenID Connect with Plone and Zulip. I would choose an OAuth2-based system over SAML2 because of the simplicity and possible API usage scenarios. If you're lacking an IDP, Keycloak is a good choice (or some SaaS provider such as Okta).

Just to be clear, your setup uses Plone as an OpenID Connect auth provider and Zulip as the "client"?

No. We use a common external identity provider for both Zulip and Plone. I think that IDP functionality is in itself quite demanding and wouldn't like it to be a side quest for Plone to manage. With Keycloak for example you get social auth capabilities, federation, etc.

I do not think it is a good idea to turn Plone into an identity provider. I think somebody already wrote a use-case-optimized add-on for Plone-as-OpenID-provider; if you really want to go this path I would look for it to see if you can build upon it.

I would add specialized software providing identities as its own service and use it in Plone and Zulip.

That makes a lot of sense.

@ju55i what package are you using to do OpenID Connect with Plone?

We're using pas.plugins.oidc and volto-oidc-addon. The latter one might be our own code. It has a description "Volto OIDC login integration on top of pas.plugins.oidc".

Thanks. I had not seen that plugin so I will take a look at it.

At Eau de Web we are also using pas.plugins.oidc.

@ju55i is the volto-oidc-addon an open source add-on? ... On a quick search I couldn't find it. Can you point to some references for it if it's not private?


Looks like it is not open sourced. I'll try to see if we can publish it. Bureaucracy has proven to be a bit difficult in these cases.