Thanks, @dieter, SSO is another topic I wanted to touch on. I will definitely look into dm.zope.saml2 as THE SSO PACKAGE.
I agree; in fact, this is the approach I'm taking with the pas.plugin.authomatic add-on. The add-on will authenticate OAuth2 users to log in and browse the site. However, in order for them to become a member, they should complete (register) their profile. Upon completing their profiles, the dexterity.membrane.authomatic will create a membrane user from their OAuth2 identities.
pas.plugins.authomatic does the same thing. I think I used the wrong term in my initial post; I should not have said acl_users when it's actual user identities for OAuth2 users.
pas.plugins.authomatic does not create Members, it creates user identities and grants these identities access to the site as logged in users.
I completely agree. My initial thought was to isolate the creation of membrane users from OAuth2 user identities into a package of its own, especially since there are membrane-specific issues to deal with. Also, I thought it was best to have a package that installs pas.plugins.authomatic and any other package that's useful for Members as content with social media login. However, for cross-functionality to create acl_users or membrane users from user identities (OAuth2, saml and other auth user identities), it is best to have a general purpose package with zcml:conditions. For instance, the package should have modules for saml and authomatic, which should only be available for use if their respective profiles are installed as seen below:
<include package=".saml" zcml:condition="installed dm.zope.saml2" />
<include package=".authomatic" zcml:condition="installed pas.plugins.authomatic" />
Each module should have its own genericsetup:registerProfile profile to install their respective control panel and method of converting user identities to Members.
I completely agree. I cringe at JBot. I couldn't think of a friendly approach to resolve this issue. Viewlet should work. However, all the various technologies would have to agree to this instead of fighting over redirection and template override of the login page. If they don't, then I don't know how I'm going to resolve having
Based on the code I've read from various PAS projects, that's a most likely no.
Thanks for the insights @djay and @dieter
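
The package layout described in this post, sketched as an added example (not code from the post or from any of the packages it names). The package name example.identity2member, the profile name, title and directory are hypothetical. The `installed` verb is true when the named package can be imported at the time ZCML is loaded, whereas `have` tests for a declared feature; neither checks whether a GenericSetup profile has been applied to a particular site.

```xml
<!-- File 1 (hypothetical path): example/identity2member/configure.zcml -->
<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:zcml="http://namespaces.zope.org/zcml">

  <!-- Each provider-specific subpackage is loaded only when the
       authentication package it depends on is importable, so the
       general-purpose package never hard-depends on either one. -->
  <include package=".saml"
           zcml:condition="installed dm.zope.saml2" />
  <include package=".authomatic"
           zcml:condition="installed pas.plugins.authomatic" />

</configure>

<!-- File 2 (hypothetical path): example/identity2member/saml/configure.zcml -->
<configure
    xmlns="http://namespaces.zope.org/zope"
    xmlns:genericsetup="http://namespaces.zope.org/genericsetup"
    i18n_domain="example.identity2member">

  <!-- The subpackage registers its own extension profile. A site admin
       applies it explicitly; that step, not the include above, is what
       turns identity-to-Member conversion on for a given site. -->
  <genericsetup:registerProfile
      name="saml"
      title="Members from SAML2 identities (example)"
      description="Control panel and identity-to-Member conversion for SAML2 logins."
      directory="profiles/saml"
      provides="Products.GenericSetup.interfaces.EXTENSION"
      />

</configure>
```

The .authomatic subpackage would carry a matching configure.zcml with its own profile, so a site that only uses one login technology never sees the other's control panel.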