Hi, I have a requirement to allow users of my site to authenticate with a database (via relstorage) and also to authenticate using ADFS via SAML2.
I've heard that a common design pattern is to configure the web server (in this case apache) to authenticate with ADFS and have the plone site 'trust' the token passed down in the header.
I also want users to be able to self-register with the site which would rule out (I believe) the possibility of authenticating with ADFS at the web server level, as requests would need to reach the plone site, without the ADFS token, to allow this.
I'm exploring the possibility of having multiple web server instances, each one listening to a different URI, and authenticating appropriately (one apache instance for ADFS and the other to hit the plone site directly without ADFS token).
Can someone advise if there is a suitable PAS plugin/design pattern that can facilitate this?
relstorage is not a means to connect Plone to a database for purposes of
authentication. relstorage stores Python pickles in a SQL database instead
of the ZODB file storage and replaces the ZEO server and the database back end
containing Plone content.
College of Public Programs at ASU
PAS allows you to combine various authentication methods: e.g. one
via an ADFS token, another one locally authenticated.
Authentication is performed by "IAuthentication" implementing plugins.
Create and register the plugins for the authentication types you
want to support.
Yes, you have the basic premise correct. Many people use Apache to do
the authentication and then get Plone to trust the authentication (usually
a header is set in the request from Apache with the username in).
As you have pointed out the main issue with this is that the
authentication is either all or nothing, and you *have* to then
authenticate via the apache module. We had exactly the same issue
when using Apache to do Windows Integrated Authentication using
plugin for Plone and that allows you to easily mix and match
authentication methods within PAS.
I'm not aware of any ADFS plugins for Plone, but I do know that ADFS
is compatible with Shibboleth as both use SAML2 (they just have
different terminology for each of the components in the setup) and quite a
few Universities use Shibboleth so there might be a native PAS plugin
for Shibboleth (although I fear many just use Apache and mod_shib
to do the hard work).
The problem with having separate URLs for the site is that inevitably
a URL gets emailed from one person to another and they can't access
it as they need to go via a different hostname to get the authentication
We will be releasing the Kerberos plugin soon, but in the meantime if
you want to get in touch, we might be able to get you early access to
it, or see what would be involved in developing a native ADFS/Shib
plugin for you.
Matt Hamilton matth*******
Netsight Internet Solutions, Ltd. Understand. Develop. Deliver http://www.netsight.co.uk +44 (0)117 9090901
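The header-trust setup Matt describes and the plugin mix Dieter mentions, as an added example that is not code from this thread or from any Plone product: a stand-alone Python sketch of an IExtractionPlugin/IAuthenticationPlugin pair that honours the Apache-set username header only when the request actually arrived from the proxy, chained with a local login/password plugin so the self-registration path still works. The header name, proxy address and local accounts are constructed; real PAS plugins would implement these functions as methods on a class registered with Products.PluggableAuthService.

```python
import hmac
import ipaddress

# Constructed values: the Apache front end that does the ADFS/SAML handshake,
# the header it sets after authenticating, and a couple of local accounts.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}
HEADER = "HTTP_X_REMOTE_USER"
LOCAL_USERS = {"alice": "correct horse", "bob": "hunter2"}


def extract_header_credentials(request):
    """Stand-in for IExtractionPlugin.extractCredentials() of the header plugin."""
    environ = request.get("environ", {})
    login = environ.get(HEADER)
    remote = environ.get("REMOTE_ADDR")
    if not login or not remote:
        return {}
    # A request that reached Zope directly (the self-registration path the
    # thread describes) can carry any header value, so it must not be trusted.
    if ipaddress.ip_address(remote) not in TRUSTED_PROXIES:
        return {}
    return {"remote_user": login, "source": "adfs-header"}


def authenticate_header_credentials(credentials):
    """Stand-in for IAuthenticationPlugin.authenticateCredentials(): a proxy-asserted
    login maps straight to (user_id, login) because Apache already verified it."""
    if credentials.get("source") != "adfs-header":
        return None
    login = credentials["remote_user"]
    return (login, login)


def authenticate_local_credentials(credentials):
    """Second plugin in the chain: login/password against the local store."""
    login = credentials.get("login")
    password = credentials.get("password", "")
    expected = LOCAL_USERS.get(login)
    if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
        return (login, login)
    return None


def authenticate(request):
    """Walk the plugins in order, as PAS does with its active authentication
    plugins; the first one that returns a user wins, otherwise the request is anonymous."""
    chain = (
        (extract_header_credentials, authenticate_header_credentials),
        (lambda r: r.get("form", {}), authenticate_local_credentials),
    )
    for extractor, authenticator in chain:
        result = authenticator(extractor(request))
        if result is not None:
            return result
    return None
```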
I'm not aware of such a plugin. I would be very interested in this :)