Plone and Single-Sign On - Active Directory and the Holy Grail

These are the slides of a talk I gave on Single Sign On in Plone via Active Directory using netsight.windowsauthplugin

2 Comments
  • Excellent talk in Sorrento how professional 'Single-Sign On' can improve your business life with well configured Plone sites compared with boring procedures or workarounds you need with MS native stuff like Sharepoint to reach comparable comfort if at all. #Plone #Comfort #Enterprise #ContentManagement #cms #ecm.
  • Screencast of the demo I did in this talk:
    http://www.youtube.com/watch?v=-FLQxeD5_1M

Plone and Single-Sign On - Active Directory and the Holy Grail

  1. Plone and Single-Sign On - Active Directory and the Holy Grail. Matt Hamilton
  2. Who am I?
     • Working with Plone/Zope since 1999
     • Director at Netsight in the UK
     • Worked on a number of projects doing authentication over the years
     Plone Open Garden 2013
  3. What are we trying to do?
     • Allow users to be automatically logged in to a website without having to type in their username/password
  4. Kerberos
     • Developed by MIT many many years ago
     • Used in Unix... but also used on Windows, OSX, Linux
     • Based on authentication ‘tickets’
  5. Other approaches
     • Apache in front of Plone
       - mod_kerberos
       - mod_ntlm
       - mod_authtkt / mod_pubcookie
     • Plone on IIS
       - Enfold proxy
       - IISAPI
  6. Why do it in Plone?
     • Ultimate control over if/when to require authentication from a user
     • Fallback to other authentication methods
     • Mix of user sources
  7. netsight.windowsauthplugin
     • Runs on either Windows or Unix/Linux/OSX
     • Windows: Uses Windows’ internal SSPI API
     • Unix: Uses MIT Kerberos libraries
  8. Buildout configuration:
         [buildout]
         ...
         eggs =
             ...
             netsight.windowsauthplugin
  9. Recent Use-case
     • Two departments of National Health Service are merging
     • ...but their IT systems are still separate
     • Two different Active Directory domains: CFH and IC
  10. Recent Use-case
     • Half the users in one domain, half in the other
     • Both need to be automatically authenticated to a single, common intranet
     • Need to allow fallback to manual username/password
  11. [slide without text]
  12. How does Kerberos work?
  13. How does Kerberos work?
  14. How does Kerberos work?
  15. Demo
  16. Complex Setups
  17. Member Properties
     • Get data from Active Directory via LDAP
     • Use plone.app.ldap
     • Can use OpenLDAP as a proxy server
       - Increased reliability
       - Combine multiple LDAP/AD servers
       - Caching
  18. Questions?
     • Matt Hamilton
     • matth@netsight.co.uk
     • @hammertoe
     • https://github.com/netsight/netsight.windowsauthplugin
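
The use case on slides 9 and 10 (two AD domains, automatic login, fallback to a manual login) comes down to two server-side decisions, sketched here as an added example that is not code from the talk or from netsight.windowsauthplugin. It assumes the browser carries its Kerberos ticket in the standard HTTP `Authorization: Negotiate` header; the realm names, function names and user-id format are constructed for illustration.

```python
import base64

# Constructed realm names for the two AD domains on the slides (CFH and IC);
# the talk does not give the real Kerberos realm names.
TRUSTED_REALMS = {"CFH.EXAMPLE": "cfh", "IC.EXAMPLE": "ic"}
NTLM_MAGIC = b"NTLMSSP\x00"  # every NTLM message starts with this signature
GSS_INITIAL = 0x60           # ASN.1 [APPLICATION 0]: GSS-API/SPNEGO initial token


def classify_request(headers):
    """Decide how to handle a request from its Authorization header.

    Returns (action, token) where action is one of:
      'challenge'  - answer 401 with 'WWW-Authenticate: Negotiate'
      'gssapi'     - hand token to SSPI / MIT Kerberos for real validation
      'login_form' - fall back to manual username/password
    """
    value = headers.get("Authorization", "")
    if not value:
        return "challenge", None
    scheme, _, b64 = value.partition(" ")
    if scheme.lower() != "negotiate":
        return "login_form", None
    try:
        token = base64.b64decode(b64.strip(), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "login_form", None
    # Clients outside the domain often answer Negotiate with an NTLM message;
    # it is not a Kerberos ticket, so it must never count as a login here.
    if not token or token.startswith(NTLM_MAGIC) or token[0] != GSS_INITIAL:
        return "login_form", None
    return "gssapi", token


def namespaced_user_id(principal):
    """Map a validated principal ('user@REALM') to a per-domain user id.

    Keeping the domain in the id stops jsmith@CFH and jsmith@IC from
    collapsing into one account; unknown realms are rejected outright.
    """
    user, sep, realm = principal.rpartition("@")
    prefix = TRUSTED_REALMS.get(realm)
    if not sep or not user or prefix is None:
        return None
    return f"{prefix}\\{user.lower()}"
```

`classify_request` only routes the request: a `'gssapi'` result still has to be validated by the Kerberos library before `namespaced_user_id` is called on the principal it returns.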