A couple of questions have had answers suggesting making use of mod_auth_tkt to allow Plone 4 (Plone and Asp.Net Integration, Use Plone's authentication mechanism to login to o
It turns out that there seems to be a conflict with pas.plugins.sqlalchemy. I've been investigating PPS, and while it doesn't seem that there should be any crossover, the site I was testing had PPS installed. When I switched to a site without PPS, setting the "secret" and the mod_auth_tkt flag had the desired effect. Since I seem to have fallen into the maintenance role for pas.plugins.sqlalchemy, I guess it's my problem :-)
Domo arigato, Mr. Rowe-boto!
The documentation on using mod_auth_tkt is a man page distributed with the source.
In answer to your specific questions:
In /Plone/acl_users/session. On the Manage secrets tab set a shared secret. (This is described in the documentation for setting up a shared secret with an IIS login form.) You should set the same secret in the Apache config with the TKTAuthSecret directive.
For Plone 4.0 (or Plone 3.x with plone.session 3.x) use /Plone/login_form. For Plone 4.1 use /Plone/login, assuming that the Plone site is hosted at /Plone. Use /login_form or /login if it is hosted at the root.
Plone uses _ac by default, so use TKTAuthCookieName "_ac". (The cookie name Plone uses is set in the acl_users session settings and cookie authentication settings.)
You might have to set TKTAuthBackArgName "came_from", though I think Plone will fall back to the referrer URL so it may work without. And you will need to check the "Use mod_auth_tkt compatible hashing algorithm" option on the preferences tab of acl_users/session.
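
Added example, not part of the answer above and not Plone's or mod_auth_tkt's own code: it shows why the secret in acl_users/session and the TKTAuthSecret value must be identical, by issuing a ticket on one side and verifying it on the other. The double-MD5 ticket layout, the function names, the 7200-second timeout and the sample values are assumptions made for illustration; check the layout against the mod_auth_tkt man page.

```python
import hashlib
import hmac
import socket
import struct

SECRET = b"constructed-shared-secret"  # constructed sample value, not a real secret

def _digest(secret, ip, ts, userid, tokens, user_data):
    # Assumed layout: MD5(MD5(ip + ts + secret + userid NUL tokens NUL user_data) + secret)
    head = socket.inet_aton(ip) + struct.pack("!I", ts)
    tail = "\0".join((userid, tokens, user_data)).encode("utf-8")
    inner = hashlib.md5(head + secret + tail).hexdigest().encode("ascii")
    return hashlib.md5(inner + secret).hexdigest()

def make_ticket(secret, userid, ts, ip="0.0.0.0", tokens="", user_data=""):
    """Issuer side: digest + 8 hex digits of timestamp + userid!tokens!user_data."""
    digest = _digest(secret, ip, ts, userid, tokens, user_data)
    ticket = "%s%08x%s!" % (digest, ts, userid)
    if tokens:
        ticket += tokens + "!"
    return ticket + user_data

def validate_ticket(secret, ticket, now, ip="0.0.0.0", timeout=7200):
    """Verifier side: return the userid if the ticket checks out, else None."""
    try:
        digest, ts = ticket[:32], int(ticket[32:40], 16)
        userid, rest = ticket[40:].split("!", 1)
        tokens, user_data = rest.split("!", 1) if "!" in rest else ("", rest)
        expected = _digest(secret, ip, ts, userid, tokens, user_data)
    except (ValueError, struct.error, OSError):
        return None  # malformed ticket: fail closed
    # Constant-time comparison so the check does not leak digest prefixes.
    if not hmac.compare_digest(expected.encode(), digest.encode()):
        return None  # wrong secret or tampered fields
    if not 0 <= now - ts <= timeout:
        return None  # expired or issued in the future
    return userid

if __name__ == "__main__":
    issued = 1300000000  # constructed timestamp
    t = make_ticket(SECRET, "alice", issued)
    print("same secret:     ", validate_ticket(SECRET, t, now=issued + 60))
    print("different secret:", validate_ticket(b"some-other-secret", t, now=issued + 60))
    print("expired:         ", validate_ticket(SECRET, t, now=issued + 7201))
```

A ticket that only ever fails with a digest mismatch points at the secret or the hashing option differing between the two sides, not at the cookie name or login URL.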