Forum OpenACS Q&A: Re: SingleSignOn Implementation

Posted by Frank Bergmann on
Hi,

This is how we do SSO in ]project-open[:

"Real" SSO Windows -> ]po[:

We implement "real" SSO in a Windows Server based infrastructure with a small Web site running on M$ IIS: a small .asp script authenticates the user against the M$ domain.

sUser = Request.ServerVariables("AUTH_USER")

So we know who the guy visiting this page is. Then we generate a crypto-token and forward the user to a ]po[ page that checks the token. You can find these files in the ]po[ package intranet-core/www/single-sign-on/, available for anonymous access from the ]po[ CVS server on HEAD.

So this is "real" SSO, because the user doesn't need to provide his or her password.

ActiveDirectory -> ]po[

As an alternative, ]po[ has a special package to authenticate a user against a Windows Active Directory called "auth-ldap-adldapsearch" and available from ]po[ CVS. This package is based on auth-ldap, but includes code specific for M$ Active Directory and the LDAP scheme they are using. It also includes code for parsing the AD user directory and to batch-import these users into OpenACS / ]po[.

All relevant code is available with GPL V2 or higher license.

Cheers,
Frank
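The post above describes the handoff but not how the "crypto-token" is built or checked. The following is an added example, not ]project-open['s own code and not taken from intranet-core/www/single-sign-on/: it assumes a token that binds the AUTH_USER value to an issue time and a random nonce under an HMAC-SHA256 keyed with a secret shared between the IIS-side script and the ]po[ verifier. The shared secret, the 60-second lifetime, and the user names are constructed for the demo. The verifier rejects tampered, expired, future-dated and replayed tokens, which are the failure modes such a handoff has to guard against.

```python
import base64
import binascii
import hashlib
import hmac
import secrets
import time

# Constructed demo secret (assumption): in a real deployment this is a long
# random value known only to the issuing .asp script and the ]po[ verifier.
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
TOKEN_TTL_SECONDS = 60  # assumed lifetime of a freshly issued token


def make_token(user, secret=SHARED_SECRET, now=None):
    """Issuer side: what the IIS script would do after reading AUTH_USER.

    Token layout (assumed): base64url(user|issued_at|nonce) "." hex(HMAC-SHA256(payload)).
    """
    issued_at = int(time.time()) if now is None else now
    nonce = secrets.token_hex(8)  # unique per token, lets the verifier detect replays
    payload = f"{user}|{issued_at}|{nonce}".encode()
    mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + "." + mac


def verify_token(token, secret=SHARED_SECRET, now=None,
                 ttl=TOKEN_TTL_SECONDS, seen_nonces=None):
    """Verifier side: what the ]po[ landing page would do.

    Returns the authenticated user name, or None if the token is not acceptable.
    The MAC is checked before the payload is parsed, so nothing unauthenticated
    is interpreted.
    """
    now = int(time.time()) if now is None else now
    try:
        encoded_payload, presented_mac = token.split(".", 1)
        payload = base64.urlsafe_b64decode(encoded_payload.encode())
    except (ValueError, binascii.Error):
        return None

    expected_mac = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain "==" would leak how many leading
    # characters of the MAC were correct.
    if not hmac.compare_digest(expected_mac, presented_mac):
        return None

    try:
        user, issued_at_str, nonce = payload.decode().rsplit("|", 2)
        issued_at = int(issued_at_str)
    except ValueError:
        return None

    # Reject expired tokens and tokens claiming to be issued in the future.
    if not 0 <= now - issued_at <= ttl:
        return None

    # Optional replay protection: each nonce may be redeemed once while it is
    # still inside its lifetime.
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return None
        seen_nonces.add(nonce)

    return user


if __name__ == "__main__":
    # Constructed walk-through: IIS issues a token for a domain user, ]po[ checks it.
    issued = make_token("DOMAIN\\alice")
    print("token:", issued)
    print("verified as:", verify_token(issued))
    print("tampered:", verify_token(issued + "x"))
```

The nonce set in `seen_nonces` only needs to hold nonces for `ttl` seconds, since anything older is rejected by the timestamp check first; a verifier that keeps no nonce store still gets tamper and expiry protection, just not single-use tokens.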