Forum OpenACS Q&A: Re: SingleSignOn Implementation

Posted by Frank Bergmann on

This is how we do SSO in ]project-open[:

"Real" SSO Windows -> ]po[:

We implement "real" SSO in a Windows Server based infrastructure by a small Web site running on an M$ IIS a small .asp script that authenticates the user against the M$ domain.

sUser = Request.ServerVariables("AUTH_USER")

So we know who is the guy visiting this page. Then we generate a crypto-token and forward the user to a ]po[ page that checks the token. You can find these files in the ]po[ package intranet-core/www/single-sign-on/, available for anonymous from the ]po[ CVS server on HEAD.

So this is "real" SSO, because the user doesn't need to provide his or her password.

ActiveDirectory -> ]po[

As an alternative, ]po[ has a special package to authenticate a user against a Windows Active Directory called "auth-ldap-adldapsearch" and available from ]po[ CVS. This package is based on auth-ldap, but includes code specific for M$ Active Directory and the LDAP scheme they are using. It also includes code for parsing the AD user directory and to batch-import these users into OpenACS / ]po[.

All relevant code is available with GPL V2 or higher license.