[opencms-dev] OpenCms SSO Integration

Shi Yusen shiys at langhua.cn
Wed Mar 17 13:22:58 CET 2010


Set a random password first and then use this password to authn/authz;
that's the way I integrated OpenCms with CAS.

You can see the source code here:
http://langhua.org/opensource/opencms/opencms-identity/

Regards,

Shi Yusen/Beijing Langhua Ltd.

On Wed, 2010-03-17 at 12:01 +0100, Fabian Panthen wrote:
> Hello List,
> 
> we are currently working on integrating OpenCms into an SSO Architecture.
> This seems to be unnecessarily difficult.
> Here's the picture:
> 
> In a regular SSO architecture, an SSO server handles Authentication and 
> provides some form of mechanism to show other applications that a user 
> has been authenticated.
> Applications check for that, for instance a token, and authenticate the 
> user automatically, trusting the SSO's decision that the user is to be 
> trusted.
> We have been searching the API for days now and so far have not seen a
> way to authenticate an OpenCms user without knowing his password.
> This is said to be a security feature. But really a security feature is
> that an application should not ever need to know a user's password at all!
> If I am programming extensions to a system with its API I obviously
> have access with administrative rights.
> Hence I should be able to
> 
> a) create an admin enabled CmsObject without having to store the admin
> password somewhere
> b) create user CmsObjects without having to know their password
> 
> The way the API seems to us currently, OpenCms can only be integrated
> into SSO if it handles the login itself but not as a client to another
> login server.
> 
> So, dear list, what are your thoughts?
> Have we simply overseen something, and actually we are able to do just
> that but were just too stupid to see so?
> Or is this something that should be addressed in future versions of the API?
> Anyone found a solution to this problem already?
> 
> Kind regards,
> 
> Fabian Panthen
> 
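
A sketch of the "set a random password, then log in with it" approach described in the reply above. This is an added example, not code from the linked langhua.org project. The class and method names are hypothetical, and it assumes the caller already holds an administrative CmsObject (adminCms) and has validated the SSO ticket with the CAS server before passing in the principal name.

```java
import java.security.SecureRandom;
import java.util.Base64;

import org.opencms.file.CmsObject;
import org.opencms.main.CmsException;
import org.opencms.main.OpenCms;

/** Hypothetical helper: logs an SSO-authenticated user into OpenCms without a known password. */
public final class SsoLoginBridge {

    private static final SecureRandom RNG = new SecureRandom();

    private SsoLoginBridge() {}

    /** 256 bits from a CSPRNG, URL-safe encoded. Never logged, stored or shown to the user. */
    static String randomPassword() {
        byte[] raw = new byte[32];
        RNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    /**
     * @param adminCms     assumption: a CmsObject allowed to change other users' passwords
     * @param ssoPrincipal assumption: user name taken from an SSO ticket that was already validated
     */
    public static CmsObject loginWithoutKnownPassword(CmsObject adminCms, String ssoPrincipal)
            throws CmsException {
        if (ssoPrincipal == null || ssoPrincipal.isEmpty()) {
            // Fail closed: never reset a password for an unauthenticated request.
            throw new IllegalArgumentException("no validated SSO principal");
        }
        String oneTime = randomPassword();
        // Overwrites whatever local password the account had before.
        adminCms.setPassword(ssoPrincipal, oneTime);
        // Start from a guest context, then switch it to the SSO user.
        CmsObject userCms = OpenCms.initCmsObject(OpenCms.getDefaultUsers().getUserGuest());
        userCms.loginUser(ssoPrincipal, oneTime);
        return userCms;
    }
}
```

Because every SSO login replaces the account's password, the regular OpenCms login form stops working for these users, and two concurrent logins for the same user can invalidate each other between setPassword and loginUser.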



