Liberty Alliance / SAML 2 Authentication Plugin for PAS 0.3-Unreleased-SVN (Release candidate) (Feb 14, 2007)

This is not a final release. Experimental releases should only be used for testing and development. Do not use these on production sites, and make sure you have proper backups before installing.

A Liberty authentication plugin for the Zope / Plone Pluggable Authentication Service (PAS). This plug-in was initially developed to integrate Plone into an e-Learning SOA for the European project GEARS. It has since been used in several implementations.

For additional information about this project, please visit the overview page.

Release Notes

Tested with: Plone 2.5.2, Plone 2.5.1, Plone 2.5
State: Release candidate
License: GPL

This plug-in relies on the Lasso library.

It has been tested in the European project GEARS (http://gears.euproject.org/), and this service/identity federation was demonstrated at the ePortfolio plugfest associated with the 4th International ePortfolio Conference in Oxford in October 2006 (http://www.eife-l.org/news/ep2006) and at the iLearningForum conference in Paris in January 2007 (http://www.ilearnforum.eu/programme/).

This release has been tested with Plone 2.5.2 and Zope 2.8.8 (Python 2.3.5).

It may also work on Python 2.4 and Zope 2.9 (a Python binding of the Lasso library exists for this release of Python; see the install instructions below).

INSTALL:

Required software
------------------

- Lasso >= 0.6.3 with Python binding
- Website : http://lasso.entrouvert.org/
- Debian package : python2.3-lasso (on Sarge) or python-lasso (on Etch/Sid)

- OpenSSL (command line tool)
- Website : http://www.openssl.org/
- Debian package : openssl

- PyXML
- Website : http://pyxml.sourceforge.net
- Debian package : python2.3-xml (on Sarge) or python-xml (on Etch/Sid)

- SOAPpy
- Website : http://pywebsvcs.sourceforge.net
- Debian package : python-soappy

Installing on Debian
--------------------

- Install these packages:

* zope-cmfplone
* zope-plonepas

- Create a zope instance

$ dzhandle -z 2.9 make-instance liberty_auth --addon-mode manual

- Add CMFPlone product to your instance

$ dzhandle -z2.9 add-product liberty_auth CMFPlone

- Copy the plugin's LibertyAuthPlugin directory to the Zope products directory.

- Copy the SOAPSupport product from the LibertyAuthPlugin directory to the Zope products directory. The original SOAPSupport product does not let the Python scripts in LibertyAuthPlugin read the XML body of an HTTP request; this modified version fixes that by adding code to HTTPRequest.py. HTTPRequest.py.orig is the unmodified original, so diff the two files to review exactly what the change does before deploying it.

- Start zope

$ dzhandle -z2.9 zopectl liberty_auth start

Installing on other systems (from tgz files)
--------------------------------------------

- Read doc/INSTALL.txt in the Zope tarball for the Zope commands and installation process

- Create a zope instance

- Add CMFPlone product to your instance

- Copy the plugin's LibertyAuthPlugin directory to the Zope products directory.

- Copy the SOAPSupport product from the LibertyAuthPlugin directory to the Zope products directory. The original SOAPSupport product does not let the Python scripts in LibertyAuthPlugin read the XML body of an HTTP request; this modified version fixes that by adding code to HTTPRequest.py. HTTPRequest.py.orig is the unmodified original, so diff the two files to review exactly what the change does before deploying it.

- Start zope

Adding an instance of the plugin
--------------------------------

- First you need to add a Plone Site instance in the root folder.
- In the Plone portal instance, go to the acl_users object; from the "Challenge Protocol Chooser Plugin" selection, choose LibertyAuthPlugin and click the Add button.
- Give an id.
- Leave Provider Role on "Service Provider".
- Give an organization name.
- Click the Create button.

Adding a remote Identity Provider
---------------------------------

- From the acl_users object of the portal instance, choose the liberty plugin object you created previously.
- Click the "Remote Providers" option on the panel.
- In the "Add a new remote provider" sub-section:
- Choose "Identity Provider" from the Role selection.
- Choose a unique name for the IdP.
- Browse to and select the Identity Provider metadata file.
- Browse to and select the Identity Provider public key file.

Configuring the liberty plugin functions
----------------------------------------

- From the portal object's acl_users, select the liberty plugin object.
- Select Authentication and activate your plugin; move it to the first position if necessary.
- Select Challenge and activate your plugin; move it to the first position if necessary.
- Select Extraction and activate your plugin; move it to the first position if necessary.

Configuring the metadata file publication
-----------------------------------------

- Each Liberty plugin instance is stored in its own directory under $(ZOPE_PRODUCT)/LibertyAuthPlugin/liberty. For example, a LibertyAuthPlugin instance named "myplugin" has its metadata and keys stored in $(ZOPE_PRODUCT)/LibertyAuthPlugin/liberty/myplugin.
- From the portal object, go to the "liberty" directory object and add a File object containing the plugin's metadata file. Following the previous example, the metadata file would be $(ZOPE_PRODUCT)/LibertyAuthPlugin/liberty/myplugin/metadata.xml.
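
Both of the previous two sections hand SAML 2.0 metadata to the plugin: the remote Identity Provider's metadata (plus its public key) goes in through "Remote Providers", and the Service Provider's own metadata.xml is published under /liberty for the IdP to fetch. The script below is an added example, not code from LibertyAuthPlugin or Lasso, for checking such a document before it is uploaded or published: it confirms the document describes the role you selected (an IDPSSODescriptor for "Identity Provider", an SPSSODescriptor for "Service Provider"), lists the endpoints, counts signing certificates, and flags endpoints that are not served over https. It is written for a current Python 3 rather than the Python 2.3 the plugin runs on. The two metadata documents, their entity IDs, URLs and certificate text are constructed placeholders; the assertionConsumer URL in particular is an assumption, since the page only names the signOn and singleLogout URLs.

```python
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Role names as they appear in the plugin's "Role" selection, mapped to the
# SAML 2.0 metadata element that carries that role.
ROLE_TAGS = {
    "Identity Provider": "IDPSSODescriptor",
    "Service Provider": "SPSSODescriptor",
}
ENDPOINT_TAGS = ("SingleSignOnService", "SingleLogoutService",
                 "AssertionConsumerService", "ArtifactResolutionService")


def md(tag):
    """Clark-notation name for an element in the SAML metadata namespace."""
    return "{%s}%s" % (MD, tag)


def check_metadata(xml_text, expected_role):
    """Parse one SAML 2.0 metadata document and report what matters for a
    federation: entityID, endpoints, and whether a signing key is present.
    xml.etree does not resolve external entities, so an untrusted file cannot
    pull local files in through a DTD."""
    report = {"entity_id": None, "endpoints": [], "signing_certs": 0, "warnings": []}
    root = ET.fromstring(xml_text)
    if root.tag != md("EntityDescriptor"):
        report["warnings"].append("root is %s, expected md:EntityDescriptor" % root.tag)
        return report
    report["entity_id"] = root.get("entityID")
    if not report["entity_id"]:
        report["warnings"].append("entityID attribute missing")

    role = root.find(md(ROLE_TAGS[expected_role]))
    if role is None:
        present = [c.tag.rsplit("}", 1)[-1] for c in root if c.tag.endswith("Descriptor")]
        report["warnings"].append("no %s in document (found %s): wrong Role selected?"
                                  % (ROLE_TAGS[expected_role], present))
        return report

    # A KeyDescriptor without use= is valid for both signing and encryption.
    for kd in role.findall(md("KeyDescriptor")):
        if kd.get("use") in (None, "signing"):
            report["signing_certs"] += len(kd.findall(".//{%s}X509Certificate" % DS))
    if report["signing_certs"] == 0:
        report["warnings"].append("no signing certificate: signed messages from this "
                                  "provider cannot be verified")

    for tag in ENDPOINT_TAGS:
        for ep in role.findall(md(tag)):
            location = ep.get("Location", "")
            report["endpoints"].append((tag, ep.get("Binding", ""), location))
            if not location.startswith("https://"):
                report["warnings"].append("%s at %r is not https" % (tag, location))
    return report


# Constructed sample of a remote IdP's metadata as the plugin would receive it.
# The entityID, URLs and certificate text are placeholders, not real data.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data>
        <ds:X509Certificate>MIIC...PLACEHOLDER-NOT-A-REAL-CERTIFICATE...</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/slo"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed sample of an SP document such as a Plone site might publish under
# /liberty: no signing key and plain-http endpoints, both of which get flagged.
# The assertionConsumer path is an assumption; only signOn and singleLogout are documented.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://localhost:8080/MyPlone/liberty/metadata.xml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="http://localhost:8080/MyPlone/liberty/singleLogout"/>
    <md:AssertionConsumerService index="0"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="http://localhost:8080/MyPlone/liberty/assertionConsumer"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    for label, text, role in (("IdP", IDP_METADATA, "Identity Provider"),
                              ("SP", SP_METADATA, "Service Provider"),
                              ("SP uploaded as IdP", SP_METADATA, "Identity Provider")):
        r = check_metadata(text, role)
        print(label, r["entity_id"], "signing certs:", r["signing_certs"])
        for ep in r["endpoints"]:
            print("  endpoint", *ep)
        for w in r["warnings"]:
            print("  WARNING", w)
```

Run it against the real files before the "Remote Providers" upload: a document with the wrong role descriptor is the usual cause of a "remote provider" entry that never completes a sign-on, and a missing signing certificate means nothing the IdP sends can be verified. The separate public key file the plugin asks for should be the key of the certificate this script counts, so keep the two in step when the IdP rotates keys.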

Configuring Plone portal user actions
-------------------------------------

- From the portal object, choose the "portal_registration" object and add the following actions:

- add 'singleLogout' action :
- title : "Sign out"
- id : "sign_out"
- url (expression) : "string:${portal_url}/liberty/singleLogout"
- condition : "python:request.SESSION.get('sessionDump') is not None and member"
- permission : "(none)"
- category : "user"
- visible : x

- add 'signOn' action :
- title : "Sign on"
- id : "sign_on"
- url (expression) : "string:${portal_url}/liberty/signOn"
- condition : "not:member"
- permission : "(none)"
- category : "user"
- visible : x

Adding a user token entry for a user (Optional)
-----------------------------------------------

- From the portal instance's acl_users, select the liberty plugin
- Choose "Liberty tokens" from the panel options
- In the "User Tokens" section, choose a user id from the selection and click the "Add" button
- The user can now sign on and federate by giving the user token when asked

Accessing your brand new website
--------------------------------

Let's say your portal name is "MyPlone".

- If you use the Debian packages, go to: http://localhost:9673/MyPlone/
- Otherwise go to: http://localhost:8080/MyPlone/

You will see the "sign on" button in the top right menu.

LibertyAuthPlugin is copyrighted by Entr'ouvert and is licensed under the GNU General Public License.

Change log

Only very small bug fixes, so this release can be considered stable enough to be a release candidate.