{ "info": { "author": "David Beitey", "author_email": "david@davidjb.com", "bugtrack_url": null, "classifiers": [ "Environment :: Web Environment", "Framework :: Plone", "Framework :: Plone :: 4.2", "Framework :: Plone :: 4.3", "Framework :: Zope2", "Operating System :: OS Independent", "Programming Language :: Python", "Programming Language :: Python :: 2.6", "Programming Language :: Python :: 2.7", "Topic :: Software Development :: Libraries :: Python Modules" ], "description": ".. contents::\n\nIntroduction\n============\n\nThis package provides the ability for Plone users to log into a site via\nShibboleth, making use of the Shibboleth `Embedded Discovery Service`_ (EDS).\nThis allows Plone to be a Shibboleth Service Provider (SP) and self-host a\ndiscovery service on the Plone login page. A running Shibboleth responder,\nconfigured to provide a JSON Discovery Feed (``DiscoFeed`` handler) is\nrequired to populate the EDS listing.\n\n.. _Embedded Discovery Service: https://wiki.shibboleth.net/confluence/display/EDS10/\n\nIn Action\n=========\n\n.. image:: https://github.com/collective/collective.shibboleth/blob/master/docs/screenshot.png?raw=true\n :scale: 75%\n :alt: EDS login portlet within Plone.\n\n``collective.shibboleth``'s EDS portlet in action, being used with the\nAustralian and New Zealand Access Federations. The icons shown will\nautomatically display an organisation's logo if provided within SAML metadata.\nAt present, neither of these example federations support the relevant\n`metadata extensions\n`_\nand default to showing no logo.\n\n\nFeatures\n========\n\n* Provides fully-configurable Shibboleth EDS login portlet\n* Hosts Shibboleth EDS resources from within Plone\n* Integrates Shibboleth EDS styles with Plone's default Sunburst theme\n* Changes Plone's login page to be pluggable via\n ``collective.pluggablelogin``.\n* Assigns a default Shibboleth EDS login portlet to the pluggable login page.\n* Modifies login link to prevent login form appearing in an overlay, because\n the portlet requires JavaScript.\n* Adds a ``Shibboleth Authenticated`` role into Plone.\n* Assigns the ``Shibboleth Authenticated`` role to all users logging in\n using this method.\n* Alerts the user on first login as to their local account's password.\n Plone's PAS requires users have a password, and this allows Shibboleth users\n to access Plone via WebDAV, FTP and other non-federation methods.\n\nInstallation\n============\n\nInstallation with Plone follows the standard practice of modifying your\nBuildout configuration like so, adding this package to your list of eggs::\n\n [instance]\n recipe = plone.recipe.zope2instance\n ...\n eggs +=\n collective.shibboleth\n\nRe-run Buildout, restart Plone and activate the add-on. This will configure a\ndefault Shibboleth portlet on your login page. You now need to ensure your\nShibboleth responder is configured accordingly, see `Technical details`_.\n\n.. note::\n\n The default Shibboleth EDS currently switches language based upon the\n user's settings in their browser. The default language setting in the\n Shibboleth portlet within Plone configures the the current site settings as\n default when the user's language isn't available. Note that language\n support for the EDS is currently limited so you may need to adjust the\n portlet's setting to pick a suitable fallback.\n\nYou may use Plone's GenericSetup infrastructure within another package or site\npolicy product to either reconfigure this default portlet or to create your\nown.\n\n\nTechnical details\n=================\n\nYour webserver and Shibboleth Service Provider (SP) must be configured in two ways:\n\n* With a Discovery Feed for the EDS. See `Configuring Shibboleth for the\n EDS`_; and\n* To handle the login process and feed user attributes to Plone. See\n `Shibboleth authentication configuration`_\n\n\nConfiguring Shibboleth for the EDS\n----------------------------------\n\nFollow the instructions on the Shibboleth Wiki at\nhttps://wiki.shibboleth.net/confluence/display/EDS10/3.+Configuration under\n*Configuing the Service Provider*. Your configuration may need to differ\nfrom the instructions given. The one mandatory configuration step is setting\nup the ``DiscoveryFeed`` handler.\n\nYour EDS configuration options (set in ``idpselect_config.js``) are\nconfigured within Plone when you create the Shibboleth EDS portlet.\n\n\nShibboleth authentication configuration\n---------------------------------------\n\nThere are two ways you can authenticate users to your site using Shibboleth:\neither actively, by forcing a session for certain resources, or passively, by\nonly passing through authentication information if a session exists. More\ninformation about this in terms of Shibboleth can be found at\nhttps://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPProtectContent.\n\nIn a Plone context, using ``collective.shibboleth``, you thus have two choices:\n\n#. Configure Shibboleth and your front-end webserver to be **passively** aware\n of your application. After an authentication session has been created,\n session details will automatically be added to incoming requests for Plone\n to accept; or\n\n#. Configure Shibboleth and your front-end webserver to **require** a session\n for all or part of your site's URLs. When a user visits the relevant URL\n or path, authentication will be requested and the user redirected to the\n relevant Discovery Service.\n\n\nHow Plone handles this authentication\n-------------------------------------\n\nThe first option above is able to be more seamless as you can utilise a EDS\nlogin portlet inside Plone, rather than having a jarring jump to a Discovery\nService or WAYF page.\n\nBy default, the underlying PAS plugin (``Products.AutoUserMakerPASPlugin``)\nthat listens for Shibboleth headers is configured to accept these on *any* site\nURL. For a default Plone install, a ``plone.session`` PAS plugin is configured\n(the one that normally handles authentication), and this will create a session\nand take over authentication from here on out whilst a user is logged in. \n\nTo most efficiently manage this, the suggestion is to configure Shibboleth to\nprotect just the ``logged_in`` view for Plone, and configure this URL as the\nreturn point (either via the EDS portlet, or via a URL parameter). The EDS\nportlet will default to this automatically (but can be customised). This way,\nyou can be sure that Shibboleth attributes will only be passed into Plone when the user\naccesses this specific path. As this path is typically only used during login,\nyou'll be reducing the load time and processing required for the rest of the\nuser's session.\n\nThe suggested flow is thus:\n\n#. Configure Shibd Discovery Handler and protect ``/logged_in`` path with\n Shibboleth.\n#. Install this package in Plone and configure the Shibboleth EDS portlet on\n the pluggable login page.\n\nNow, when the user comes along:\n\n#. User clicks ``Login`` in Plone\n#. User is shown the EDS portlet, consisting of a list of Identity Providers\n (IdPs)\n#. User selects an IdP and is taken to the IdP login page, or redirected\n transparently if the user is already authenticated with their IdP.\n#. User is redirected back to Plone and logged in automatically. Behind the\n scenes, Shibboleth has injected the attributes into the user's request to\n ``logged_in`` and ``Products.AutoUserMakerPASPlugin`` has created that user\n an account.\n\nThe user's session has now been created and they're ready to use Plone without\nrelying on Shibboleth attributes.\n\n.. note::\n\n This configuration may or may not suit your requirements depending on your\n site, security needs or federation. This packages endeavours to fit all\n requirements so please raise an issue about your specific situation.\n\n For example, if you require that your user's authentication in Plone is\n *directly* tied to their Shibboleth session, then you'll need to disable\n the Plone session plugin's ability to ``authenticateCredentials`` and to\n configure the Shibboleth SP such that the entire Plone URL/path is\n protected.\n\n This will result in the upstream Shibboleth instance passing along\n authentication headers for every request. Note that this is arguably\n ineffecient since both the Shibboleth SP and Plone's user setup machinery\n are being invoked or consulting for each and every request.\n\n\nAbout the included Embedded Discovery Service (EDS)\n---------------------------------------------------\n\nThis package uses the Shibboleth EDS as provided by the main Shibboleth\nproject. Distributions of the EDS are available at\nhttp://download.opensuse.org/repositories/security:/shibboleth/ and the source\nis available from\nhttp://git.shibboleth.net/view/?p=js-embedded-discovery.git;a=summary.\n\nThe EDS is configurable as the Shibboleth login portlet. This portlet can be\nadded to any page, though is most useful on the pluggable login page that is\nconfigured by this package.\n\nThe included EDS distribution has been customised using the included patch\nfile (``src/collective/shibboleth/browser/shibboleth-ds-plone.patch``) in the\nfollowing ways:\n\n* Allow configuration of the EDS using a ``data-options`` attribute on the\n DOM element. Typically, the configuration function had to edited by hand.\n* Adjust or remove some styles that conflict with Plone's defaults.\n\nThe patch is primarily required because the ``idpselect_config.js`` file\nhard-codes a large structure of language information. We are working with the\nShibboleth project on improving their JavaScript and incorporating the patch\nback upstream.\n\nFor now, to reapply the patch to a new version of the EDS, do::\n\n cd src/collective/shibboleth/browser/\n patch -p5 < shibboleth-ds-plone.patch\n # Commit the result once patch is checked\n\n\nUpdating the EDS in this package\n================================\n\nIn order to update the EDS JavaScript widget, update the submodule at\n``./src/collective/shibboleth/browser/js-embedded-discovery`` and commit the\nchange in tracked versions to this repository.\n\nYou then need to build the EDS and place the compiled files into the relevant\nlocation in this package::\n\n cd src/collective/shibboleth/browser/js-embedded-discovery\n make kit\n cp -R shibboleth-embedded-ds-*/*{nonminimised,gif,js,css} ../shibboleth-ds/\n make clean\n\nNow, go and update the change log for ``collective.shibboleth`` and commit the\nresults.\n\n\nDavid Beitey, Author\n\nChangelog\n=========\n\n1.3 (2018-12-05)\n----------------\n\n- Add zope.formlib to dependencies for Plone 5.x.\n [timo]\n\n\n1.2 (2016-01-21)\n----------------\n\n- Further fix query string parsing in the EDS.\n [davidjb]\n- Add EDS (now hosted in Git) as a submodule for tracking.\n [davidjb]\n- Changed `various` import step to be ZCML configured.\n [davidjb]\n\n\n1.1.2 (2015-06-19)\n------------------\n\n- Fix issue with users not returning to ``came_from`` URL if they were\n prompted to login. This fix will be incorporated upstream in the EDS\n shortly.\n [davidjb]\n\n\n1.1.1 (2015-05-20)\n------------------\n\n- Minor changes to readme and package description.\n [davidjb]\n\n\n1.1 (2015-05-20)\n----------------\n\n- Nothing changed yet.\n\n\n1.0 (2015-05-20)\n----------------\n\n- Upgrade EDS to r157 for recent bug fixes.\n [davidjb]\n- Assign a portlet onto the Pluggable Login page on installation.\n [davidjb]\n- Change from a Embedded WAYF to Shibboleth's EDS.\n [davidjb]\n- Remove old ``collective.aaf`` code from this package; that package now\n depends on this one.\n [davidjb]\n- Refactor from ``collective.aaf``, and turn collective.aaf into an AAF-specific\n layer on top of this package.\n [davidjb]", "description_content_type": "", "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/collective/collective.shibboleth", "keywords": "plone discovery service shibboleth authentication", "license": "gpl", "maintainer": "", "maintainer_email": "", "name": "collective.shibboleth", "package_url": "https://pypi.org/project/collective.shibboleth/", "platform": "", "project_url": "https://pypi.org/project/collective.shibboleth/", "project_urls": { "Homepage": "https://github.com/collective/collective.shibboleth" }, "release_url": "https://pypi.org/project/collective.shibboleth/1.3/", "requires_dist": null, "requires_python": "", "summary": "Authentication integration layer for Shibboleth's Embdedded Discovery Service (EDS) and Plone", "version": "1.3" }, "last_serial": 4563589, "releases": { "1.0": [ { "comment_text": "", "digests": { "md5": "ffcb87bf7cde7499c0a559cbaffba938", "sha256": "237488bb61eec1fd29418dcd8a3406a0f64c1da2d5c4819468a1578000ab544a" }, "downloads": -1, "filename": "collective.shibboleth-1.0.zip", "has_sig": false, "md5_digest": "ffcb87bf7cde7499c0a559cbaffba938", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 80715, "upload_time": "2015-05-20T03:02:08", "url": "https://files.pythonhosted.org/packages/97/5a/554056ffa129cd53bf136a9bfefe99466e1fda8994c2f7a329a352988a4b/collective.shibboleth-1.0.zip" } ], "1.1": [ { "comment_text": "", "digests": { "md5": "8833f73536fc97714213e026df3427f2", "sha256": "5fb45a9d3abd597d1de1137770c44960dd4356b1892a2a52f382dcc93373c1ed" }, "downloads": -1, "filename": "collective.shibboleth-1.1.zip", "has_sig": false, "md5_digest": "8833f73536fc97714213e026df3427f2", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 80752, "upload_time": "2015-05-20T03:10:05", "url": "https://files.pythonhosted.org/packages/5c/73/a7b0dbec3ae3bdc476467dffbd6a14716349873e1e9a04562163e4756373/collective.shibboleth-1.1.zip" } ], "1.1.1": [ { "comment_text": "", "digests": { "md5": "9b6ba781b556ce02640e9153ad852f3d", "sha256": "5d2dc49711ec878f3b0c3542a2c319a9a054cf6810c21916b60bdf1c1ae33c0c" }, "downloads": -1, "filename": "collective.shibboleth-1.1.1.zip", "has_sig": false, "md5_digest": "9b6ba781b556ce02640e9153ad852f3d", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 97891, "upload_time": "2015-05-20T03:48:58", "url": "https://files.pythonhosted.org/packages/c7/84/ffa93d18c2967a179c13fb951e3010ce3511a348cf4497d59fc95bc8a9c4/collective.shibboleth-1.1.1.zip" } ], "1.1.2": [ { "comment_text": "", "digests": { "md5": "e924c9670fb4c3f3cd5711722dedd31c", "sha256": "8839a54bb222cd88bc2e490c9652d097b413c3633300e5733cc7f1b042ee841b" }, "downloads": -1, "filename": "collective.shibboleth-1.1.2.zip", "has_sig": false, "md5_digest": "e924c9670fb4c3f3cd5711722dedd31c", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 99016, "upload_time": "2015-06-19T04:48:41", "url": "https://files.pythonhosted.org/packages/18/9d/e302d344672a0ee5d302afb03447e5dcc4038988477f67db29d1bd6ce5f1/collective.shibboleth-1.1.2.zip" } ], "1.2": [ { "comment_text": "", "digests": { "md5": "690996dc9777f87abd97842e3514fa47", "sha256": "c765620483d16b26a028d173c49567224abb0634bd09e8a7ab4193ae6e2e9a01" }, "downloads": -1, "filename": "collective.shibboleth-1.2.zip", "has_sig": false, "md5_digest": "690996dc9777f87abd97842e3514fa47", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 97746, "upload_time": "2016-01-21T06:07:17", "url": "https://files.pythonhosted.org/packages/99/95/fc4da476821e58643be22eb365255d38417cf9dcacd3fa64fc94a1f27bda/collective.shibboleth-1.2.zip" } ], "1.3": [ { "comment_text": "", "digests": { "md5": "42db7c2e92cd8156ec140c92a4b907b5", "sha256": "fa74ec9311c76865bb72dbb794f6a844d624195707063c60c34400d4217164f3" }, "downloads": -1, "filename": "collective.shibboleth-1.3.tar.gz", "has_sig": false, "md5_digest": "42db7c2e92cd8156ec140c92a4b907b5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 83673, "upload_time": "2018-12-05T12:29:41", "url": "https://files.pythonhosted.org/packages/b5/6c/319556fae84839af648ed2cf9265f7c49a3aa2b506f555cbdbe0d3a50374/collective.shibboleth-1.3.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "42db7c2e92cd8156ec140c92a4b907b5", "sha256": "fa74ec9311c76865bb72dbb794f6a844d624195707063c60c34400d4217164f3" }, "downloads": -1, "filename": "collective.shibboleth-1.3.tar.gz", "has_sig": false, "md5_digest": "42db7c2e92cd8156ec140c92a4b907b5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 83673, "upload_time": "2018-12-05T12:29:41", "url": "https://files.pythonhosted.org/packages/b5/6c/319556fae84839af648ed2cf9265f7c49a3aa2b506f555cbdbe0d3a50374/collective.shibboleth-1.3.tar.gz" } ] }