SSO


landry
Hi everybody.  I want to perform single sign-on for web applications (Alfresco and Odoo) using Shibboleth.  But I can't do it.  Who can help me?  Thank you in advance.

--
For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
To unsubscribe from this list send an email to [hidden email]

Alfresco, OpenERP/Odoo integrations (was: Re: SSO)

Peter Schober
* Landry BIAO <[hidden email]> [2019-12-16 00:42]:
> Hi everybody.  I want to perform single sign-on for web applications
> (Alfresco and odoo) using shibboleth.  But I can't do it.

Well, no one here is going to do it for you just because you "can't".
(With the possible exception of you hiring someone.)

From a technical standpoint it's not even clear what you're asking:
About integrating the Shibboleth SP software with those applications?
Or merely "using" a Shibboleth IDP (as an instance of any SAML IDP)
with SAML SP integrations that may exist for these applications
(possibly only as part of their "enterprise" versions)?

As often is the case none of these integrations seem overly obvious
(especially not for newcomers) and there's no guide for them yet at:
https://wiki.shibboleth.net/confluence/display/KB/IntegrationGuides

So fully aware that everything below will not be of much help to you
here's my take on these two applications -- not that anyone is going
to find that buried in a thread with the meaningless subject "SSO":

Alfresco
========

Alfresco claims support for SAML WebSSO:
https://docs.alfresco.com/sso/topics/saml.html
though that seems rather limited (as usual).
So this seems like an exercise in following their documentation (to
extract their own requirements) and the documentation of the
Shibboleth IDP (on how to satisfy concrete technical requirements).

But Alfresco also has support for "external authentication"
https://docs.alfresco.com/5.2/concepts/auth-basics.html
In conjunction with httpd and mod_proxy_ajp this should allow use of
the Shibboleth SP with Alfresco. (Which would certainly be my own
preference because I know how to use httpd and Shibboleth.)

OpenERP/Odoo
============

Odoo isn't the easiest to integrate SAML with, from a quick look.
It seems you can buy a SAML SSO module (random search result):
https://apps.odoo.com/apps/modules/11.0/auth_saml/
that uses Entr'ouvert's LASSO.

Other than that it's a Python web application using the 'Werkzeug'
WSGI library, so while their documentation at
https://www.odoo.com/documentation/13.0/setup/deploy.html#builtin-server
mentions:
"Odoo includes built-in HTTP servers, using either multithreading or
multiprocessing."
you can also run it with a WSGI application server of your choice:
https://www.odoo.com/documentation/13.0/setup/deploy.html#odoo-as-a-wsgi-application

That latter approach would allow use of Apache httpd as both TLS
terminator and web server, with uWSGI (which has a good httpd
integration via mod_proxy_uwsgi) or mod_wsgi as application servers
respectively. Both allow use of environment variables set by the
Shibboleth SP, though how Odoo can be made to accept/consume those
would require a closer look.

Other than that Odoo also allows proxying via HTTP (and passing
attributes via HTTP Request Headers to Odoo's own HTTP server)
https://www.odoo.com/documentation/13.0/reference/cmdline.html#http
though that approach is not recommended by the Shibboleth project.

-peter
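
The reply above distinguishes environment variables set by the Shibboleth SP from attributes passed in HTTP request headers. The following is an added example, not part of the original post and not Odoo or Shibboleth project code: a WSGI middleware that accepts identity only from server-set variables and discards same-named client headers, which WSGI delivers under `HTTP_*` keys. The names `ShibEnvAuth`, `demo_app` and `run`, the attribute names `REMOTE_USER` and `mail`, and the policy that every request needs an SP session are assumptions.

```python
# Added example: constructed WSGI middleware, not Odoo or Shibboleth project code.
from wsgiref.util import setup_testing_defaults

# Assumed variable names; the real ones depend on the SP's attribute-map.xml.
SP_ATTRS = ("REMOTE_USER", "mail")

def header_key(name):
    """environ key a client-sent header called `name` would arrive under."""
    return "HTTP_" + name.upper().replace("-", "_")

def trusted_identity(environ, attrs=SP_ATTRS):
    """Return SP-set attributes, or None when there is no SP session."""
    for name in attrs:
        # Anything under HTTP_* came from the client; drop the lookalikes.
        environ.pop(header_key(name), None)
    if not environ.get("REMOTE_USER"):
        return None
    return {name: environ[name] for name in attrs if environ.get(name)}

class ShibEnvAuth:
    """Pass a request on only if the web server supplied REMOTE_USER."""
    def __init__(self, app, attrs=SP_ATTRS):
        self.app, self.attrs = app, attrs

    def __call__(self, environ, start_response):
        identity = trusted_identity(environ, self.attrs)
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"no SP session\n"]
        environ["shib.identity"] = identity
        return self.app(environ, start_response)

def demo_app(environ, start_response):
    """Hypothetical stand-in for the protected application."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ["shib.identity"]["REMOTE_USER"].encode()]

def run(extra):
    """Drive the middleware with a constructed request; return (status, body)."""
    environ, seen = {}, []
    setup_testing_defaults(environ)
    environ.update(extra)
    body = b"".join(ShibEnvAuth(demo_app)(environ, lambda s, h: seen.append(s)))
    return seen[0], body

if __name__ == "__main__":
    print(run({"HTTP_REMOTE_USER": "admin"}))           # client header only
    print(run({"REMOTE_USER": "alice@example.org"}))    # set by the web server
```

With mod_wsgi or uWSGI behind httpd, the SP's variables arrive unprefixed in `environ`; behind a plain HTTP proxy they can only arrive as headers, which is why the proxy must strip any client-supplied copies before forwarding.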
