I'm trying to do single sign-on (SSO) with an intranet web application written in Pylons and I'd like to use repoze.what for authorization. I have Apache configured with mod_sspi and it correctly authenticates the user and sets the REMOTE_USER environment variable. However, I can't figure out how to convince repoze.who that the user is, indeed, authenticated.
I tried creating an Identifier that looks like this:
```python
from zope.interface import implements
from repoze.who.interfaces import IIdentifier


class NtlmIdentifier(object):
    implements(IIdentifier)

    def identify(self, environ):
        # AUTH_TYPE and REMOTE_USER are CGI variables set by the web server
        # (mod_sspi here); use .get() so a request without them does not
        # raise KeyError.
        if environ.get('AUTH_TYPE') == 'NTLM' and environ.get('REMOTE_USER'):
            return {'repoze.who.userid': environ['REMOTE_USER']}
        return None

    def remember(self, environ, identity):
        pass

    def forget(self, environ, identity):
        pass
```
And registering the middleware later on like this:
```python
return setup_auth(app, groups, permissions,
                  identifiers=identifiers, authenticators=[], challengers=[])
```
But it seems that my identifier's identify method is never called by the framework.
How do you integrate SPNEGO/SSPI with repoze.who and repoze.what?
When the REMOTE_USER variable is set beforehand (e.g., by the web server), repoze.who won't do anything, not even call the registered plugins.
As for repoze.what v1: because it is set up from a repoze.who plugin, the repoze.what credentials won't be available either, and therefore the user would always be anonymous; this won't be a problem in repoze.what 2 (under development).
To make everything work as you expect, you can keep the identifier you wrote and pass the remote_user_key argument to setup_auth:
```python
return setup_auth(app, groups, permissions, remote_user_key=None,
                  identifiers=identifiers, authenticators=[], challengers=[])
```
HTH.
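To make the short-circuit described in the answer concrete, here is an added, stand-alone illustration (not code from the question, and not repoze.who's or repoze.what's own implementation). `StandInWhoMiddleware` is a hypothetical stand-in that mirrors only the one rule the answer states: when the `remote_user_key` variable is already in `environ`, no plugin is called; when the key is `None`, identification proceeds. The environ dicts are constructed to look like what mod_sspi leaves behind after an NTLM handshake, and like a client that merely sent a `REMOTE-USER` request header (which WSGI servers expose as `HTTP_REMOTE_USER`, never as `REMOTE_USER`, so the identifier ignores it).

```python
# Added example: a hypothetical stand-in for the repoze.who behaviour the
# answer describes. It is NOT repoze.who; it only reproduces the
# "skip identification when the remote-user key is already in environ" rule
# so the effect of remote_user_key can be seen without Apache or repoze.

AUTH_TYPE_NTLM = 'NTLM'


class NtlmIdentifier(object):
    """Trusts REMOTE_USER only when the web server says it came from NTLM/SSPI.

    A real plugin would also declare repoze.who's IIdentifier interface;
    it is left out so this file runs stand-alone.
    """

    def identify(self, environ):
        # AUTH_TYPE and REMOTE_USER are CGI variables set by the web server.
        # Client-supplied HTTP headers arrive as HTTP_* keys instead, so a
        # "REMOTE-USER: admin" request header becomes HTTP_REMOTE_USER and is
        # never consulted here.
        if environ.get('AUTH_TYPE') != AUTH_TYPE_NTLM:
            return None
        user = environ.get('REMOTE_USER')
        if not user:
            return None
        return {'repoze.who.userid': user}

    def remember(self, environ, identity):
        return None

    def forget(self, environ, identity):
        return None


class StandInWhoMiddleware(object):
    """Hypothetical stand-in (assumption) for the short-circuit the answer describes."""

    def __init__(self, app, identifiers, remote_user_key='REMOTE_USER'):
        self.app = app
        self.identifiers = identifiers
        self.remote_user_key = remote_user_key

    def __call__(self, environ, start_response):
        # With remote_user_key='REMOTE_USER' and mod_sspi populating that
        # variable, this branch is taken and no plugin is ever called.
        # With remote_user_key=None the check is skipped, so identifiers run.
        if self.remote_user_key is not None and self.remote_user_key in environ:
            return self.app(environ, start_response)
        for plugin in self.identifiers:
            identity = plugin.identify(environ)
            if identity:
                environ['repoze.who.identity'] = identity
                break
        return self.app(environ, start_response)


def downstream_app(environ, start_response):
    # Minimal WSGI app that reports which identity reached it.
    identity = environ.get('repoze.who.identity')
    start_response('200 OK', [('Content-Type', 'text/plain')])
    body = 'anonymous' if identity is None else identity['repoze.who.userid']
    return [body.encode('utf-8')]


def run_request(remote_user_key, environ):
    """Return the userid the downstream app saw, or 'anonymous'."""
    app = StandInWhoMiddleware(downstream_app, [NtlmIdentifier()], remote_user_key)
    statuses = []
    body = b''.join(app(dict(environ), lambda status, headers: statuses.append(status)))
    assert statuses == ['200 OK']
    return body.decode('utf-8')


# Constructed environ as mod_sspi leaves it after a successful NTLM handshake.
SSPI_ENVIRON = {'AUTH_TYPE': 'NTLM', 'REMOTE_USER': 'CORP\\alice',
                'REQUEST_METHOD': 'GET', 'PATH_INFO': '/'}

# Constructed environ for an unauthenticated client that sent a spoofed
# "REMOTE-USER" request header; WSGI exposes it as HTTP_REMOTE_USER only.
SPOOF_ENVIRON = {'HTTP_REMOTE_USER': 'CORP\\admin',
                 'REQUEST_METHOD': 'GET', 'PATH_INFO': '/'}


if __name__ == '__main__':
    print(run_request('REMOTE_USER', SSPI_ENVIRON))  # anonymous: identifier skipped
    print(run_request(None, SSPI_ENVIRON))           # CORP\alice
    print(run_request(None, SPOOF_ENVIRON))          # anonymous
```

The first call reproduces the symptom in the question: the key is present, so the identifier is never consulted and the application sees no identity. The second shows the answer's fix, and the third shows why reading the CGI variables rather than any `HTTP_*` header matters: a client cannot forge `REMOTE_USER` through a request header.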