Plone & CGI single-sign-on using mod_auth_tkt
A couple of questions have had answers suggesting making use of mod_auth_tkt to allow Plone 4 (Plone and Asp.Net Integration, Use Plone's authentication mechanism to login to other sites.) to authenticate other web applications, and since I have a couple of CGIs that already jump through hoops to authenticate via Plone, this seems ideal for my purpose. However, I can't seem to find much documentation about using mod_auth_tkt in general, and absolutely none about using it with Plone.
I have the following problems.
- mod_auth_tkt expects a shared "secret". mod_auth_tkt's examples show Apache getting this from a config file. Plone doesn't share its secrets - so how does Apache know that a given Plone cookie is a valid auth_tkt?
- what url would one use in the Apache config TKTAuthLoginURL? [I'm not sure that's vital, as, at the moment, I'm only really interested in ensuring that something is invoked from inside plone, rather than directly as a cgi]
- Apache expects the ticket cookie to be named via TKTAuthCookieName (default 'auth_tkt'). What does Plone call it? __ac?
The documentation on using mod_auth_tkt is a man page distributed with the source.
In answer to your specific questions:
In /Plone/acl_users/session. On the Manage secrets tab set a shared secret. (This is described in the documentation for setting up a shared secret with an IIS login form.) You should set the same secret in the Apache config with the TKTAuthSecret directive.
For Plone 4.0 (or Plone 3.x with plone.session 3.x) use /Plone/login_form. For Plone 4.1 use /Plone/login, assuming that the Plone site is hosted at /Plone. Use /login_form or /login if it is hosted at the root.
Plone uses __ac by default, so use TKTAuthCookieName "__ac". (The cookie name Plone uses is set in the acl_users session settings and cookie authentication settings.)
You might have to set TKTAuthBackArgName "came_from", though I think Plone will fallback to the referrer url so it may work without. And you will need to check the "Use mod_auth_tkt compatible hashing algorithm" option on the preferences tab of acl_users/session.
It turns out that there seems to be a conflict with pas.plugins.sqlalchemy. I've been investigating PPS, and while it doesn't seem that there should be any crossover, the site I was testing had PPS installed. When I switched to a site without PPS, setting the "secret" and the mod_auth_tkt flag had the desired effect. Since I seem to have fallen into the maintenance role for pas.plugins.sqlalchemy, I guess it's my problem :-)
Domo arigato, Mr. Rowe-boto!