openerp-community team mailing list archive

Thread
Date

Re: OpenERP SSO integration

To: openerp-community@xxxxxxxxxxxxxxxxxxx
From: Stefan Rijnhart <stefan@xxxxxxxx>
Date: Mon, 27 Jun 2011 11:49:22 +0200
In-reply-to: <20110623182053.31818.55539.launchpad@soybean.canonical.com>
User-agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110424 Lightning/1.0b2 Thunderbird/3.1.10

On 23-06-11 20:20, Levente Bokor wrote:

Hi all,

Has anyone experience with implementing SSO in OpenERP or did anyone
come across an SSO module for OpenERP v6.x?


Hi Levente,

if your authentication scheme is supported by Apache, you can use Apacheproxy + web client. We have experimented with a set of patches thatallow the web client to delegate authentication to Apache. This opens upthe way to passwordless authentication to a Windows domain or a Linuxkerberos server as well as OpenID. Login is performed based on a sharedsecret known to the OpenERP server and the web client.

Our patches are quite simple, but they do not address all of thesecurity issues. For one, as the web client logs users in when it findsa particular header containing the user name, the web client should onlybe accessible through the Apache proxy or else the header could be forged.

The OpenERP server patch can be made into a separate module. The webclient patch cannot be made into a V6.0 web addon, but it looks like itmight be possible for V6.1. If there is any demand for it, I can try tofind the time to post a blog containing both patches later this week,although I would prefer to wait for the OpenID code from OpenERP to showup and try to hook into that as it probably addresses many of the sameissues.


Cheers,
Stefan.

--
Therp - Maatwerk in open ontwikkeling

Stefan Rijnhart - Ontwerp en implementatie

mail: stefan@xxxxxxxx
tel: +31 (0) 614478606
web: http://therp.nl

References

OpenERP SSO integration
From: Levente Bokor, 2011-06-23