David Beitey edited this page May 10, 2016 · 1 revision

Plone 5 is fifteen years of stability wrapped in a modern, powerful user-centric package. It continues to set the pace for content management systems by offering the most functionality and customization out of the box.

## Hosting with FastCGI

Various resources online indicate that Plone can be served with FastCGI, but this is currently untested.

## Hosting with HTTP reverse proxy

### Plone configuration

Plone can operate as normal, running on any given port with its HTTP server. Install and configure collective.shibboleth for an Embedded Discovery Service (EDS), and/or manually configure Products.AutoUserMakerPASPlugin to listen for incoming headers.

### nginx.conf

```nginx
# Only pass Shibboleth attributes through on accessing this login view
# You could configure the Shibboleth attributes to be passed to *all*
# parts of Plone by applying this config to `location /` and ensuring
# `shibboleth2.xml` is configured correctly.
location ~ .*/logged_in$ {
    shib_request on;
    shib_request_use_headers on;
    more_clear_input_headers
        Shib-Application-Id
        Shib-Authentication-Instant
        Shib-Authentication-Method
        Shib-Authncontext-Class
        Shib-Identity-Provider
        Shib-Session-Id
        Shib-Session-Index
        Remote-User
        persistent-id
        Transient-Name
        Auth-Type
        commonName
        email; # plus ALL other attributes you use/receive from Shibboleth
    rewrite ^(.*)$ /VirtualHostBase/$scheme/$server_name:$server_port/plone/VirtualHostRoot$1 break;
    proxy_pass http://localhost:8080;
}

# Everywhere else: no Shibboleth request is made, but the same headers
# are still cleared from the client request before it is proxied to Plone.
location / {
    more_clear_input_headers
        Shib-Application-Id
        Shib-Authentication-Instant
        Shib-Authentication-Method
        Shib-Authncontext-Class
        Shib-Identity-Provider
        Shib-Session-Id
        Shib-Session-Index
        Remote-User
        persistent-id
        Transient-Name
        Auth-Type
        commonName
        email; # plus ALL other attributes you use/receive from Shibboleth
    rewrite ^(.*)$ /VirtualHostBase/$scheme/$server_name:$server_port/plone/VirtualHostRoot$1 break;
    proxy_pass http://localhost:8080;
}
```
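
Because Plone trusts these headers, every proxied `location` has to clear the full attribute list, and the two lists above are easy to let drift apart. The following Python audit is an added example, not part of the original wiki page or of any project it describes: it flags proxied `location` blocks that fail to clear a header the backend trusts. The sample config, the `TRUSTED` set and the `audit` function are constructed for illustration, and it assumes flat `location` blocks listing plain header names as on this page.

```python
import re

# Constructed sample config: `location /` forgets to clear `email`.
SAMPLE_CONF = """
location ~ .*/logged_in$ {
    shib_request on;
    shib_request_use_headers on;
    more_clear_input_headers
        Shib-Session-Id
        Remote-User
        email; # plus ALL other attributes
    proxy_pass http://localhost:8080;
}
location / {
    more_clear_input_headers
        Shib-Session-Id
        Remote-User;
    proxy_pass http://localhost:8080;
}
"""

# Assumption: the headers the Plone PAS plugin is configured to trust.
TRUSTED = {"Shib-Session-Id", "Remote-User", "email"}

LOCATION = re.compile(r"location\s+([^{]+?)\s*\{([^{}]*)\}")
CLEAR = re.compile(r"more_clear_input_headers\s+([^;]+);")


def audit(conf, trusted):
    """Map each proxied location to the trusted headers it fails to clear."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments
    findings = {}
    for match in LOCATION.finditer(conf):
        name, body = match.group(1), match.group(2)
        if "proxy_pass" not in body:
            continue  # nothing reaches the backend from this block
        cleared = set()
        for directive in CLEAR.finditer(body):
            # HTTP header names are case-insensitive, so compare lowercased
            cleared |= {h.strip("'\"").lower() for h in directive.group(1).split()}
        missing = sorted(h for h in trusted if h.lower() not in cleared)
        if missing:
            findings[name] = missing
    return findings


if __name__ == "__main__":
    for location, headers in audit(SAMPLE_CONF, TRUSTED).items():
        print(f"location {location}: not cleared: {', '.join(headers)}")
```
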

### shibboleth2.xml

This is an example snippet from Shibboleth's configuration. It doesn't force a session, so anonymous users can access the Plone site's public content, and authentication happens only when the user explicitly requests it (via the Shibboleth EDS or a manual link to Shibboleth.sso). You could force a Shibboleth session by changing `requireSession` to `true`.

```xml
...
    <RequestMapper type="Native">
        <RequestMap applicationId="default">
            <Host name="domain.example.org" authType="shibboleth" redirectToSSL="443">
                <Path name="/" requireSession="false" />
            </Host>
        </RequestMap>
    </RequestMapper>
```