[opencms-dev] OpenCms SSO Integration

Fabian Panthen fpa at unitb-consulting.de
Wed Mar 17 12:01:24 CET 2010

Hello List,

We are currently working on integrating OpenCms into an SSO architecture.
This seems to be unnecessarily difficult.
Here's the picture:

In a regular SSO architecture, an SSO server handles Authentication and 
provides some form of mechanism to show other applications that a user 
has been authenticated.
Applications check for that, for instance a token, and authenticate the 
user automatically, trusting the SSO's decision that the user is to be 
We have been searching the API for days now and so far have not seen a 
way to authenticate an OpenCms user without knowing his password.
This is said to be a security feature. But really a security feature is 
that an application should not ever need to know a user's password at all!
If I am programming extensions to a system with its API I obviously 
have access with administrative rights.
Hence I should be able to

a) create an admin enabled CmsObject without having to store the admin 
password somewhere
b) create user CmsObjects without having to know their password

The way the API seems to us currently, OpenCms can only be integrated 
into SSO if it handles the login itself but not as a client to another 
login server.

So, dear list, what are your thoughts?
Have we simply overlooked something, and actually we are able to do just 
that but were just too stupid to see so?
Or is this something that should be addressed in future versions of the API?
Anyone found a solution to this problem already?

Kind regards,

Fabian Panthen



u n i t b  c o n s u l t i n g

Brunnenstr. 156

10115 Berlin

Tel:    +49 [0]30 44 31 92 00

Fax:    +49 [0]30 44 31 92 29

Mail:   office at unitb-consulting.de

Web:    http://www.unitb-consulting.de

Managing directors: Nico Adam, Thomas Timm

Register court: AG Berlin-Charlottenburg - HRB 113607

Tax number: 37/249/21073

VAT ID: DE814984825
