How do I use repoze.who/repoze.what with SPNEGO?

Question

I'm trying to do single sign-on (SSO) with an intranet web application written in Pylons and I'd like to use repoze.what for authorization. I have Apache configured with mod_sspi and it correctly authenticates the user and sets the REMOTE_USER environment variable. However, I can't figure out how to convince repoze.who that the user is, indeed, authenticated.

I tried creating an Identifier that looks like this:

class NtlmIdentifier(object):     
    def identify(self, environ):           
        if environ['AUTH_TYPE'] == 'NTLM':
            return { 'repoze.who.userid': environ['REMOTE_USER'] }

        return None

    def remember(self, environ, identity):
        pass

    def forget(self, environ, identity):
        pass

And registering the middleware later on like this:

return setup_auth(app, groups, permissions, identifiers=identifiers, authenticators=[], challengers=[])

But it seems that my identifier's identify method is never called by the framework.

How do you integrate SPNEGO/SSPI with repoze.who and repoze.what?

Answer 1

When the REMOTE_USER variable is set beforehand (e.g., by the web server), repoze.who won't do anything, not even call the registered plugins.

As for repoze.what v1, because it is set up from a repoze.who plugin, this means the repoze.what credentials won't be available and therefore the user would always be anonymous; this won't be a problem in repoze.what 2 (under development).

To make everything work as you expect, you can keep the identifier you wrote and pass the remote_user_key argument to setup_auth:

return setup_auth(app, groups, permissions, remote_user_key=None, identifiers=identifiers, authenticators=[], challengers=[])

HTH.