views: 301, answers: 3

+2  Q:

SSO in webpages

Hello, I would like to know what the best technique is to do single sign-on in web sites. It means that if you enter more than one website, you will be authenticated in a "transparent" way. I'm using PHP + curl to set the cookies for the different sites, but I really would like to know if there is a standard way to do it.

A: 

The best way is to use Image tags which pull an image stream from your external sites.

So if you're at www.some-site.com and you want to also be signed into www.some-partner-site.com you have this displayed after logging in:

Because you're using an Image it forces the browser to "pull in" the contents of that URL.

I've recently built a solution which does it with ASP.NET but we also have a php-based partner site.

What image is displayed is irrelevant; really you should not display any image at all (hence the 1x1 size).

Slace
This doesn't solve the user's problem. It's merely a "technique" to "hint" the user to auth independently and separately at 2 sites. However, it's a risky policy as images are often not protected in the same way as pages in many webapps. Also the user can block the image and use the site for free.
Cheekysoft
Thanks for the feedback, I hadn't thought of what happens when they disable images. But I did find that images were a good way to start a context on the partner site.
Slace
If I'm not mistaken that is the process that wikimedia uses for their SSO into all wiki* sites.
Maxim Veksler
+5  A: 

For a standard secure way you need:

  • an authentication server
  • an authentication filter on each site that needs SSO

The mechanism is a little bit complex: it involves HTTP redirects and secure authentication tickets. You will find a detailed explanation on the CAS website (a popular Java SSO server).
I recommend reading the page "CAS Java Client Gateway Example", especially the sequence diagram at the bottom of the page.

Alexandre Victoor
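The redirect-and-ticket flow this answer describes, as an added in-memory simulation that is not code from CAS or from the answer: the auth server keeps the SSO session and mints a single-use ticket bound to one service URL, and the site's filter validates the ticket server-side and only then opens its own local session. The host names, the hard-coded password check and the direct method call standing in for the HTTPS back-channel validation request are constructed stand-ins for illustration.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

class AuthServer:
    """Central login server: holds the SSO session, mints single-use service tickets."""
    def __init__(self, ticket_ttl=10):
        self.sessions = {}  # SSO cookie value -> username
        self.tickets = {}   # service ticket -> (username, service url, expiry time)
        self.ttl = ticket_ttl

    def login(self, username, password):
        # Constructed credential check; a real server verifies against a user store.
        if password != "correct-horse":
            return None
        sso_cookie = secrets.token_urlsafe(32)
        self.sessions[sso_cookie] = username
        return sso_cookie

    def redirect_for(self, sso_cookie, service_url):
        # Browser hits /login?service=...; with a valid SSO cookie it is sent back
        # to the service carrying a fresh ticket bound to that service URL.
        user = self.sessions.get(sso_cookie)
        if user is None:
            return None  # no SSO session: the login form would be shown instead
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (user, service_url, time.time() + self.ttl)
        return service_url + "?" + urlencode({"ticket": ticket})

    def validate(self, ticket, service_url):
        # Back-channel check by the service; the ticket is consumed on first use,
        # so a replayed or forwarded ticket fails, as does one for another service.
        entry = self.tickets.pop(ticket, None)  # (username, bound service, expiry)
        if entry is None or entry[1] != service_url or time.time() > entry[2]:
            return None
        return entry[0]

class ServiceFilter:
    """Filter in front of one site: never sees the SSO cookie, only tickets."""
    def __init__(self, auth, service_url):
        self.auth, self.url, self.local_sessions = auth, service_url, {}

    def handle(self, request_url):
        # Returns ("ok", user) for a valid ticket, else ("redirect", auth login URL).
        ticket = parse_qs(urlparse(request_url).query).get("ticket", [None])[0]
        user = self.auth.validate(ticket, self.url) if ticket else None
        if user is None:
            return ("redirect", "https://auth.example/login?" + urlencode({"service": self.url}))
        self.local_sessions[secrets.token_urlsafe(32)] = user  # the site's own session
        return ("ok", user)
```

Because the browser only ever carries tickets, not the auth server's session cookie, a second site joins the SSO session without any shared cookie domain, which is the point the image-tag approach above cannot give you.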
A: 

You could also take a look at OpenID. This is the same mechanism used for logging into Stack Overflow and features a "global" single sign-on.

I believe there are PHP libraries available to integrate with it.

You could also take a look at this question.

jan.vdbergh
Not exactly. OpenID and Information Cards are single credentials, not single sign-on (well, in OpenID's case not unless you tell it to never prompt you)
blowdart