views: 31
answers: 2

Hi,

I need to work out a way to setup the validation of the users of a web application before they've actually arrived at the site. That is, someone browses to a url, enters a username and password which is then validated against a db or whatever. They are then automatically redirected to the real web application, on a different domain out across the internet, which is passed the details of the user and which then lets them through to the site without asking for the credentials again. And this must be done as securely as possible.

What are the options available for this sort of problem?

Thanks,

A: 

Look up OAuth or OpenID.

David
+1
A: 

What you are describing is a typical use case of inter-domain web authentication. There are multiple ways to do it:

  1. If both domains belong to the same application/company, you can just do your authentication and then pass some token/secret to the other domain in your redirect. The other domain can drop another cookie to maintain the session. This is practically how it's done between the different domains of all popular websites. For example, flickr.com uses yahoo.com to log in.

  2. You can use Identity Federation if the domains are closely related (partners). The most popular mechanism to achieve this is SAML.

  3. OpenID can also be used (that's how you arrived at this site) if the sites are loosely connected. OpenID uses an arcane login URL, so it only makes sense for tech-savvy users. The regular user may easily get confused by its complicated login process and consent page.

OAuth is an authorization scheme. It's not designed for federated login but you might be able to use it.

ZZ Coder
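Option 1 above (pass a token in the redirect, let the second domain set its own cookie) is only as safe as the token. The added example below is not from either answer; it shows the minimum a practitioner would want in such a handoff token: an HMAC signature under a secret shared by both domains, a short validity window, and a single-use nonce so a captured redirect URL cannot be replayed. The shared secret, the 60-second TTL and the in-memory nonce store are assumptions for the example; the token would travel in the redirect over HTTPS and the receiving side would then issue its own session cookie.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed secret for the example; both domains must hold the same value,
# generated with secrets.token_bytes() and distributed out of band.
SHARED_SECRET = b"example-shared-secret-replace-me"
TOKEN_TTL_SECONDS = 60            # the token only needs to survive one redirect
_seen_nonces = set()              # assumed replay store on the receiving domain


def _sign(data: bytes) -> bytes:
    return hmac.new(SHARED_SECRET, data, hashlib.sha256).digest()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(username: str, now: Optional[float] = None) -> str:
    """Login domain: build a signed, short-lived, single-use handoff token."""
    now = time.time() if now is None else now
    claims = {"sub": username, "iat": int(now), "nonce": secrets.token_urlsafe(16)}
    body = _b64e(json.dumps(claims, separators=(",", ":")).encode())
    return body + "." + _b64e(_sign(body.encode()))


def verify_token(token: str, now: Optional[float] = None) -> Optional[str]:
    """Application domain: return the username if the token is valid, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        if not hmac.compare_digest(_sign(body.encode()), _b64d(sig)):
            return None                               # forged or tampered
        claims = json.loads(_b64d(body))
        age = now - claims["iat"]
        sub, nonce = claims["sub"], claims["nonce"]
    except (ValueError, TypeError, KeyError):
        return None                                   # malformed token
    if not 0 <= age <= TOKEN_TTL_SECONDS:
        return None                                   # expired or from the future
    if nonce in _seen_nonces:
        return None                                   # replayed
    _seen_nonces.add(nonce)                           # single use
    return sub
```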