I have an application which has an internal SSO implemented with its sister sites, using a CAS implementation. It works fine and allows a seamless transition for the user between sites (though upon first visit to each site, the user must provide some basic details to that site).

Now we want to go ahead and have Facebook Connect implemented, or for that matter RPX OpenID. The problem is this: currently the system assumes that the email id of a user is unique. So the following are some of the problems:

  1. If we allow Facebook Connect, then the email id can no longer be unique. Removing that constraint would be too expensive.
  2. If we did allow a user to log in using Facebook Connect and kept a different user profile for him, a problem occurs when he deviates to a sister site: how do we keep track of the user profile without merging? Or even if we merge, we cannot authenticate him without capturing application-specific credentials from him.
  3. Assuming he is logged into the application SSO and Facebook Connect too, if we always give SSO the priority, it essentially means that the Facebook Connect flows will have to be hidden from the logged-in user, and that would mean a bad user experience.

I was just wondering, maybe other people have also implemented Facebook Connect or OpenID on their websites; how do they handle merging of users, specifically if you already have an SSO of your own present on the site?

Cheers

A: 

If you're using CAS, you probably want to implement a custom CredentialsToPrincipalResolver which takes the OpenID/Facebook Connect credential, looks at the email attribute, and attempts to resolve it to an existing account if present. That way you use the external SSO system as a credential, just like any other token (say, X.509 or the like).

jayshao
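A sketch of the resolver the answer describes, added here as an example; it is not the answerer's code and not part of CAS. It targets the CAS 3.x `CredentialsToPrincipalResolver` interface (`supports` / `resolvePrincipal`) and `SimplePrincipal` as I recall them, so check the signatures against your CAS version. The `ExternalIdentityCredentials` class, the `AccountRepository` interface and its method names are assumptions, standing in for whatever credential your Facebook/OpenID authentication handler produces and for the SSO's account tables. The point it shows beyond the prose: keep a (provider, subject) link table so the external identity is matched on a stable id after the first login, match on email only when the provider asserts it verified the address, and return the existing SSO account id as the principal so sister sites see the user they already know.

```java
import java.util.Locale;

import org.jasig.cas.authentication.principal.Credentials;
import org.jasig.cas.authentication.principal.CredentialsToPrincipalResolver;
import org.jasig.cas.authentication.principal.Principal;
import org.jasig.cas.authentication.principal.SimplePrincipal;

/**
 * Credential handed to CAS by an OpenID / Facebook Connect authentication
 * handler. Assumed class: CAS 3.x does not ship a Facebook credential type,
 * so a deployment defines its own.
 */
final class ExternalIdentityCredentials implements Credentials {
    private static final long serialVersionUID = 1L;

    private final String provider;       // "facebook", "openid", ...
    private final String subject;        // provider-scoped stable id (Facebook uid, OpenID claimed id)
    private final String email;          // email attribute asserted by the provider; may be null
    private final boolean emailVerified; // whether the provider asserts it verified that address

    ExternalIdentityCredentials(String provider, String subject, String email, boolean emailVerified) {
        this.provider = provider;
        this.subject = subject;
        this.email = email;
        this.emailVerified = emailVerified;
    }

    String getProvider() { return provider; }
    String getSubject() { return subject; }
    String getEmail() { return email; }
    boolean isEmailVerified() { return emailVerified; }
}

/**
 * Resolves an external identity to an EXISTING SSO account, so the external
 * provider acts as a credential (like X.509) instead of producing a second
 * account that would collide with the unique-email constraint.
 */
public final class ExternalIdentityToPrincipalResolver implements CredentialsToPrincipalResolver {

    /** Assumed data-access interface over the SSO's account and link tables. */
    public interface AccountRepository {
        String findAccountIdByLinkedIdentity(String provider, String subject);
        String findAccountIdByEmail(String normalizedEmail);
        void linkIdentity(String accountId, String provider, String subject);
    }

    private final AccountRepository accounts;

    public ExternalIdentityToPrincipalResolver(AccountRepository accounts) {
        this.accounts = accounts;
    }

    public boolean supports(Credentials credentials) {
        return credentials instanceof ExternalIdentityCredentials;
    }

    public Principal resolvePrincipal(Credentials credentials) {
        ExternalIdentityCredentials c = (ExternalIdentityCredentials) credentials;

        // 1. An identity linked on an earlier login wins. No email lookup is needed,
        //    so a later email change at the provider cannot re-point the account.
        String accountId = accounts.findAccountIdByLinkedIdentity(c.getProvider(), c.getSubject());
        if (accountId != null) {
            return new SimplePrincipal(accountId);
        }

        // 2. First login from this provider: match on email only when the provider
        //    asserts it verified the address. An unverified address is just a string
        //    the user typed at the provider, so it must not select a local account.
        if (c.isEmailVerified() && c.getEmail() != null) {
            String email = c.getEmail().trim().toLowerCase(Locale.ROOT);
            accountId = accounts.findAccountIdByEmail(email);
            if (accountId != null) {
                // Record the link so step 1 handles every later login.
                accounts.linkIdentity(accountId, c.getProvider(), c.getSubject());
                return new SimplePrincipal(accountId);
            }
        }

        // 3. No local account. Assumed: the login flow treats null as "register first"
        //    rather than silently creating an account with a duplicate email.
        return null;
    }
}
```

Because the principal id is the SSO's own account id, the ticket CAS issues is indistinguishable downstream from one obtained with a password, which is what makes the sister-site transition in the question keep working; the link table lives at the CAS side, so no per-site merge is needed.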