I'm writing a web based application that will have its own authorization/authentication mechanism (traditional cookie/session based user/pass). However, depending on the organization that licenses the software, I want them to be able to plug in their own existing internal authentication system as a way to replace mine. Ideally, they'd have to run as little code as possible on their end; I'm trying to make this a mostly hosted service. I'm aware of the existence of OAuth, but don't entirely understand how I would go about implementing the system at a higher level. Any tips would be appreciated.

+1  A: 

What platform are you developing for? PHP, Java, .NET, or other?

You should look into SAML and OpenID in addition to OAuth. These protocols are used for website-to-website authentication more often than OAuth, which is mainly used for client applications on the desktop/mobile. It can be used, but this is what people tend to use it for.

In general you are considered to be the service provider. The other organizations are identity providers. In SAML you would redirect a user to the identity provider, who would authenticate (and possibly authorize) the user. They would be redirected back to the service provider, which would then be able to log them in.

See another post of mine for links to protocol documentation. Google Apps also has a good diagram of single sign-on with SAML in action.

BrianLy
Thanks for the reply. The templating is done in PHP, but most of the data processing is done in Java. I'll probably be using PHP for the auth stuff. I'd hope there are client libs for most mainstream languages, however? I did notice your other post, and was hoping you'd reply :) Also, I should mention this is a mobile web app and will eventually need to support native apps too.
Karan
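The redirect flow the answer describes (service provider sends the browser to the identity provider, the IdP authenticates and sends back an assertion, the SP validates it and creates a local session) is easier to reason about when both sides are on the page. The following is an added example, not code from the original post or from any SAML library. It is a toy model: real SAML exchanges XML AuthnRequest/Response documents signed with XML-DSig over the IdP's certificate, whereas here the messages are plain dicts and the IdP signs a canonical JSON encoding with HMAC-SHA256, so the flow and the SP-side checks can be read without an XML stack. The entity IDs, URLs, users and field names are made up for the demo.

```python
"""Toy walk-through of SP-initiated SAML web SSO (added example, not code
from the original post). Real SAML uses XML assertions signed with XML-DSig;
here messages are dicts and the IdP signs canonical JSON with HMAC-SHA256.
Entity IDs, URLs, users and field names are illustrative only."""
import hashlib
import hmac
import json
import secrets
import time


def canonical(obj):
    # Stable byte encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key, assertion):
    return hmac.new(key, canonical(assertion), hashlib.sha256).hexdigest()


class IdentityProvider:
    """The customer's IdP: checks credentials, issues a signed assertion."""

    def __init__(self, entity_id, key, users):
        self.entity_id, self.key, self.users = entity_id, key, users

    def handle_authn_request(self, req, username, password):
        if self.users.get(username) != password:   # stands in for the IdP login page
            return None
        now = int(time.time())
        assertion = {
            "ID": "_" + secrets.token_hex(16),   # unique per assertion
            "Issuer": self.entity_id,
            "Subject": username,
            "Audience": req["Issuer"],           # only this SP may accept it
            "InResponseTo": req["ID"],           # bound to the SP's own request
            "NotBefore": now - 60,               # small clock-skew allowance
            "NotOnOrAfter": now + 300,
        }
        return {"Destination": req["AssertionConsumerServiceURL"],
                "Assertion": assertion, "Signature": sign(self.key, assertion)}


class ServiceProvider:
    """Your hosted app: starts the flow and validates what comes back."""

    def __init__(self, entity_id, acs_url, idp_entity_id, idp_key):
        self.entity_id, self.acs_url = entity_id, acs_url
        self.idp_entity_id, self.idp_key = idp_entity_id, idp_key
        self.pending = {}    # outstanding request IDs (kept in the browser session)
        self.seen = set()    # assertion IDs already consumed (replay guard)
        self.sessions = {}   # local session token -> subject

    def build_authn_request(self):
        # The browser is redirected to the IdP carrying this request.
        req = {"ID": "_" + secrets.token_hex(16), "Issuer": self.entity_id,
               "AssertionConsumerServiceURL": self.acs_url,
               "IssueInstant": int(time.time())}
        self.pending[req["ID"]] = req["IssueInstant"]
        return req

    def consume_response(self, resp, now=None):
        """Return (True, session_token) or (False, reason)."""
        now = int(time.time()) if now is None else now
        a = resp["Assertion"]
        # Signature first: nothing below can be trusted until it passes.
        if not hmac.compare_digest(sign(self.idp_key, a), resp["Signature"]):
            return False, "bad signature"
        if a["Issuer"] != self.idp_entity_id:
            return False, "unknown issuer"
        if a["Audience"] != self.entity_id:
            return False, "wrong audience"
        if resp["Destination"] != self.acs_url:
            return False, "wrong destination"
        if not a["NotBefore"] <= now < a["NotOnOrAfter"]:  # NotOnOrAfter is exclusive
            return False, "outside validity window"
        if a["ID"] in self.seen:
            return False, "replayed assertion"
        if a["InResponseTo"] not in self.pending:
            return False, "unsolicited response"
        self.seen.add(a["ID"])
        del self.pending[a["InResponseTo"]]
        token = secrets.token_urlsafe(32)
        self.sessions[token] = a["Subject"]
        return True, token


def demo():
    """Happy path plus the failure cases an SP must reject."""
    key = secrets.token_bytes(32)                   # shared only for the toy HMAC
    idp = IdentityProvider("https://idp.customer.example", key, {"alice": "pw1"})
    sp = ServiceProvider("https://app.vendor.example",
                         "https://app.vendor.example/saml/acs", idp.entity_id, key)
    other = ServiceProvider("https://other.vendor.example",
                            "https://other.vendor.example/saml/acs", idp.entity_id, key)

    def login():
        return idp.handle_authn_request(sp.build_authn_request(), "alice", "pw1")

    out, resp = {}, login()
    ok, token = sp.consume_response(resp)
    out["login"] = sp.sessions[token] if ok else token
    out["replay"] = sp.consume_response(resp)[1]        # same assertion presented twice
    out["other_sp"] = other.consume_response(resp)[1]   # assertion meant for sp, not other
    resp = login()
    resp["Assertion"]["Subject"] = "admin"              # tampered after signing
    out["tampered"] = sp.consume_response(resp)[1]
    resp = login()
    out["expired"] = sp.consume_response(resp, now=resp["Assertion"]["NotOnOrAfter"])[1]
    out["bad_password"] = idp.handle_authn_request(sp.build_authn_request(), "alice", "x")
    return out


if __name__ == "__main__":
    print(demo())
```

The order of checks in `consume_response` is the practical point: verify the signature before reading any field, then confirm the assertion was issued by the configured IdP for this SP and this endpoint, that it is inside its validity window, that its ID has not been seen before, and that it answers a request this SP actually issued. A real integration replaces the HMAC with XML signature verification against the IdP's certificate from its metadata, and the dict fields with the corresponding SAML elements, but the checks stay the same.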