Best Practices for Building a SSO System

Question

I am looking to build a Single-signon system for a couple web apps that used form based authentication.

They way that I envision it is that my sso system would handle authentication against active directory pass the verification through to the desired web app when ever the used clicked a link through my sso portal.

What might be the best way to build something like this?

Answer 1

Check out JA-SIG CAS. Even if you build your own, you should look at their architecture for ideas on how to implement.

Answer 2

When a user accesses an application URL without a session cookie, he is redirected to the SSO system. He then logs into the SSO form, which then redirects him back to your app with a ticket ID that you can look up in the SSO system to get cridentials.

Also, take a look at Crowd and CAS.