Hi all,

I have an SSO mechanism already implemented that works perfectly with redirects (site A redirects to the SSO for login, which takes it back to A after successful login).

Now I want to implement a set of web services to achieve the same functionality but without having to post back to the SSO service.

The login works in the following way (all comms through https):

1. User enters login information.
2. Login information is passed to the SSO service.
3. If login is successful, the SSO marks the user as logged in and returns a secure token.
4. The app receives the token and validates it against the SSO.
5. If the token is valid (can be decrypted and decoded and is not expired), then the SSO returns a JSON with the user details back to the application.

First of all, am I right to believe that this is fairly secure? Do you see any obvious flaws here?

The second bit of my question is how do I change this model to work for account registrations? I was thinking that the user requests an action (say register) and the SSO returns a token, which the app receives and passes as a parameter to the actual register request. The SSO validates and performs the operation. Is this fair? My main question is where do I store this secure token to validate on the next user request? Could it be a cookie?

Thanks a lot.
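An added example (not code from the original post) sketching the registration-action token the poster describes: the SSO mints a token bound to one user and one action, with a short expiry and a single-use nonce, and later validates it before performing the operation. It assumes an HMAC-signed (not encrypted) token, a constructed demo key and an in-memory nonce set standing in for the SSO's own store; the poster's real token format is not known.

```python
import base64, hashlib, hmac, json, os, time

# Constructed demo key: in practice only the SSO service holds it; the app never needs it.
SSO_KEY = b"demo-sso-signing-key-not-for-production"
_used_nonces = set()  # assumed in-memory single-use store kept by the SSO


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, action, ttl_seconds=300, now=None):
    """SSO side: mint a token tied to one user and one action, short-lived, single use."""
    now = time.time() if now is None else now
    claims = {"sub": user_id, "act": action,
              "exp": int(now) + ttl_seconds, "nonce": _b64(os.urandom(16))}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"


def validate_token(token, expected_action, now=None):
    """SSO side: return the claims only if the token is authentic, unexpired,
    issued for this action and not already consumed; otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return None  # malformed token
    expected_sig = _b64(hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected_sig):  # constant-time MAC check first
        return None
    claims = json.loads(_unb64(body))
    if claims["exp"] < now:                 # expired
        return None
    if claims["act"] != expected_action:    # token minted for a different action
        return None
    if claims["nonce"] in _used_nonces:     # replayed token
        return None
    _used_nonces.add(claims["nonce"])       # consume it: a second use fails
    return claims
```

Binding the action into the token is what stops a token issued for "register" from being reused for another request, and consuming the nonce answers the replay concern regardless of where the app keeps the token between requests.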