Single Sign On across multiple domains

Question

Our company has multiple domains set up with one website hosted on each of the domains. At this time, each domain has its own authentication which is done via cookies.

When someone logged on to one domain needs to access anything from the other, the user needs to log in again using different credentials on the other website, located on the other domain.

I was thinking of moving towards single sign on (SSO), so that this hassle can be eliminated. I would appreciate any ideas on how this could be achieved, as I do not have any experience in this regard.

Thanks.

Edit: The websites are mix of internet (external) and intranet (internal-used within the company) sites.

Answer 1

This sounds like a job for OpenID - but only allow IDs from your sign-in domain.

Answer 2

we implemented open authentication for all our domains that way when you sign in into one of them you are signed in into all

Answer 3

If you use Active Directory you could have each app use AD for authentication, login could then be seamless.

Otherwise, if the applications can talk to each other behind the scenes, you could use sessionids and have one app handling id generation serving all of your other applications.

Answer 4

This is how we used do it, although I think it's a bad idea.

All of our domains had a /login directory with a PHP script that sets the cookies and session variables for that domain. We also had a list of domains. Whenever you log into one, you get logged into them all because we use an image tag that calls each of the PHP scripts.

However, we have migrated to using JSON and I'm not familiar with how the new script works.

Answer 5

How different are the host names?

These hosts can share cookies.

• mail.xyz.com
• www.xyz.com
• logon.xyz.com

But there can not.

• abc.com
• xyz.com
• www.tre.com

In the former case you can bang out a cookie based solution. Think GUID and a database session table.

Answer 6

The best solution is to implement SSO using Lasso, and I strongly suggest you look at that. If you decide it's overkill for what you need then I concur with Neall and suggest you use OpenID.

Answer 7

The SSO solution that I've implemented here works as follows:

1. There is a master domain, login.mydomain.com with the script master_login.php that manages the logins.
2. Each client domain has the script client_login.php
3. All the domains have a shared user session database.
4. When the client domain requires the user to be logged in, it redirects to the master domain (login.mydomain.com/master_login.php). If the user has not signed in to the master it requests authentication from the user (ie. display login page). After the user is authenticated it creates a session in a database. If the user is already authenticated it looks up their session id in the database.
5. The master domain returns to the client domain (client.mydomain.com/client_login.php) passing the session id.
6. The client domain creates a cookie storing the session id from the master. The client can find out the logged in user by querying the shared database using the session id.

Notes:

• The session id is a unique global identifier generated with algorithm from RFC 4122
• The master_login.php will only redirect to domains in its whitelist
• The master and clients can be in different top level domains. Eg. client1.abc.com, client2.xyz.com, login.mydomain.com

Answer 8

Don't re-invent the wheel. There are a number of open source cross-domain SSO packages such as JOSSO, OpenSSO, CAS, Shibboleth and others. If you're using Microsoft Technology throughout (IIS, AD), you can use microsoft federation (ADFS) instead.

Answer 9

There are plenty of platform neutral third party technologies that provide this capability for free. Considering how ubiquity is an important criteria for federated login, you should consider one or more of these offerings; Open ID, Google Friend Connect, Facebook Connect. I have blogged on choosing the right single sign in provider in more detail.