Single Sign On across multiple domains?

The SSO solution that I've implemented here works as follows:

1. There is a master domain, login.mydomain.com, with the script master_login.php that manages the logins.
2. Each client domain has the script client_login.php.
3. All the domains have a shared user session database.
4. When the client domain requires the user to be logged in, it redirects to the master domain (login.mydomain.com/master_login.php).
5. If the user has not signed in to the master, it requests authentication from the user (i.e. displays the login page). After the user is authenticated it creates a session in the database.
6. If the user is already authenticated, it looks up their session id in the database.
7. The master domain returns to the client domain (client.mydomain.com/client_login.php), passing the session id.
8. The client domain creates a cookie storing the session id from the master.
9. The client can find out the logged-in user by querying the shared database using the session id.

Notes:

- The session id is a unique global identifier generated with the algorithm from RFC 4122.
- The master_login.php will only redirect to domains in its whitelist.
- The master and clients can be in different top level domains, e.g. client1.abc.com, client2.xyz.com, login.mydomain.com.


This looks like a good solution grom. What do you store in the database? Is it (session_id, username, hashed_password)?

– Jenkz Mar 23 '10 at 11:41

How do you handle the case where the master domain login.mydomain.com goes down? Is login impossible at that point?

– PsychoDad Mar 8 at 0:46
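The master/client exchange from grom's answer, written out as an added Python example (not code from the answer): the exact-host whitelist check on the return URL, an RFC 4122 session id stored in the shared session table, and the client resolving the user from that id. USERS, SESSIONS and CLIENT_WHITELIST are constructed in-memory stand-ins for the shared database and the whitelist.

```python
import hmac
import uuid
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed stand-ins for the shared user/session database (not real storage).
USERS = {"alice": "s3cret"}          # a real deployment stores password hashes
SESSIONS = {}                        # session_id -> username, shared by all domains

# Hypothetical whitelist of client hosts master_login.php may redirect back to.
CLIENT_WHITELIST = {"client1.abc.com", "client2.xyz.com"}


def master_login(return_url, master_sid=None, credentials=None):
    """Master side. Returns (redirect_url, session_id), or None if the login page is needed."""
    host = urlsplit(return_url).hostname
    # Exact host match: a substring or prefix check would accept
    # client1.abc.com.attacker.example as well.
    if host not in CLIENT_WHITELIST:
        raise ValueError("return host %r is not whitelisted" % host)
    if master_sid in SESSIONS:
        sid = master_sid                         # already signed in at the master
    else:
        if credentials is None:
            return None                          # caller must display the login page
        user, password = credentials
        ok = user in USERS and hmac.compare_digest(USERS[user], password)
        if not ok:
            raise PermissionError("bad credentials")
        sid = str(uuid.uuid4())                  # RFC 4122 version-4 identifier
        SESSIONS[sid] = user                     # session row in the shared database
    return return_url + "?" + urlencode({"sid": sid}), sid


def client_login(redirect_url):
    """Client side. Reads sid from the query string, sets a cookie, resolves the user."""
    query = parse_qs(urlsplit(redirect_url).query)
    sid = query.get("sid", [None])[0]
    user = SESSIONS.get(sid)                     # lookup in the shared database
    if user is None:
        raise PermissionError("unknown session id")
    # Cookie the client domain would set; HttpOnly and Secure keep the id
    # away from page scripts and plain-HTTP requests.
    cookie = {"name": "sid", "value": sid, "httponly": True, "secure": True}
    return user, cookie
```

Because the session id travels in the query string of the return URL, the client should set the cookie and then redirect to a URL without the sid, so the id does not linger in browser history, referrers and access logs.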

Don't re-invent the wheel. There are a number of open source cross-domain SSO packages such as JOSSO, OpenSSO, CAS, Shibboleth and others. If you're using Microsoft technology throughout (IIS, AD), you can use Microsoft federation (ADFS) instead.

This sounds like a job for OpenID - but only allow IDs from your sign-in domain.

If you use Active Directory you could have each app use AD for authentication, login could then be seamless. Otherwise, if the applications can talk to each other behind the scenes, you could use sessionids and have one app handling id generation serving all of your other applications.

We implemented open authentication for all our domains that way when you .

These hosts can share cookies:

- mail.xyz.com
- xyz.com
- logon.xyz.com

But these cannot:

- abc.com
- xyz.com
- tre.com

In the former case you can bang out a cookie based solution. Think GUID and a database session table.

The best solution is to implement SSO using Lasso, and I strongly suggest you look at that. If you decide it's overkill for what you need then I concur with Neall and suggest you use OpenID.

There are plenty of platform neutral third party technologies that provide this capability for free. Considering how ubiquity is an important criterion for federated login, you should consider one or more of these offerings: OpenID, Google Friend Connect, Facebook Connect. I have blogged on choosing the right single .

This is how we used to do it, although I think it's a bad idea. All of our domains had a /login directory with a PHP script that sets the cookies and session variables for that domain. We also had a list of domains.

Whenever you log into one, you get logged into them all because we use an image tag that calls each of the PHP scripts. However, we have migrated to using JSON and I'm not familiar with how the new script works.

