2

I would like to know what the best technique is for doing single sign-on across web sites. It means that if you visit more than one website, you will be authenticated in a "transparent" way. I'm using PHP + curl to set the cookies for the different sites, but I would really like to know if a standard way to do it exists.

Bob Aman
VP.

3 Answers

7

For a standard secure way you need:

  • an authentication server
  • an authentication filter on each site that needs SSO

The mechanism is a little bit complex; it involves HTTP redirects and secure authentication tickets. You will find a detailed explanation on the CAS website (a popular Java SSO server).
I recommend reading the page "CAS Java Client Gateway Example", especially the sequence diagram at the bottom of the page.

Alexandre Victoor
  • If you want to set up a CAS server for tests very quickly, you can do it with a free CAS server from CAS in the cloud: http://www.casinthecloud.com – jleleu Jul 23 '14 at 17:52
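
The redirect-and-ticket flow this answer describes, modelled in one process as an added example (not part of the original answer and not CAS's own code; Python is used only to keep it self-contained). The class names, the `auth.example` URL and the 10-second ticket lifetime are assumptions; tickets here are single use, bound to the requesting site and short-lived.

```python
import secrets
import time
from urllib.parse import quote

TICKET_TTL = 10  # seconds a ticket stays valid (value assumed for this sketch)

class AuthServer:
    """Central login server: the only place that ever sees the password."""
    def __init__(self, users, clock=time.time):
        self.users, self.clock = users, clock  # users: name -> password (demo data)
        self.sso, self.tickets = {}, {}  # SSO cookie -> user; ticket -> (user, service, expiry)

    def login(self, user, password):
        stored = self.users.get(user)
        if stored is None or not secrets.compare_digest(stored, password):
            return None
        cookie = secrets.token_urlsafe(32)  # cookie lives on the auth server's own domain
        self.sso[cookie] = user
        return cookie

    def issue_ticket(self, sso_cookie, service):
        """Browser arrives by redirect with ?service=...; ticket rides the redirect back."""
        user = self.sso.get(sso_cookie)
        if user is None:
            return None     # no SSO session yet: show the login form instead
        ticket = "ST-" + secrets.token_urlsafe(32)
        self.tickets[ticket] = (user, service, self.clock() + TICKET_TTL)
        return ticket

    def validate(self, ticket, service):
        """Server-to-server call from a site's filter; pop() makes a ticket single use."""
        user, issued_for, expiry = self.tickets.pop(ticket, (None, None, 0))
        if user is None or issued_for != service or self.clock() > expiry:
            return None
        return user

class SiteFilter:  # runs on each site; sets its own session cookie after one valid ticket
    def __init__(self, service_url, auth):
        self.service_url, self.auth, self.sessions = service_url, auth, {}

    def handle(self, cookie=None, ticket=None):
        if cookie in self.sessions:
            return "ok", self.sessions[cookie]
        user = self.auth.validate(ticket, self.service_url) if ticket else None
        if user is None:
            return "redirect", "https://auth.example/login?service=" + quote(self.service_url, safe="")
        cookie = secrets.token_urlsafe(32)
        self.sessions[cookie] = user
        return "set-cookie", cookie
```

No site ever handles the password or another site's cookie: each filter accepts only a ticket it has validated itself with the authentication server.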
-1

You could also take a look at OpenID. This is the same mechanism used for logging into Stack Overflow and features a "global" single sign-on.

I believe there are PHP libraries available to integrate with it.

You could also take a look at this question.

Community
jan.vdbergh
  • Not exactly. OpenID and Information Cards are single credentials, not single sign-on (well, in OpenID's case not unless you tell it to never prompt you) – blowdart Sep 19 '08 at 08:49
-2

The best way is to use Image tags which pull an image stream from your external sites.

So if you're at www.some-site.com and you want to also be signed into www.some-partner-site.com you have this displayed after logging in:

Because you're using an Image it forces the browser to "pull in" the contents of that URL.

I've recently built a solution which does it with ASP.NET, but we also have a PHP-based partner site.

Which image is displayed is irrelevant; really you should not display any image at all (hence the 1x1 size).

Aaron Powell
  • This doesn't solve the user's problem. It's merely a "technique" to "hint" the user to auth independently and separately at 2 sites. However, it's a risky policy as images are often not protected in the same way as pages in many webapps. Also the user can block the image and use the site for free. – Cheekysoft Sep 19 '08 at 08:30
  • Thanks for the feedback, I hadn't thought of what happens when they disable images. But I did find that images were a good way to start a context on the partner site. – Aaron Powell Sep 19 '08 at 11:41
  • If I'm not mistaken, that is the process that Wikimedia uses for their SSO into all wiki* sites. – Maxim Veksler Sep 13 '09 at 08:26