Enable SSO capability into an application

Question

I would like to enable SSO capability as a authentication provider into an web application. The use case being: I have got 2 applications. One is MAIN application and other is a REPORTING application deployed separately.

Once the user is authenticated by MAIN application, he should be allowed to login to REPORTING application as well.

I know about CAS or other 3rd party SSO providers. However, I would like to implement something in my MAIN application itself so that it providers SSO service to REPORTING application as well. Some kind of ticketing mechanism may be.

I am not sure where to start. Any pointers would be highly appreciated.

PS: Applications are on the Java EE platform.

do they share the same domain name eg. x.foo.com and y.foo.com share foo.com? — sourcedelica, Mar 19 '12 at 17:43
Unfortunately not. However, if I assume that they do, do you have a solution? — Husain Basrawala, Mar 20 '12 at 08:20
If they do then you can use a slight customization of the remember-me cookie (domain = foo.com, session-only). — sourcedelica, Mar 20 '12 at 13:20

score 0 · Answer 1 · edited May 23 '17 at 12:18

Because the applications are on different domains, cookies can't be used for storing the session, which is usually how web apps handle authentication.

If the user is expected to access the reporting application from within the main application (e.g., through a link), then you could append a security token to the link. The reporting application could call back to the main application to check that the token is valid. This SO article explains token-based authentication.

That being said, having implemented token-based security schemes in the past, I would say its easier to use a third-party solution if possible. CAS might be a good choice if it supports the features you need, as it runs as a standalone service with clients in many languages.

Enable SSO capability into an application

1 Answers1