Question

I'm currently trying to join 2 web apps on different domains, example1.com and ex.example2.net, so that you can log in to example1 and click on a link to example2 and be instantly signed in, as it would be more convenient for customers to just log in the once and navigate between the sites.

I've researched various means, i.e. PHP sessions, OpenID, JOSSO and Kerberos, but what would be a secure and easy way to implement this?


Solution

You can have one application handle logins for both sites using PHP sessions.

example1.com: user logs in and the PHP session cookie is stored.

ex.example2.net: check example1.com and validate the session cookie. If it does not exist, redirect to the example1.com login page or a custom login page on example1.com. If it does exist, then log the user into ex.example2.net.

If you only want a link then you generate a hash and pass that to the second app once they have logged onto the first. If the hash validates, then log them in.
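The hash handoff described in this answer, as an added PHP example (it is not code from the original answers). The "hash" is an HMAC over the user id, an expiry time and a random nonce; the second site checks it in constant time and each token is redeemable only once. The shared secret, the nonce table, the 60-second lifetime and the function names are assumptions made for the example.

```php
<?php
// Added example, not code from the original answers: a signed, short-lived,
// single-use handoff token that example1.com issues after login and that
// ex.example2.net verifies before starting its own session.
// Assumptions (not stated in the thread): both servers hold the same
// SHARED_SECRET, share a table of consumed nonces (an array stands in for it
// here), and have clocks within a minute of each other.

const SHARED_SECRET     = 'PLACEHOLDER-replace-with-32-random-bytes-kept-outside-webroot';
const TOKEN_TTL_SECONDS = 60;

// Site A (example1.com): called once the user has logged in locally.
// $userId is assumed to be numeric, so the '|' separator cannot appear in it.
function issueHandoffToken(string $userId, ?int $now = null): string
{
    $now     = $now ?? time();
    $nonce   = bin2hex(random_bytes(16));          // makes every token unique
    $expires = $now + TOKEN_TTL_SECONDS;
    $payload = implode('|', [$userId, $expires, $nonce]);
    $mac     = hash_hmac('sha256', $payload, SHARED_SECRET);
    // URL-safe alphabet so the token can travel in the link to site B.
    return strtr(base64_encode($payload . '|' . $mac), '+/', '-_');
}

// Site B (ex.example2.net): returns the user id to log in, or null to refuse.
// $usedNonces is the shared replay store, passed by reference so the demo can
// show a second use of the same token being rejected.
function verifyHandoffToken(string $token, array &$usedNonces, ?int $now = null): ?string
{
    $now = $now ?? time();
    $raw = base64_decode(strtr($token, '-_', '+/'), true);
    if ($raw === false) {
        return null;                                // not base64 at all
    }
    $parts = explode('|', $raw);
    if (count($parts) !== 4) {
        return null;                                // wrong shape
    }
    [$userId, $expires, $nonce, $mac] = $parts;
    $expected = hash_hmac('sha256', implode('|', [$userId, $expires, $nonce]), SHARED_SECRET);
    if (!hash_equals($expected, $mac)) {
        return null;                                // forged or altered (constant-time compare)
    }
    if (!preg_match('/^\d+$/', $expires) || (int) $expires < $now) {
        return null;                                // expired
    }
    if (isset($usedNonces[$nonce])) {
        return null;                                // already redeemed once
    }
    $usedNonces[$nonce] = (int) $expires;           // persist this in the shared table in practice
    // In the real site B handler: session_regenerate_id(true); $_SESSION['uid'] = $userId;
    return $userId;
}

// Demo: site A issues a token for user 42; site B accepts it once and rejects the replay.
$usedNonces = [];
$token  = issueHandoffToken('42');                  // site A puts this in the link to site B
$first  = verifyHandoffToken($token, $usedNonces);  // the user id, "42"
$second = verifyHandoffToken($token, $usedNonces);  // null, nonce already consumed
```

Running the demo gives `$first === "42"` and `$second === null`. Site A should only ever send the token over HTTPS, and site B must create a fresh local session after verification rather than reusing any session id that arrived with the request; expired nonces can be purged from the shared table by their stored expiry.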

Other tips

Kerberos is very extensive and for systems requiring high security. It's very difficult to work with, and even just to set up overall; I would not suggest this route unless you know Linux very well, and provided your hosting provider allows you that type of access over the machine.

I'm not familiar enough with JOSSO or OpenID to comment well on those, however.

Any PHP sessions are only good for the domain, and the server the domain is on, kind of like cookies but not, though in all you would use them.

I think your easiest solution, more so if the 2 sites are on the same hosting account/server, is to have a database specific to this cause. What you would do is create a login system like you would normally, but instead you would have 2 sites reading off this login. Aside from the normal login you would also have a session tracking table. Typically you already set sessions when users log in to keep them logged in, and you'd do the same here, but you'd add a cookie into the equation, one both sites can recognize and use to compare entries in this new table where you're tracking your users. I'd say keep track by IP, browser, and maybe a userID all in one cookie with a unique hash of some kind as well that's specific to the user, based on something only the servers could recreate from the info they have for the user.

Of course I dumb it down in conceptual speak; it's a little more elaborate than I make it out to be, but these would be your general stepping stones.

Also, if the sites are independent of one another you could always create an API between them to pass info back and forth JSONP style, so one can act as the hub for the login while the other just validates.

But in all it's all dependent on what you're wanting to do overall: how, when, where, etc.
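The shared login database and session-tracking table described in the answer above, as an added PHP example (not the answerer's code). It assumes both sites reach the same database (an in-memory SQLite database through PDO stands in for it here), a table named sso_sessions, and the function names used below. As a design choice the cookie carries only an opaque random id; the user id, expiry and browser fingerprint live in the table, so nothing readable in the cookie has to be trusted on its own. Because a browser will not send an example1.com cookie to ex.example2.net, the id still has to reach the second site through a link or server-side API call and then be set as that site's own cookie.

```php
<?php
// Added example, not code from the original answers: one session table shared
// by example1.com and ex.example2.net, keyed by an opaque id stored in each
// site's own cookie. Assumptions: both sites can open the same database
// (SQLite in memory stands in for the shared server), and PDO with the
// sqlite driver is available.

function openSharedStore(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE sso_sessions (
        id       TEXT PRIMARY KEY,   -- random opaque id; this is the cookie value
        user_id  INTEGER NOT NULL,
        ua_hash  TEXT NOT NULL,      -- loose binding to the browser, not the IP
        expires  INTEGER NOT NULL
    )');
    return $db;
}

// Called by whichever site performed the real login. Returns the cookie value.
function createSsoSession(PDO $db, int $userId, string $userAgent, int $ttl = 3600): string
{
    $id   = bin2hex(random_bytes(32));              // 256 bits, unguessable
    $stmt = $db->prepare('INSERT INTO sso_sessions (id, user_id, ua_hash, expires) VALUES (?, ?, ?, ?)');
    $stmt->execute([$id, $userId, hash('sha256', $userAgent), time() + $ttl]);
    return $id;
}

// Called by either site on each request. Returns the user id, or null if the
// cookie is unknown, expired, or presented from a different browser.
function resolveSsoSession(PDO $db, string $cookieValue, string $userAgent): ?int
{
    if (!preg_match('/^[0-9a-f]{64}$/', $cookieValue)) {
        return null;                                // reject anything not shaped like our ids
    }
    $stmt = $db->prepare('SELECT user_id, ua_hash, expires FROM sso_sessions WHERE id = ?');
    $stmt->execute([$cookieValue]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    if ((int) $row['expires'] < time()) {
        revokeSsoSession($db, $cookieValue);        // clean up as we go
        return null;
    }
    if (!hash_equals($row['ua_hash'], hash('sha256', $userAgent))) {
        return null;                                // cookie moved to another browser
    }
    return (int) $row['user_id'];
}

// Logout on either site deletes the row, which logs the user out of both.
function revokeSsoSession(PDO $db, string $cookieValue): void
{
    $db->prepare('DELETE FROM sso_sessions WHERE id = ?')->execute([$cookieValue]);
}

// Demo with a constructed user-agent string standing in for the real header.
$db     = openSharedStore();
$ua     = 'Mozilla/5.0 (constructed sample browser)';
$cookie = createSsoSession($db, 42, $ua);           // site A: setcookie('sso', $cookie, [... 'secure' => true, 'httponly' => true])
$user   = resolveSsoSession($db, $cookie, $ua);     // site B: 42 once it holds the same cookie value
$other  = resolveSsoSession($db, $cookie, 'Mozilla/5.0 (different browser)'); // null
revokeSsoSession($db, $cookie);
$after  = resolveSsoSession($db, $cookie, $ua);     // null, session gone on both sites
```

In the demo `$user` is 42, while `$other` and `$after` are null. Binding to the user-agent rather than the IP address avoids logging out users whose address changes between requests, which is common on mobile networks; if stricter binding is wanted, add the IP as a separate column rather than packing it into the cookie.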

If it works for you, my suggestion would be to go the OpenID route. It's the easier way and it's secure enough. Besides, the registration process is easier and quicker for users too.

You can actually only allow IDs from your sign-in domains, if you prefer, making it pretty much a "private" login system.

There are downsides too... You don't have fine control over the registration process, you are dependent on the OpenID authorization process... There are some problems that might happen if your host is not well configured (timezone differences, for instance).

But overall, it's a relatively secure system, easy to implement.

Kerberos is extremely secure, but it's a nightmare to work with. Unless you're dealing with highly sensitive user information, like credit card numbers, or think your websites make appetizing targets for hacking, I don't think it's worth your time.

I would use a database table that is shared between the two sites. If you go down the PHP session route, don't try and just pass the session data from one site to the next on separate domains; it won't work. I found this post helpful many moons ago: Single Sign On across multiple domains

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow