SSO in webpages

Question

I would like to know what's the best technique to do single sign-on in web sites. It means that if you enter in more than one website, you will be authenticated in a "transparent" way. I'm using php + curl to set the cookies for the different sites, but i really would like to know if does exist a standard way to do it.

Answer 1

You could also take a look at OpenId. This is the same mechanism used for logging into stackoverflow and features a "global" single sign-on.

I believe there are php libraries available to integrate with it.

You could also take a look at this question.

Answer 2

For a standard secure way you need :

• an authentication server
• an authentication filter on each site that need SSO

The mechanism is a little bit complex, it involves http redirects and secure authentication tickets. You will find detailled explanation on the CAS website (a popular java SSO server).
I recommend to read this page "CAS Java Client Gateway Example", especially the sequence diagram at the bottom of the page.

Answer 3

The best way is to use Image tags which pull an image stream from your external sites.

So if you're at www.some-site.com and you want to also be signed into www.some-partner-site.com you have this displayed after logging in:

Because you're using an Image it forces the browser to "pull in" the contents of that URL.

I've recently built a solution which does it with ASP.NET but we also have a php-based partner site.

What image displayed is irrelivant, really you should not display any image at all (hence the 1x1 size)