Reputation: 36078
I have two completely separate websites that are on separate servers. When logging into website "A", I would like them to be already authenticated for website "B", so that if the user goes to website B, they are already authenticated. I also plan to put an iframe on website A of website B and authentication should have already happened within the iframe using parameters in the iframe URL or cookies.
Is there a way to use the PayPal IPN concept to do single sign-on in this case? If the iframe URL has the username and website "A"'s partner code, the website "B" will hear the URL request, communicate with the partner code's IPN link, then website "A" will retrieve a token from website "B" and store to the user's cookie.
Does this make sense in terms of working and security? Any advice or experience would be greatly appreciated!
Upvotes: 0
Views: 148
Reputation: 2208
Actually, Microsoft's Windows Identity Foundation (WIF) works in quite a similar way, only you don't really need any IPN.
I suggest you do a bit of reading about it.
However, it might be overcomplicated for you to implement WIF, as it either requires using Active Directory, or creating your own Identity Service which is quite an overkill.
You can, nevertheless, implement something similar:
User authenticates on site A, gets a cookie (assuming both sites can share cookies in one way or another) containing the authentication information (Identity + time or whatever), signed/encrypted with A's private key.
Then, B will use A's public key to decrypt/verify the said cookie, and see whatever credentials the client has.
Upvotes: 1
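The signed-token scheme from the answer above, sketched as an added example that is not part of the original thread: site A signs identity plus time with its private key, and site B checks it with A's public key. The use of Ed25519 via Node's built-in `crypto`, the `payload.signature` layout, the claim names and the audience check are all assumptions of this sketch.

```javascript
// Added example: SSO token (identity + time) signed by site A, verified by site B.
const crypto = require('node:crypto');

// Site A's key pair, constructed here for the demo.
// In practice A keeps the private key and B only ever receives the public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

const b64u = (buf) => Buffer.from(buf).toString('base64url');

// Site A: after login, sign {sub, aud, iat, exp}. `aud` names the site the token is for.
function issueToken(privKey, user, audience, ttlSeconds, now = Date.now()) {
  const iat = Math.floor(now / 1000);
  const payload = b64u(JSON.stringify({ sub: user, aud: audience, iat, exp: iat + ttlSeconds }));
  const sig = crypto.sign(null, Buffer.from(payload), privKey);
  return `${payload}.${b64u(sig)}`;
}

// Site B: returns the claims if the token is authentic, addressed to B and
// unexpired; returns null in every other case.
function verifyToken(pubKey, token, expectedAudience, now = Date.now()) {
  if (typeof token !== 'string') return null;
  const parts = token.split('.');
  if (parts.length !== 2) return null;
  const [payload, sig] = parts;
  let claims;
  try {
    // Check the signature over the exact bytes received before parsing them.
    const ok = crypto.verify(null, Buffer.from(payload), pubKey, Buffer.from(sig, 'base64url'));
    if (!ok) return null;
    claims = JSON.parse(Buffer.from(payload, 'base64url').toString('utf8'));
  } catch {
    return null; // malformed signature or payload
  }
  if (claims.aud !== expectedAudience) return null; // token minted for another site
  if (typeof claims.exp !== 'number' || now / 1000 >= claims.exp) return null; // expired
  return claims;
}
```

The token here is signed but not encrypted, so the client can read the claims; B trusts only what the signature covers, and a short lifetime limits how long a copied token stays usable.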