Cross Domain Login – How to log a user in automatically when transferred from one domain to another

by

Single sign-on (SSO) is conceptually pretty simple.

  • User hits domain1.com.
  • domain1.com sees there’s no session cookie.
  • domain1.com redirects to sso.com
  • sso.com presents login page, and take credentials
  • sso.com sets session cookie for the user
  • sso.com then redirects back to domain1 to a special url (like domain1.com/ssologin)
  • the ssologin URL contains a parameter that is basically “signed” by the sso.com. It could be as simple as a base64 of encrypting the loginid using a shared secret key.
  • domain1.com takes the encrypted token, decrypts it, uses the new login id to log in the user.
  • domain1 sets the session cookie for the user.

Now, the next case.

  • User hits domain2.com, which follows domain1 and redirects to sso.com
  • sso.com already has a cookie for the user, so does not present the login page
  • sso.com redirects back to domain2.com with the encrypted information
  • domain2.com logs in the user.

That’s the fundamentals of how this works. You can make it more robust, more feature rich (for example, this is SSOn, but not SSOff, user can “log out” of domain1, but still be logged in to domain2). You can use public keys for signing credentials, you can have requests to transfer more information (like authorization rights, etc) from the SSO server. You can have more intimate integration, such as the domains routinely checking that the user still has rights from the SSO server.

But the cookie handshake via the browser using redirects is the key foundation upon which all of these SSO solutions are based.

More Related Contents:

  1. JWT (JSON Web Token) automatic prolongation of expiration
  2. What is token-based authentication?
  3. Authentication versus Authorization
  4. Where to store JWT in browser? How to protect against CSRF?
  5. Non-random salt for password hashes
  6. JWT refresh token flow
  7. Where do you store your salt strings?
  8. SPA best practices for authentication and session management
  9. How do I store and retrieve credentials from the Windows Vault credential manager?
  10. Symfony2 extending DefaultAuthenticationSuccessHandler
  11. Best way for a ‘forgot password’ implementation? [closed]
  12. What is the best Distributed Brute Force countermeasure? [closed]
  13. Should I hash the password before sending it to the server side?
  14. How to do stateless (session-less) & cookie-less authentication?
  15. Using Symfony2’s AccessDeniedHandlerInterface
  16. How to manually decrypt an ASP.NET Core Authentication cookie?
  17. Secure Google Cloud Functions http trigger with auth
  18. SSO with CAS or OAuth?
  19. Google Authenticator available as a public service?
  20. Best practices for server-side handling of JWT tokens [closed]
  21. What are best practices for securing the admin section of a website? [closed]
  22. Securing an API: SSL & HTTP Basic Authentication vs Signature
  23. Salt Generation and open source software
  24. Is “double hashing” a password less secure than just hashing it once?
  25. Remove Server Response Header IIS7
  26. Is JSONP safe to use?
  27. Is it safe to enable ”Access-Control-Allow-Origin: *“ (wildcard) for a public and readonly webservice?
  28. Difference between CSRF and X-CSRF-Token
  29. Remember me Cookie best practice?
  30. buffer overflow example from Art of Exploitation book

Leave a Comment