Cross Domain Login - How to log a user in automatically when transferred from one domain to another

security authentication dns single-sign-on
smashedmercury picture smashedmercury · Dec 4, 2008 · Viewed 39.3k times · Source

We offer a number of online services. We are required to develop a system which provides a quick/simple experience for users if they are transferred from one service (on domain1.com) to another service (on domain2.com).

Is there a safe and secure way to log a user in automatically once he has been transferred to the new service?

Yell at me if the solution below is completely insecure/wrong.

We were considering a system similar to that provided by a number of online services for password recovery - they are emailed a link with a unique hash which expires, that allows them to change their password.

The domain1.com site would generate a unique hash and store it in a database with the hash linked to a user along with an expire datetime field.

The user will be transferred to domain2.com/auto/?hash=d41d8cd98f00b204e9800998ecf8427e

domain2.com would next make a request to domain1.com with the hash to get the information about the user. domain1.com would then remove the hash from the database. domain2.com would log the user in and set cookies, etc.

Could something based on OpenID or OAuth achieve the same results?

Answer

Will Hartung picture Will Hartung · Dec 5, 2008

Single sign-on (SSO) is conceptually pretty simple.

  • User hits domain1.com.
  • domain1.com sees there's no session cookie.
  • domain1.com redirects to sso.com
  • sso.com presents login page, and take credentials
  • sso.com sets session cookie for the user
  • sso.com then redirects back to domain1 to a special url (like domain1.com/ssologin)
  • the ssologin URL contains a parameter that is basically "signed" by the sso.com. It could be as simple as a base64 of encrypting the loginid using a shared secret key.
  • domain1.com takes the encrypted token, decrypts it, uses the new login id to log in the user.
  • domain1 sets the session cookie for the user.

Now, the next case.

  • User hits domain2.com, which follows domain1 and redirects to sso.com
  • sso.com already has a cookie for the user, so does not present the login page
  • sso.com redirects back to domain2.com with the encrypted information
  • domain2.com logs in the user.

That's the fundamentals of how this works. You can make it more robust, more feature rich (for example, this is SSOn, but not SSOff, user can "log out" of domain1, but still be logged in to domain2). You can use public keys for signing credentials, you can have requests to transfer more information (like authorization rights, etc) from the SSO server. You can have more intimate integration, such as the domains routinely checking that the user still has rights from the SSO server.

But the cookie handshake via the browser using redirects is the key foundation upon which all of these SSO solutions are based.

Related questions

The definitive guide to form-based website authentication

Form-based authentication for websites We believe that Stack Overflow should not just be a resource for very specific technical questions, but also for general guidelines on how to solve variations on common problems. "Form based authentication for websites" should be …

Read More
What is token-based authentication?

I want to understand what token-based authentication means. I searched the internet but couldn't find anything understandable.

Read More
How to add Active Directory user group as login in SQL Server

I have a .net application which is connecting to the SQL Server using windows authentication. We cannot use SQL Server authentication in the application. We have lot of Active Directory users there for our project. So we have to create …

Read More