Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

How to implement single sign-on for Web applications?

What are the strategies for implementing single sign-on in web applications?

like image 222
java_geek Avatar asked Aug 26 '10 17:08

java_geek


1 Answers

You added j2ee as a tag so I'm going to assume this is a java question. You can implement single sign on in code by... well... writing code. Use the built in j2ee authentication or roll your own.

See this answer for possibilities: Single sign-on in Java EE

The basic strategy is to invent some kind of shared cookie strategy that all of the web sites can read. For example, if you are developing a single sign-on solution for xyz.company.com and abc.company.com, then deliver a session cookie of some kind from with a path of company.com. Both sites can access this session and see "Oh this guy has logged in before."

There are also strategies for web single sign on when you are authenticating users to totally distinct sites like MySiteA.com and MySiteB.com.

To prevent replay attacks, you will need to carry a common session store of some kind that your web pages can validate this cookie with on every page request. You didn't tag this .NET, but in .NET this means you have to move session state out of the IIS worker process, which is not the default when you select File > New Project... for web applications.

Your application will have to guard every incoming web request because you are now trusting that cookie as a "ticket" or "proof of entry." You will need a strategy to deauthorize that cookie (on logout or timeout or other).

Most web frameworks, including J2EE, .NET, or application servers like WebSphere, have solutions for this. You will have to research them and get familiar with the techniques you need.

You can also buy third party access software such as CA Siteminder. In this case, you write no authentication and access code and you let their web agents stand guard in front of your app. They also have single sign-on solutions for multiple web sites that may or may not share a common higher level domain.

I am not explicitly recommending this product. I am saying you have asked a very very big question and that you can use java to solve your problem or buy third party products that try to do the same.

This is a HUGE topic that I have NOT attempted to cover in detail. This is not a sufficient answer. The point is that you will need to select more pieces of your architecture before you can get more specific help and guidance.

like image 179
Chris Gomez Avatar answered Nov 15 '22 10:11

Chris Gomez