Single Sign-On solution?

php_star

Scenario; 5+ different live LAMP web services each with their own
user/password fields and corresponding user information. Same users
have as many accounts as service subscriptions.

Problem; How to network this setup into a single sign-on solution,
where there is only one user/password field and a set of global data
for a given user. Each web service only holds service specific user
settings.

Ideal solution; Is free. Works similar to Google. Single login page,
multiple web services and online status is kept between them.

How is this problem solved traditionally and what are my options?

etully

I have two techniques I use depending on whether or not the 5 sites trust eachother.

If they do trust eachother, then I write a PHP page that outputs an invisible image AND sets a cookie. After a successful login, I include 5 invisible GIF's from the other 5 sites which set cookies indicating that the user has logged in.

If they don't trust eachother, then you have the user log in at any one of the sites and that site then makes links to the other sites that embed an encrypted form of the password and a plaintext userid. Each site knows how to check the userid and password to verify a successful login on the other site. The problem with this solution is that the user is required to follow links to move between the 5 sites - no bookmarks or typing URL's into the location bar allowed. Of course, that's a non-issue if the sites trust eachother and you can set cookies as I described in my first solution.

MarkR

If they are all in the same domain, you could use cookies set on the domain for authentication. They'd all need to contact some central point to validate these cookies (be it a common database, or via some kind of web RPC system).

If they're all on different domains it gets a bit trickier - you'd need some way of propogating the ID instead of a cookie (e.g. redirect to common logon page, then it redirects back with an authentication ID which the other server then looks up in the common database to check it's valid).

Mark

etully

If they are all in the same domain

Rarely the case with SSO

They'd all need to contact some central point to validate these cookies (be it a common database, or via some kind of web RPC system).

That's a common mistake with designing SSO. What good is it to have John log into site A who announces to all the other sites, "Hey everybody, John has logged in", if there is no way to recognize John when he arrives at sites B, C, D, and E. Common database and RPC seems like a good idea but it's a dead end.

you'd need some way of propogating the ID instead of a cookie

Nope. It's easy to set a cookie on domain A for domain B, C, D, and E if the domains all know and trust eachother.

And if they don't trust eachother, then you can simply propagate the ID (and encrypted password) to the other sites in a link (either a web form or a hyperlink).

(e.g. redirect to common logon page, then it redirects back with an authentication ID which the other server then looks up in the common database to check it's valid).

Unnecessarily complicated.