openID concepts

kante

The Problem:
many domainnames. Or third level domains. Have one login system, one authentication. And be authenticated authomatically on every domain name of the group.

What I read about it:
Setup a domain name (domain-auth.com) for authentication purpose.
Here I'll have the login system. Under this domain user will register and login.
After authenticate the user i'll redirect him to the original domain (domain1.com?token=xyz) appending a token (maybe encrypted n' base64)

In domain1.com I have a script that will accept the token decrypt and sets the user as logged in.

But there's a problem about this... if someone intercepts the token and use it, he will find himself authenticated without entering any credential.
So here comes to play SSL.
If the token is sent via https discovering the token will be hard.

But does this mean that I'll need https and SSL mount on every domain thet uses the domain-auth.com authentication?

etully

First of all, I think you mean "sso" (single sign on) and not openID which is a specific tool for a similar problem.

Second of all, yes, you'll need SSL on every domain to hide the token. The good news is that SSL is much cheaper than it used to be (I pay $15 per year) and it can even be free (generate your own signed certs) if you don't mind your users getting a warning message.

A self signed cert (that generates a warning message) is 100% securely encrypted because it's still using SSL. Also, since you're using SSO, you can greet the user at the new domain with a message like, "Hi Bob Smith! Your email is bob@smith.com." so that the user will know that they're at the real site and not a man in the middle.