Saturday, June 14, 2008

Automatic single sign in for web applications

While OpenID and probably other emerging technologies are good, they don't really solve the problem I have when developing applications for my employer's customers.

Firstly, the sign in isn't really automatic, and it's not transparent. Having multiple identity providers makes no sense in this scenario. This makes the sign in process easier as we know what identity server we will use.

What the new OpenID specs seem to focus a lot on is delivering profile data from the identity provider to the website. There is a lot of research and work on standards in this field. The reason behind this is the trust issue: identity providers can't trust the website.
However, when we want a single sign in on several websites, we do trust all the sites, and the user trusts the sites more than an identity provider.

I guess our problem is a lot simpler than the problems OpenID is trying to solve. All we want is that users who sign in on one site are automatically signed in when they visit one of our other sites.
Since we control all the databases, we can easily share profile data with proprietary web services.

So the problem really comes down to setting cookies on several domains. This can be done with redirects and images.
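The redirect variant of this, sketched as an added example that is not code from the original post: the site where the user signed in redirects to the other domain with a short-lived signed token, and that domain verifies the token before setting its own first-party cookie. The shared key, the `/sso` path, the `site-b.example` host name used in the test and all function names are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

# Assumption: a secret shared by all of our sites (constructed sample value).
SHARED_KEY = b"constructed-demo-key-change-me"
TOKEN_TTL = 30  # seconds; the token only has to survive one redirect


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user_id, audience, now=None):
    """Run on the site where the user signed in, just before redirecting."""
    now = int(time.time()) if now is None else now
    claims = {"sub": user_id, "aud": audience, "exp": now + TOKEN_TTL}
    body = _b64(json.dumps(claims).encode())
    sig = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify_token(token, audience, now=None):
    """Run on the receiving site. Returns the user id, or None if rejected."""
    now = int(time.time()) if now is None else now
    try:
        body, sig = token.split(".")
        expected = _b64(hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).digest())
        if not hmac.compare_digest(sig, expected):
            return None  # forged or altered
        claims = json.loads(_unb64(body))  # decoded only after the MAC checks out
    except (ValueError, TypeError):
        return None  # malformed
    if claims.get("aud") != audience or claims.get("exp", 0) < now:
        return None  # issued for another site, or expired
    return claims.get("sub")


def redirect_url(user_id, audience):
    # Target of the redirect sent by the signing-in site.
    return "https://%s/sso?token=%s" % (audience, issue_token(user_id, audience))


def session_cookie(session_id):
    # First-party cookie the receiving site sets after a valid token.
    return "session=%s; Path=/; Secure; HttpOnly; SameSite=Lax" % session_id
```

A token stays replayable until it expires, so the receiving site should also record tokens it has accepted and refuse repeats. The image variant sets the cookie in a third-party context, which browsers that block third-party cookies will drop.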
