[thelist] Single Sign On Security

Matt Warden mwarden at gmail.com
Tue Mar 2 19:23:05 CST 2010

On Tue, Mar 2, 2010 at 7:48 PM, Bill Moseley <moseley at hank.org> wrote:
> A third-party partner site wants to provide access to my site but bypass my
> account creation and login screens.  They want to have a sign-up form on
> *their* site and then provide access to my site.  My site will still need an
> account created for each user first, so that means I need an API to allow
> the third party site to create an account and then provide a way to redirect
> to my site bypassing the login page.
> I'm looking for ideas how to make this easy for the third-party site, yet be
> secure.

You actually do not need the user's password. You only need to be able
to take the username and password supplied and submit that securely
(encrypted) to the third party site for a yes/no verification, which
you will have to trust. After challenging the third party site, you
can discard the password submitted.

We do something similar with our product where you can set up
authentication via a WINS server or network share. We forward the
credentials submitted by the user and allow the WINS server or
operating system to perform the authentication. If it grants access
based on those credentials and we have a username in our DB matching
the windows username, then we will grant access as well.

Sounds to me like you'd want to search your DB first and only ping the
third party site if you don't find a match.

Matt Warden
Cincinnati, OH, USA

This email proudly and graciously contributes to entropy.

More information about the thelist mailing list