On Tue, Mar 2, 2010 at 9:30 PM, Bill Moseley <moseley at hank.org> wrote:
> Except in this case both sites need the same end-user's credentials --
> because the end-user can log into either site directly. (Having both sites
> share the same credentials is the part I'm not thrilled about so I may see
> if I can get the specs changed.)

That defeats the purpose of single sign-on.

> That means there must be some backend API interaction between the third
> party site and mine, namely to create the account on my site. It's that
> communication that I want to make sure is secure and authenticated. I think
> SSL plus the third-party's password (shared secret, really) is enough. See
> any security holes with that simple approach?

You *do* need to create a user record on your site that includes the
username. It should NOT include the password. You should defer to the
third party site for password authentication.

-- 
Matt Warden
Cincinnati, OH, USA
http://mattwarden.com

This email proudly and graciously contributes to entropy.
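The exchange above describes a backend account-provisioning call from the third-party site to Matt's correspondent's site, authenticated with TLS plus a shared secret, and storing a user record that carries the username but never the password. The following is an added example, not code from the thread or from either site: it shows one way to implement that call with the shared secret used as an HMAC key rather than sent in the clear, a timestamp and nonce to reject replays, a constant-time signature comparison, and a receiving side that refuses to accept or store a password field. The names (`API_SECRET`, `build_create_user_request`, `AccountService`, the `X-*` header names) and the secret value are assumptions made up for the example; TLS is assumed to be terminated in front of this code and is not shown.

```python
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical shared secret provisioned out of band between the two sites.
# It is the *site-to-site* secret, not any end user's password.
API_SECRET = b"example-shared-secret-not-for-production"
SKEW_SECONDS = 300  # reject requests whose timestamp is further off than this


def sign_request(secret, body, timestamp, nonce):
    """HMAC-SHA256 over timestamp, nonce and raw body, so any change to
    the body or to the anti-replay fields invalidates the signature."""
    msg = f"{timestamp}.{nonce}.".encode() + body
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def build_create_user_request(secret, username, now=None, nonce=None, extra=None):
    """Third-party side: build headers and body for a create-account call.
    The secret itself never leaves this side; only the signature does."""
    payload = {"username": username}
    if extra:
        payload.update(extra)
    body = json.dumps(payload, sort_keys=True).encode()
    ts = int(now if now is not None else time.time())
    nonce = nonce or secrets.token_hex(16)
    headers = {
        "X-Timestamp": str(ts),
        "X-Nonce": nonce,
        "X-Signature": sign_request(secret, body, ts, nonce),
    }
    return headers, body


class AccountService:
    """Receiving side: verify the partner's request, then create a user
    record that holds the username and a pointer to who authenticates it,
    but no password."""

    def __init__(self, secret, now=time.time):
        self.secret = secret
        self.now = now
        self.users = {}          # username -> record (never a password)
        self.seen_nonces = set()  # in-memory replay cache; a real service
                                  # would bound this by the skew window

    def handle_create_user(self, headers, body):
        try:
            ts = int(headers["X-Timestamp"])
            nonce = headers["X-Nonce"]
            sig = headers["X-Signature"]
        except (KeyError, ValueError):
            return 401, "missing or malformed auth headers"
        if abs(self.now() - ts) > SKEW_SECONDS:
            return 401, "stale timestamp"
        if nonce in self.seen_nonces:
            return 401, "replayed nonce"
        expected = sign_request(self.secret, body, ts, nonce)
        # Constant-time compare: a plain == would leak timing information.
        if not hmac.compare_digest(expected, sig):
            return 401, "bad signature"
        self.seen_nonces.add(nonce)  # only record nonces of valid requests

        data = json.loads(body)
        username = data.get("username")
        if not isinstance(username, str) or not username:
            return 400, "username required"
        if "password" in data:
            # Password authentication is deferred to the partner site,
            # so a password is never accepted, let alone stored.
            return 400, "password must not be sent; authentication is delegated"
        if username in self.users:
            return 409, "user exists"
        self.users[username] = {"username": username, "auth_provider": "partner-site"}
        return 201, "created"
```

The replay cache and clock-skew window matter because a shared-secret MAC alone lets anyone who captures a valid request resend it; TLS prevents capture on the wire but not on either endpoint's logs or proxies. Rotating the shared secret is only possible because the end user's password is never part of this exchange.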