[thelist] FW: B2B Seamless login

Luther, Ron ron.luther at hp.com
Thu Dec 2 09:07:48 CST 2004


Les Lytollis asked an interesting question:

>>I develop and maintain a uniform ordering application for 
>>business-to-business use. 

>>One question we have been asked a number of times by customers is 

>>"can our users log in using the name and password they are 
>>given to use our intranet".


Hi Les,

Neat question ... and I hope you get some neat answers from folks that 
understand this stuff better than me.  ;-)

However, I think you mean something slightly different than what you 
asked:

(A) Can a user log into a company intranet with a name and password 
and then use that same name and password when they log in (again) to 
your app? ... Sure ... I think it's a "bad idea" ... but I would guess 
that your current app would offer this functionality now. 

(B) I think what you're looking for is having a user log into a company 
intranet with a name and password and then NOT have to enter any userid 
or password when they access your site from their favorites menu in 
their browser.

I don't think so. (Sure, you could turn off all of your security 
validation - but I doubt that would make folks happy.) I also doubt 
that either your company lawyers or the client company lawyers would 
be happy with you having a (potentially hackable) list of client 
company internal access login ids and passwords ... Tell you what ... 
You get a lot of people to put up apps like that and *I* will go back 
to school for a degree in litigating web liability issues! 
<smells easy money and rubs hands gleefully />   ;-)  


What I think you *might* be able to do is have the client company put 
a desktop icon on their users' machines ... that icon could run an app 
to verify their internal NT authentication type stuff and match that 
to a separate db table (located at the client company) that contained 
a userid and password to allow _that_ employee to access your service.  
After validation, this app should be able to launch a browser window 
and send you an encrypted, SSL, moo, baa, whatever 'get' request with 
the login information to your service - which you could then validate 
on your end.  My guess is that is as close as you are going to get ... 
it wouldn't work from their 'favorites' menu ... but it would get around 
having them type in a separate login for your service.


Good Luck and HTH,

RonL.

<side question /> What do you do today about a company that lays off 
an employee that has authority to place orders with you on their 
behalf?  What prevents that disgruntled now ex-employee from placing a 
few million dollars worth of orders with you after they stop off at 
the pub on their way home that evening?  Does your service agreement 
cover order cancellation and restocking fees for those situations?
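
One way to build the launcher-to-service 'get' request described in the message above, as an added example that is not part of the original post: instead of putting a stored password in the request, the launcher sends a short-lived HMAC-signed userid, so nothing reusable ends up in the URL. The shared key, account names, mapping table and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

SHARED_KEY = b"constructed-demo-key"  # assumption: secret shared by launcher and service
MAX_AGE = 60                          # seconds a login request stays valid
# Constructed mapping table held at the client company:
# internal (NT) account -> userid on the ordering service.
MAPPING = {"CORP\\alice": "acme-buyer-17"}


def _mac(uid, ts, nonce):
    msg = f"{uid}|{ts}|{nonce}".encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()


def build_login_query(nt_user, now=None, mapping=MAPPING):
    """Launcher side: query string for the login 'get' request, or None when
    the internal account has no mapping row (for example, removed at layoff)."""
    uid = mapping.get(nt_user)
    if uid is None:
        return None
    ts = str(int(time.time() if now is None else now))
    nonce = secrets.token_hex(8)
    return f"uid={uid}&ts={ts}&nonce={nonce}&mac={_mac(uid, ts, nonce)}"


def validate_login_query(query, now=None, seen=None):
    """Service side: the userid if the request is authentic, fresh and not
    replayed; otherwise None. `seen` is a set of nonces already accepted."""
    try:
        f = dict(part.split("=", 1) for part in query.split("&"))
        uid, ts, nonce, mac = f["uid"], f["ts"], f["nonce"], f["mac"]
        age = (time.time() if now is None else now) - int(ts)
    except (KeyError, ValueError):
        return None
    if not hmac.compare_digest(_mac(uid, ts, nonce).encode(), mac.encode()):
        return None  # forged or altered request
    if not 0 <= age <= MAX_AGE:
        return None  # stale request (or a timestamp from the future)
    if seen is not None:
        if nonce in seen:
            return None  # replay of a request already accepted
        seen.add(nonce)
    return uid
```

Because the launcher only signs requests for accounts present in the client company's mapping table, deleting an employee's row there stops new login requests for that employee.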

