Login Once to Access Two Sites

[Jeff]

Using 1.1...
I want to enable users to authenticate to one site, then be transferred to a
2nd site without having to also log in there. In other words, authenticating
to site1 automatically authenticates users in site2. FWIW: These two sites
are at different domain names, but they are on the same server and I have
complete administrative control over both.

Can this be done? If so, I'd appreciate some high-level direction.

Thanks!

 

[Brock Allen]

If they were on the same server, then it's be no problem as it's easy enought
o share the Forms Auth cookie across the two as long as <machineKey> is sync'd
across the two apps. But since this is cross domain, then you're going to
have to build some sort of auth handshake between the two sites (sort of
what passport does). It's not hard, but also it's not trivial.

The high level design would be something like the user hits site 1 and auths.
When you want them to then access site 2 (diff domain) then site 1 would
have to build some sort of link with a querty string for site 2. The query
string would have to contain the username that was used to auth at site 1.
It would also have to be encrypted with a key that site 2 would be able to
decrypt. The user hits the link to hit site 2. Site 2 decrypts the query
string and now knows who the user is.

At least this is the high level idea.... I don't have anymore details than
this though. And there are probabaly more secure and/or spohisticated approaches
to this. Perhaps posting in the security newsgroup you'd get people with
ideas and/or links for samples on this.