SSO between two websites
-
Doing some research on this, it seems to be a limited experience. How would you guys go about getting this setup?
From what I can find, creating a 3rd site to generate the sso cert, and authenticating both sites with that cert is the standard.
Are there any better ways, I'm not sure that producing a 3rd site can be used with an existing half of the 2 sites already in production.
-
Depends on the site... Many places are using Facebook, Amazon, Twitter, or Google to handle their authentication. But you could roll your own with something like shibboleth, simplesaml, or WSO2.
-
Like @coliver says, lots of ways to skin that cat, would depend on the site, the goals, the situation.
-
@coliver and @scottalanmiller the issue that (maybe I'm over complicating) is that there is already 1 of the sites up and in use with user credentials being stored somewhere.
I'll have to get the details on this setup, but had my concerns about trying to bring in some third party SSO solution.
-
@DustinB3403 said in SSO between two websites:
@coliver and @scottalanmiller the issue that (maybe I'm over complicating) is that there is already 1 of the sites up and in use with user credentials being stored somewhere.
I'll have to get the details on this setup, but had my concerns about trying to bring in some third party SSO solution.
Can the site in question do some kind of SSO integration? That's a big question in and of itself. Some CMS tools can some can't.
-
@coliver Not sure, yet, I have a meeting on Monday to try and determine what is currently in place, and see what can be done from there.
-
@DustinB3403 said in SSO between two websites:
@coliver Not sure, yet, I have a meeting on Monday to try and determine what is currently in place, and see what can be done from there.
So from my experience, however limited, SSO is often used as an authentication mechanism. Rarely does it also act as the user repository or do any authorization. Even when passing groups as claims the requesting party decides what those claims mean. So if you have a current user repository often the idp or SP just authenticates those current users.
-
@coliver yeah SSO is simply an authentication mechanism, but how it's implemented, and with what software. Is what I was curious others have done between multiple websites.
As it is now, there is 1 website in place, with user authentication that is functional.
We've been asked to setup a separate website, and to come up with some ideas on what can be done so the user doesn't have to authenticate (or even realize) they've gone to a separate website.
SSO or web restrictions based on the originating link have been discussed.
-
@DustinB3403 said in SSO between two websites:
@coliver yeah SSO is simply an authentication mechanism, but how it's implemented, and with what software. Is what I was curious others have done between multiple websites.
As it is now, there is 1 website in place, with user authentication that is functional.
We've been asked to setup a separate website, and to come up with some ideas on what can be done so the user doesn't have to authenticate (or even realize) they've gone to a separate website.
SSO or web restrictions based on the originating link have been discussed.
Ah I see. Moving to an SSO/Federation system would help there.
Does it need to be that difficult though? I wonder if it is possible to port over the user table to the new website at regular intervals. They'd still have to sign in though so that may not be worthwhile.
-
@coliver said in SSO between two websites:
@DustinB3403 said in SSO between two websites:
@coliver yeah SSO is simply an authentication mechanism, but how it's implemented, and with what software. Is what I was curious others have done between multiple websites.
As it is now, there is 1 website in place, with user authentication that is functional.
We've been asked to setup a separate website, and to come up with some ideas on what can be done so the user doesn't have to authenticate (or even realize) they've gone to a separate website.
SSO or web restrictions based on the originating link have been discussed.
Ah I see. Moving to an SSO/Federation system would help there.
They'd still have to sign in though so that may not be worthwhile.
That is the part that is looking to be avoided entirely. A smooth transition from 1 site to the other, without anyone noticing.
-
@DustinB3403 said in SSO between two websites:
@coliver said in SSO between two websites:
@DustinB3403 said in SSO between two websites:
@coliver yeah SSO is simply an authentication mechanism, but how it's implemented, and with what software. Is what I was curious others have done between multiple websites.
As it is now, there is 1 website in place, with user authentication that is functional.
We've been asked to setup a separate website, and to come up with some ideas on what can be done so the user doesn't have to authenticate (or even realize) they've gone to a separate website.
SSO or web restrictions based on the originating link have been discussed.
Ah I see. Moving to an SSO/Federation system would help there.
They'd still have to sign in though so that may not be worthwhile.
That is the part that is looking to be avoided entirely. A smooth transition from 1 site to the other, without anyone noticing.
Right. Without knowing more about it (as I'm sure you'll be doing on Monday) we can't really see what the best option is. Federation may make sense but it may be too complex for the benefits in this instance.
-
So the existing website is built on DNN, which Bitium has a SAML SSO solution which may work for this.
Still investigating.
