I am looking into options for implementing single sign-on (by which I mean a single set of user credentials authenticating against a single, shared, identity store) across a range of websites.
All of the websites nominally belong to the same organisation (and so we can assume a trusted relationship between them), but are hosted on different domains, and span different technologies, inc. .NET, Java and PHP.
We are consolidating all user profiles into a single back-end CRM system, and need some way to provide robust access to this for all current (and future) web properties.
We have a nascent SAML provider running, and the default option is to extend access to this across all the (currently) unsupported properties. Is this the best option? All the online references to SSO products (CAS, CoSign etc.) seem to be very old (2004+).
Use of the SAML protocol here makes a ton of sense. It could even allow you to federate with cloud-based services if/when your company decides to go that direction.
SAML does not require the target servers (aka “service providers” or “relying parties” in MS parlance) to be referenced using a fully qualified domain name with a common DNS root. It is also technology agnostic so it really doesn’t matter what HTTP stack the service provider is running.
I’m not sure what interfaces are available to your back-end CRM system, but LDAP or SQL connections are typically used to get identity claim information and build the SAML response.
A few Identity Provider products you may want to research include Microsoft ADFS, PortalGuard (for whom I work) and Ping.
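To make the "different domains, any HTTP stack" point concrete, here is an added example (not part of the answer above, and not the code of any of the named products) in Python's standard library. It builds the SAML 2.0 Response an IdP would assemble from claims pulled out of an LDAP/SQL-backed store, then runs the checks a service provider on each domain must perform before trusting the assertion: the `InResponseTo` matches the request it sent, the `Issuer` is the trusted IdP, the `Conditions` time window is current, and the `AudienceRestriction` names this SP's own entity ID, so an assertion issued for one site cannot be replayed against another. The entity IDs, subject and claim values are constructed for the example. XML-DSig signing and verification are deliberately left out; a real deployment must sign the assertion at the IdP and verify it at the SP with a proper XML-DSig library (e.g. xmlsec-based) before any of these checks mean anything.

```python
# Added example: minimal SAML 2.0 Response builder (IdP side) and condition
# validator (SP side), standard library only. Entity IDs and claims below are
# constructed; no XML-DSig signing is performed here (see lead-in).
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)
NS = {"samlp": SAMLP, "saml": SAML}
TS = "%Y-%m-%dT%H:%M:%SZ"


def _fmt(dt):
    return dt.astimezone(timezone.utc).strftime(TS)


def _parse(s):
    return datetime.strptime(s, TS).replace(tzinfo=timezone.utc)


def build_response(issuer, audience, subject, claims, in_response_to, now, lifetime=300):
    """IdP side: wrap claims (as fetched from the CRM via LDAP/SQL) in a Response."""
    resp = ET.Element(f"{{{SAMLP}}}Response", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _fmt(now), "InResponseTo": in_response_to})
    ET.SubElement(resp, f"{{{SAML}}}Issuer").text = issuer
    assertion = ET.SubElement(resp, f"{{{SAML}}}Assertion", {
        "ID": "_" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _fmt(now)})
    ET.SubElement(assertion, f"{{{SAML}}}Issuer").text = issuer
    subj = ET.SubElement(assertion, f"{{{SAML}}}Subject")
    ET.SubElement(subj, f"{{{SAML}}}NameID", {
        "Format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"}).text = subject
    # Conditions: short validity window plus the audience (the one SP this is for).
    cond = ET.SubElement(assertion, f"{{{SAML}}}Conditions", {
        "NotBefore": _fmt(now),
        "NotOnOrAfter": _fmt(now + timedelta(seconds=lifetime))})
    ar = ET.SubElement(cond, f"{{{SAML}}}AudienceRestriction")
    ET.SubElement(ar, f"{{{SAML}}}Audience").text = audience
    stmt = ET.SubElement(assertion, f"{{{SAML}}}AttributeStatement")
    for name, value in claims.items():
        attr = ET.SubElement(stmt, f"{{{SAML}}}Attribute", {"Name": name})
        ET.SubElement(attr, f"{{{SAML}}}AttributeValue").text = value
    return ET.tostring(resp, encoding="unicode")


def validate_response(xml_text, trusted_issuer, my_entity_id, expected_request_id, now):
    """SP side: checks every SP must enforce (after signature verification,
    which is omitted here). Returns (ok, reason, claims)."""
    root = ET.fromstring(xml_text)
    if root.get("InResponseTo") != expected_request_id:
        return False, "InResponseTo mismatch (replay or unsolicited response)", None
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return False, "no assertion", None
    if assertion.findtext("saml:Issuer", namespaces=NS) != trusted_issuer:
        return False, "untrusted issuer", None
    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        return False, "no Conditions element", None
    if not (_parse(cond.get("NotBefore")) <= now < _parse(cond.get("NotOnOrAfter"))):
        return False, "assertion outside its validity window", None
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if my_entity_id not in audiences:
        return False, "assertion was issued for a different service provider", None
    claims = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
              for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    claims["subject"] = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    return True, "ok", claims


def run_demo():
    """Constructed scenario: one IdP, two SPs on unrelated domains."""
    idp = "https://idp.example.org/saml"                # assumed IdP entity ID
    shop_sp = "https://shop.example.com/saml/metadata"  # assumed SP entity IDs
    forum_sp = "https://forum.example.net/saml/metadata"
    claims = {"displayName": "Alice Example", "crmId": "C-1001"}  # constructed
    now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)
    xml_text = build_response(idp, shop_sp, "alice@example.com", claims, "_req42", now)
    return {
        "shop_ok": validate_response(xml_text, idp, shop_sp, "_req42", now)[0],
        "forum_rejected": not validate_response(xml_text, idp, forum_sp, "_req42", now)[0],
        "expired_rejected": not validate_response(
            xml_text, idp, shop_sp, "_req42", now + timedelta(minutes=10))[0],
        "replay_rejected": not validate_response(xml_text, idp, shop_sp, "_req99", now)[0],
        "claims": validate_response(xml_text, idp, shop_sp, "_req42", now)[2],
    }


if __name__ == "__main__":
    print(run_demo())
```

Each SP registers its own entity ID with the IdP, so the IdP issues a separate assertion per site and the audience check keeps them from being cross-played; the DNS names never need a common root. A PHP or Java SP implements exactly the same checks, which is why the stack behind each site does not matter.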