I’m investigating how to authenticate a user against domain abc.com and then allow them to access a secure area of site xyz.com without logging for a second time.
After a bit of reading, the following solution looks workable:
-
A user logs into site abc.com via regular forms authentication
-
Upon successful login, a record is created in a shared database containing a guid, the username and the current date/time.
-
A security token is generated by encrypting the guid and then a redirect to site xyz.com is returned, with the security token as a querystring parameter.
-
Site xyz.com receives the incoming request, decrypts the token, finds the matching record in the database (filtered by the past minute) and then generates a forms authentication cookie for the relevant user before redirecting the user back to abc.com
The user should now have two forms authentication cookies, one for each domain.
Is this approach basically sound? Are there any good references you know of?
The approach is valid though susceptible to replay attacks. Why not just use OpenId? It can also do unsolicited assertions, which it sounds like you want to use.
OpenId does not require a shared database.