Cross logins

Victor Duchovni Victor.Duchovni at MorganStanley.com
Wed Aug 3 21:02:39 EDT 2005


On Wed, Aug 03, 2005 at 03:15:00PM -0700, James A. Donald wrote:

>     --
> Is it possible for two web sites to arrange for cross 
> logins?
> 
> The goal is that if someone is logged into website 
> https://A.com as user127, and then browses to 
> https://B.com/A_com_registrants, he will be 
> automatically logged in on b.com as user127 at A.com
> 

This requires B to trust A, and trust requires a shared key or
equivalently a trusted introducer. Given a shared key, A is able to sign
(shared secret HMAC, public/private keys or signed Kerberos message)
assertions about the user for B's consumption. The signature can be
in a referral URL.

    http://A.com/federated_login.cgi?d=B.com&user=user127&expiration=epochtime&signature=<base64data>&url=...

Absent a valid cookie for a B session, B redirects the user to A's
federated login generator page (passing B's name and the url the user
wanted), and A redirects the user back to B's federated login verification
page passing back the authentication data and the original url, so the user
is taken to the right place after the credentials are verified.

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.
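The HMAC variant of the scheme above, as an added example that is not from the original post: site A signs the fields from the referral URL shown above with a key shared with B, and B checks audience (`d`), expiry, return URL and signature before creating its session. The shared key, the `/federated_login_verify` endpoint name and the canonical field ordering are assumptions.

```python
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret; in practice provisioned out of band between A and B.
SHARED_KEY = b"constructed-shared-key-between-A-and-B"
# Field order is part of the protocol: A and B must MAC identical bytes.
SIGNED_FIELDS = ("d", "user", "expiration", "url")


def _mac(params):
    # Canonical message over the signed fields, in fixed order.
    msg = "&".join(f"{k}={params[k]}" for k in SIGNED_FIELDS).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).digest()


def make_referral(user, relying_party, return_url, ttl=300, now=None):
    """Site A: build the signed referral URL to B's verification page (assumed name)."""
    now = int(time.time()) if now is None else now
    params = {"d": relying_party, "user": user,
              "expiration": str(now + ttl), "url": return_url}
    params["signature"] = base64.urlsafe_b64encode(_mac(params)).decode()
    return f"https://{relying_party}/federated_login_verify?{urlencode(params)}"


def verify_referral(referral_url, my_name, now=None):
    """Site B: return (user, url) if the assertion is valid for us, else None."""
    now = int(time.time()) if now is None else now
    q = parse_qs(urlsplit(referral_url).query)
    try:
        params = {k: q[k][0] for k in SIGNED_FIELDS}
        expiration = int(params["expiration"])
        sig = base64.urlsafe_b64decode(q["signature"][0])
    except (KeyError, ValueError):
        return None                                  # malformed or missing fields
    if params["d"] != my_name:                       # issued for some other site
        return None
    if expiration < now:                             # outside the replay window
        return None
    if urlsplit(params["url"]).netloc != my_name:    # only redirect within B
        return None
    if not hmac.compare_digest(sig, _mac(params)):   # constant-time comparison
        return None
    return params["user"], params["url"]
```

B should additionally remember recently accepted signatures until they expire, since an HMAC alone does not stop replay inside the expiration window.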

---------------------------------------------------------------------
The Cryptography Mailing List