Daniel Roberts wrote:
> 1) 3rd party app sends user to page in our app, and all is well if already logged in
> 2) if not already logged in, we send user to an auto-login page at 3rd party app
> 3) 3rd party app submits credentials on the server-side to our app through secure connection
> 4) if credentials accepted, our app returns a one time use login key
> 5) 3rd party app sends user to our app again with login key and they are logged in automatically and continue to desired page
>
> This will work but is there a simpler way?

Use an off-the-shelf product that implements this, like Shibboleth or A-Select. If you are coding this yourself you can optimize the design a little bit by switching whether your app calls their app or vice versa, but that doesn't change the complexity significantly. Or use a different scheme like the trusted third party model of HTTP Digest Authentication (I don't know how well browsers support that).

> I do not have much experience with https but I'm under the impression that an
> https page at one domain cannot securely send data to an https page at
> another domain.

Sure it can, but all it would solve is that one app logs on in the other app, not that the browser logs on to the other app. What you really need is to force the browser to submit credentials supplied by app A to app B without disclosing those credentials to the user. I don't think HTTP and HTML provide a way to do that.

Jochem

Archive: http://www.houseoffusion.com/groups/CF-Talk/message.cfm/messageid:296205
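
Steps 4 and 5 of the flow quoted above, as an added example that is not part of the original thread: a minimal server-side store that issues a login key and accepts it exactly once within a short lifetime. The class name, method names, the 60-second lifetime and the in-memory dictionary are assumptions made for illustration; a real deployment would keep pending keys in storage shared by all application servers.

```python
import hashlib
import secrets
import time


class LoginKeyStore:
    """Hypothetical store for one-time login keys (steps 4 and 5 of the flow)."""

    def __init__(self, ttl_seconds=60, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # sha256(key) -> (username, expiry time)

    @staticmethod
    def _digest(key):
        # Only a hash of the key is stored, so a leaked copy of the store
        # does not reveal keys that could still be redeemed.
        return hashlib.sha256(key.encode("utf-8")).hexdigest()

    def issue(self, username):
        """Step 4: call only after the server-side credential check succeeded."""
        key = secrets.token_urlsafe(32)  # 32 random bytes from the OS CSPRNG
        self._pending[self._digest(key)] = (username, self._clock() + self._ttl)
        return key

    def redeem(self, key):
        """Step 5: return the username on first use, None on any failure."""
        # pop() removes the entry, so a replayed key finds nothing.
        entry = self._pending.pop(self._digest(key), None)
        if entry is None:
            return None
        username, expiry = entry
        if self._clock() > expiry:
            return None
        return username


if __name__ == "__main__":
    store = LoginKeyStore()
    key = store.issue("example-user")    # constructed sample username
    print(store.redeem(key))             # first redemption succeeds
    print(store.redeem(key))             # replay of the same key is rejected
```

Because the key travels through the browser in step 5, the short lifetime and single use are what limit the value of a key that ends up in browser history, a proxy log or a Referer header.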

