Hi Richard

Thanks for the feedback. I'm thinking along the same lines as you. Slapping the login parameters to the request is definitely not pretty even if the traffic is sent over SSL.

The two systems are completely different and also geographically separate. So there is no "quick" solution other than the login parameters.

-will

On 20.12.2011, at 12:22, Unger, Richard wrote:

> Hi Will,
>
> Interesting Problem - doesn't sound that easy.
>
> As you say, you could simply pass along the userId, for example as a GET
> parameter in the link. The security of such a solution is doubtful, at the
> very least I would recommend using encryption --> i.e. extranetA encrypts the
> userid using a secret key, extranetB decrypts the userid with the same key.
> Not knowing the key, external attackers cannot easily fake logins. By
> including a timestamp in the encrypted token you can also prevent "replay
> attacks" outside a narrow time-window.
> Even this solution will be some work:
> --> each link from A to B will have to be rendered including the token
> --> the magnolia instance will need a login-module capable of handling the
> token
>
> It might be a similar amount of work to set up a "real" identity provider for
> SSL.
> If your two apps are running on the same server (or nearby) you can use
> tomcat SSO, possibly with a tomcat cluster.
> If your two apps are running on different servers or use different
> architectures, you could use something like Shibboleth/SAML.
> In this case you would presumably still need to create a login-module, but
> would not need to render the links with any special tokens, or do any
> encryption yourself.
>
> Regards from Vienna,
>
> Richard
>
>
> -----Original Message-----
> From: [email protected]
> [mailto:[email protected]] On behalf of Will Scheidegger
> Sent: Tuesday, 20 December 2011 09:11
> To: Magnolia User-List
> Subject: [magnolia-user] faking a single sign-on?
>
> Dear Magnolians
>
> We were asked if we could "connect" two separate extranets in the manner that
> when a user is logged into extranet A (not Magnolia) he/she can only click on
> a link to access extranet B (Magnolia CE) without further login. Now, this
> could be achieved quite easily by passing along the mgnlUserId and mgnlPSWD
> parameters, but I was wondering if there are other ways to do this without
> implementing a full blown single sign on solution?
>
> Thanks for your pointers!
>
> -will
>
> ----------------------------------------------------------------
> For list details, see http://www.magnolia-cms.com/community/mailing-lists.html
> Alternatively, use our forums: http://forum.magnolia-cms.com/ To unsubscribe,
> E-mail to: <[email protected]>
> ----------------------------------------------------------------
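Richard's sketch above (a userid plus timestamp bound to a shared secret on extranet A, checked by a login-module on extranet B, with a narrow time window against replay) as an added, runnable example. This is illustration code written for this thread; it is neither poster's code and not Magnolia's login-module API. It uses an HMAC-signed token instead of encryption (Python's standard library has no authenticated encryption, and integrity is what stops a forged userid), so the user id stays readable in the link; if the id must also be hidden, an AEAD cipher with the same timestamp and nonce fields would replace the HMAC. `SHARED_KEY`, `make_token`, `TokenVerifier`, the `ssoToken` parameter name and the 60-second window are all assumptions.

```python
"""Time-limited signed login token for a link from extranet A to extranet B.

Example code written for the mailing-list thread above; not Magnolia's own
login-module and not code from either poster. Every name here is an assumption.
"""
import base64
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional
from urllib.parse import urlencode

# Assumption: a 32-byte secret provisioned out-of-band on both systems.
# Constructed demo value only; a real deployment generates and stores its own.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
MAX_AGE_SECONDS = 60   # the "narrow time-window" from the thread (assumed value)
MAX_CLOCK_SKEW = 5     # tolerate small clock differences between A and B


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(user_id: str, key: bytes = SHARED_KEY, now: Optional[float] = None) -> str:
    """Extranet A side: bind user id, issue time and a random nonce under an HMAC."""
    issued_at = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    payload = f"{user_id}|{issued_at}|{nonce}".encode("utf-8")
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(mac)}"


def build_link(base_url: str, user_id: str, key: bytes = SHARED_KEY) -> str:
    """Render a link into extranet B carrying the token as a query parameter."""
    return f"{base_url}?{urlencode({'ssoToken': make_token(user_id, key)})}"


class TokenVerifier:
    """Extranet B side (what a login-module would call).

    Rejects tokens with a bad MAC, tokens outside the time window, and
    replays of a nonce that has already been accepted within the window.
    """

    def __init__(self, key: bytes = SHARED_KEY):
        self.key = key
        self._seen: Dict[str, int] = {}   # nonce -> issued_at, for replay detection

    def verify(self, token: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user id if the token is valid, else None."""
        now = int(time.time() if now is None else now)
        try:
            payload_b64, mac_b64 = token.split(".")
            payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        except ValueError:               # wrong shape or bad base64 (binascii.Error)
            return None
        expected = hmac.new(self.key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):   # constant-time comparison
            return None
        try:
            user_id, issued_str, nonce = payload.decode("utf-8").split("|")
            issued_at = int(issued_str)
        except ValueError:
            return None
        if issued_at > now + MAX_CLOCK_SKEW or now - issued_at > MAX_AGE_SECONDS:
            return None                              # outside the window
        # Replay check: only nonces younger than the window need to be remembered.
        self._seen = {n: t for n, t in self._seen.items() if now - t <= MAX_AGE_SECONDS}
        if nonce in self._seen:
            return None
        self._seen[nonce] = issued_at
        return user_id


if __name__ == "__main__":
    link = build_link("https://extranet-b.example/login", "alice")
    token = link.split("ssoToken=")[1]
    print(link)
    print("first use  :", TokenVerifier().verify(token))
```

Two practical points when turning this into a real login-module: the nonce cache here is in-process memory, so a clustered extranet B needs a shared store for it, and the window only works if the two systems' clocks agree to within `MAX_CLOCK_SKEW`.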
