Trusted Shared Authentication

Jason Tang dragor at jml.net
Wed Jul 30 14:46:11 BST 2008


Overview:

We have web apps X and Y and they share the table that allows you to map a
username to an id and also to LDAP. Apps X and Y are different webapps that
provide different functionality and are intentionally separated. However,
there's a requirement that a user who can authenticate on one app can click
through to the other without the need to reauthenticate.

Thoughts:

The easiest solution I can think of is to provide a link on app X that passes
the user id over (possibly encoded to try to avoid people playing with URLs)
and within app Y check the referrer and that the user id exists, then allow
them to assume that identity.

The other route I've thought about, but haven't done a huge amount of
investigation into, is to use something like OpenID internally. This may be
overkill. Also, the 'trusted website' should be forced at an application level
rather than having the user decide if they should or shouldn't.

A shared session is not a route we'd like to go down.

Anyone have interesting ideas to solve this?

Many thanks in advance

Jason

-- 
Jason Tang  - email: jason at dragor.net - msn: jason-msn at dragor.net
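As an added example (not from Jason's post or anything on the london.pm list), here is one way to implement the click-through from app X to app Y without relying on the referrer or on an obfuscated user id: app X signs a short-lived, single-use token with a secret shared only by the two apps, and app Y checks the HMAC, the intended audience, the expiry, that the user id exists in the shared table, and that the token has not been used before, and only then adopts the identity. The language (Python), the shared secret, the handoff URL, the in-memory user table, and the claim names are all assumptions made for the illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed values for this example. The secret is assumed to be provisioned
# out of band to app X and app Y and never travels in a URL.
SHARED_SECRET = b"example-secret-shared-by-app-x-and-app-y"
TOKEN_TTL_SECONDS = 60
APP_Y_HANDOFF_URL = "https://y.example.test/handoff"   # hypothetical endpoint on app Y

# Constructed stand-in for the shared username -> id table both apps read.
USERS = {"alice": 1001, "bob": 1002}


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def _encode_claims(claims: dict) -> bytes:
    # Canonical encoding so the signed bytes are reproducible on both sides.
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()


def make_handoff_link(user_id, *, now=None, secret=SHARED_SECRET):
    """App X side: build the click-through link carrying a signed, expiring, single-use token."""
    issued_at = int(time.time()) if now is None else int(now)
    claims = {
        "uid": user_id,
        "aud": "app-y",               # only app Y should accept this token
        "iat": issued_at,
        "exp": issued_at + TOKEN_TTL_SECONDS,
        "jti": secrets.token_hex(8),  # random one-time id so app Y can refuse replays
    }
    payload = _encode_claims(claims)
    token = _b64e(payload) + "." + _b64e(_sign(payload, secret))
    return APP_Y_HANDOFF_URL + "?" + urlencode({"token": token})


class HandoffVerifier:
    """App Y side: adopt the identity only if every check passes."""

    def __init__(self, secret=SHARED_SECRET, users=USERS):
        self.secret = secret
        self.users = users
        self.used_ids = set()  # consumed jti values (in memory here; a shared store in production)

    def verify(self, link, *, now=None):
        """Return (user_id, None) on success or (None, reason) on failure."""
        token = parse_qs(urlsplit(link).query).get("token", [""])[0]
        if token.count(".") != 1:
            return None, "malformed"
        payload_b64, sig_b64 = token.split(".")
        try:
            payload, sig = _b64d(payload_b64), _b64d(sig_b64)
        except (ValueError, binascii.Error):
            return None, "malformed"
        # Verify the MAC first; nothing in the payload is trusted until this passes.
        if not hmac.compare_digest(sig, _sign(payload, self.secret)):
            return None, "bad signature"
        claims = json.loads(payload)
        now = int(time.time()) if now is None else int(now)
        if claims.get("aud") != "app-y":
            return None, "wrong audience"
        if now >= claims.get("exp", 0):
            return None, "expired"
        if claims.get("uid") not in self.users.values():
            return None, "unknown user"
        if claims.get("jti") in self.used_ids:
            return None, "replayed"
        self.used_ids.add(claims["jti"])
        return claims["uid"], None


def tamper_uid(link, new_uid):
    """What someone 'playing with URLs' can do: swap the uid but keep app X's signature."""
    payload_b64, sig_b64 = parse_qs(urlsplit(link).query)["token"][0].split(".")
    claims = json.loads(_b64d(payload_b64))
    claims["uid"] = new_uid
    return APP_Y_HANDOFF_URL + "?" + urlencode({"token": _b64e(_encode_claims(claims)) + "." + sig_b64})


if __name__ == "__main__":
    link = make_handoff_link(USERS["alice"])
    y = HandoffVerifier()
    print("first visit :", y.verify(link))
    print("replay      :", y.verify(link))
    print("tampered uid:", y.verify(tamper_uid(link, USERS["bob"])))
```

The referrer check and the "encoded" id are left out on purpose: the Referer header and the URL are both under the browser's control, so app Y cannot treat them as evidence that app X vouched for the user. What makes the link unforgeable is the HMAC over the claims with a secret the browser never sees, and the short expiry plus the one-time `jti` limit what a leaked link (browser history, proxy logs) is worth. The application-level trust Jason wants is then expressed by which apps hold the secret and by the `aud` claim, not by any user decision.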
