True or False: cross-domain SSO always requires a third party identity provider

3
votes

I currently have several websites which live on separate domains:

www.app1.com

www.app2.com

www.app3.com

Each has its own authentication mechanism - some query active directory via web service, others have their own user database.

The goal is to have Single Sign On through some technology or product that doesn't require users to re-enter passwords when they visit pages across domains.

Question: Reviewing SAML, it appears that a cross-domain SSO solution will always require a third party Identity Provider to authenticate users, e.g.:

www.my-master-login.com

Is this true?

If so, does it follow that each existing website will need to be updated so that its authentication is handled by the third-party site?

1
authenticationarchitectureloginsingle-sign-on

1 Answers

5
votes

I think it depends what you mean by third-party. I would look at how Wikimedia does it. They don't currently use OpenID or anything like that. Instead, their CentralAuth service (see also Help:Unified login just provides cookies for all the major sites (wikipedia.org, wiktionary.org, wikinews.org) when you log on to any given site. There is no master site so it doesn't matter which site you log on to first. The cookies are embedded in images on the logon page.

But yes, each website will need to be updated somehow.