Hi Will,

Interesting problem - doesn't sound that easy.

As you say, you could simply pass along the userId, for example as a GET parameter in the link. The security of such a solution is doubtful; at the very least I would recommend using encryption --> i.e. extranetA encrypts the userid using a secret key, extranetB decrypts the userid with the same key. Not knowing the key, external attackers cannot easily fake logins. By including a timestamp in the encrypted token you can also prevent "replay attacks" outside a narrow time-window.

Even this solution will be some work:
--> each link from A to B will have to be rendered including the token
--> the magnolia instance will need a login-module capable of handling the token

It might be a similar amount of work to set up a "real" identity provider for SSL.

If your two apps are running on the same server (or nearby) you can use tomcat SSO, possibly with a tomcat cluster.

If your two apps are running on different servers or use different architectures, you could use something like Shibboleth/SAML. In this case you would presumably still need to create a login-module, but would not need to render the links with any special tokens, or do any encryption yourself.

Regards from Vienna,
Richard

-----Original Message-----
From: [email protected] [mailto:[email protected]] On behalf of Will Scheidegger
Sent: Tuesday, 20 December 2011 09:11
To: Magnolia User-List
Subject: [magnolia-user] faking a single sign-on?

Dear Magnolians

We were asked if we could "connect" two separate extranets in the manner that when a user is logged into extranet A (not Magnolia) he/she can only click on a link to access extranet B (Magnolia CE) without further login. Now, this could be achieved quite easily by passing along the mgnlUserId and mgnlPSWD parameters, but I was wondering if there are other ways to do this without implementing a full-blown single sign-on solution?

Thanks for your pointers!

-will

----------------------------------------------------------------
For list details, see http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <[email protected]>
----------------------------------------------------------------
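
The encrypted, timestamped token suggested in the reply above, as an added example that is not part of the original thread and is not Magnolia code. It uses AES-GCM from the JDK so that an altered token fails decryption; the class and method names, the token layout (nonce, then encrypted issue time and user id), the 60-second window and the sample user id are all assumptions.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;

// Added illustration; class/method names and the 60 s window are assumptions.
public class SsoToken {
    private static final int IV_LEN = 12, TAG_BITS = 128;
    private static final long MAX_AGE_MS = 60_000; // assumed "narrow time-window"
    private static final SecureRandom RNG = new SecureRandom();

    // Extranet A: encrypt (issue time, userId) under the shared key for use in the link.
    static String issue(byte[] key, String userId, long nowMs) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv); // fresh nonce per token; never reuse one with the same key
        byte[] uid = userId.getBytes(StandardCharsets.UTF_8);
        byte[] plain = ByteBuffer.allocate(8 + uid.length).putLong(nowMs).put(uid).array();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain); // ciphertext with the 16-byte auth tag appended
        return Base64.getUrlEncoder().withoutPadding()
                .encodeToString(ByteBuffer.allocate(IV_LEN + ct.length).put(iv).put(ct).array());
    }

    // Extranet B login module: returns the userId, or throws if forged, altered or stale.
    static String verify(byte[] key, String token, long nowMs) throws GeneralSecurityException {
        byte[] raw = Base64.getUrlDecoder().decode(token);
        if (raw.length < IV_LEN + 8 + TAG_BITS / 8) throw new GeneralSecurityException("token too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, raw, 0, IV_LEN));
        byte[] plain = c.doFinal(raw, IV_LEN, raw.length - IV_LEN); // AEADBadTagException if tampered
        long issued = ByteBuffer.wrap(plain).getLong();
        if (Math.abs(nowMs - issued) > MAX_AGE_MS) throw new GeneralSecurityException("token expired");
        return new String(plain, 8, plain.length - 8, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = new byte[32]; // constructed demo key; a real one is shared out of band
        RNG.nextBytes(key);
        long t0 = System.currentTimeMillis();
        String token = issue(key, "alice", t0); // "alice" is a constructed sample user id
        System.out.println(verify(key, token, t0 + 5_000)); // inside the window
        try { verify(key, token, t0 + 120_000); }           // outside the window
        catch (GeneralSecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

The timestamp check only works if the clocks of the two servers are roughly in sync, and a token can still be replayed inside the window, so the window should be kept short because the link URL can end up in logs and Referer headers.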
