[Product-Developers] Single sign on across heterogeneous systems

Martin Aspeli optilude at gmx.net
Mon Jun 30 21:44:18 UTC 2008


Hi all,

I have a Plone site that will maintain a member database and content. 
One part of the site will go off to a "white labelled" (i.e. same style 
sheet and template) shop system hosted by a third party, on completely 
separate infrastructure. The shop will live on shop.domain.com and the 
Plone site on domain.com.

I would like to support single sign-on and shared member data across 
these two sites. In particular, users should only sign onto the Plone 
site. When they enter the shop, they should appear logged in there if 
they were logged into the Plone site (if they're not, there'll be a "log 
in" link that goes back to the Plone site). Member data should only be 
held in one place, the Plone site.

The shop site thus needs some way to:

  - Find out if the current user is logged into the Plone site

  - Retrieve member data for the current user

I'm wondering what the best approach for this might look like. The best 
approach I can think of, is to always pass a unique, time-limited ID 
from Plone site to shop when users click any link in the Plone site that 
goes to the shop. This ID would be mapped to a Plone session. The site 
then does a server-side call-back over HTTP to the Plone site, asking if 
the user with the given ID has a valid session, and if so receiving 
member data in the response.

This may work, but it's a bit clunky. It won't work if users have 
bookmarks to the shop or hit it via some other URL. And it may make 
session theft easier.

What better approaches are there? Do we have any tools for this? Could a 
solution potentially be generalised (in which case I'd like to do so and 
open source it)?

Cheers,
Martin

-- 
Author of `Professional Plone Development`, a book for developers who
want to work with Plone. See http://martinaspeli.net/plone-book
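The hand-off sketched in the post (a random, time-limited ID that is mapped to a Plone session, which the shop then redeems with a server-side callback) written out as a runnable sketch. This is an added example, not code from the original post or from Plone: the session table, the 60-second TTL, the shared shop API key and all function names are assumptions, and the "callback" is a plain function call standing in for the HTTPS request the shop would make to domain.com.

```python
"""Sketch of the 'time-limited ID plus server-side callback' hand-off.

Constructed example: the Plone side keeps an in-memory table of sessions and
outstanding hand-off tokens; the shop side 'calls back' with a function call
where a real deployment would make an HTTPS request. All names, the TTL and
the shared secret are assumptions made for illustration.
"""
import hmac
import secrets
import time

HANDOFF_TTL_SECONDS = 60                # assumed: how long a hand-off link is valid
SHOP_API_KEY = "shop-callback-secret"   # assumed shared secret; really from config

# --- Plone side (domain.com) ----------------------------------------------

# Constructed sample session table: session id -> member data and session expiry
PLONE_SESSIONS = {
    "sess-alice": {"member": "alice", "email": "alice@example.org", "expires": 10_000.0},
    "sess-bob":   {"member": "bob",   "email": "bob@example.org",   "expires": 10_000.0},
}

# Outstanding hand-off tokens: token -> (session id, token expiry). Single use.
_handoffs = {}


def plone_issue_handoff(session_id, now=None):
    """Called when a logged-in user clicks a link from the Plone site to the shop.

    Returns an opaque random token mapped server-side to the session; the
    token itself carries no user data, so the URL reveals nothing if logged.
    """
    now = time.time() if now is None else now
    session = PLONE_SESSIONS.get(session_id)
    if session is None or session["expires"] <= now:
        raise PermissionError("no valid Plone session")
    token = secrets.token_urlsafe(32)
    _handoffs[token] = (session_id, now + HANDOFF_TTL_SECONDS)
    return token


def plone_redeem_handoff(token, api_key, now=None):
    """Server-side callback endpoint: exchange a hand-off token for member data.

    Checks that the caller is the shop (shared secret), that the token exists
    and is unexpired, and that the underlying Plone session is still valid.
    The token is consumed on first use, so a leaked or bookmarked URL cannot
    be replayed to steal the session. Returns None on any failure.
    """
    now = time.time() if now is None else now
    if not hmac.compare_digest(api_key, SHOP_API_KEY):
        return None
    entry = _handoffs.pop(token, None)      # single use, even if later checks fail
    if entry is None:
        return None
    session_id, token_expiry = entry
    if token_expiry <= now:
        return None
    session = PLONE_SESSIONS.get(session_id)
    if session is None or session["expires"] <= now:
        return None
    return {"member": session["member"], "email": session["email"]}


# --- Shop side (shop.domain.com) ------------------------------------------

def shop_landing(query_token, now=None, redeem=plone_redeem_handoff):
    """What the shop does on arrival.

    `redeem` stands in for the HTTPS call back to domain.com. With no token
    (a bookmark, a direct hit) or a rejected token the user is anonymous and
    gets a 'log in' link back to the Plone site; otherwise the member data is
    returned and the shop can start a session of its own.
    """
    login_page = {"logged_in": False, "login_url": "https://domain.com/login"}
    if not query_token:
        return login_page
    member = redeem(query_token, SHOP_API_KEY, now=now)
    if member is None:
        return login_page
    return {"logged_in": True, "member": member}


if __name__ == "__main__":
    t = plone_issue_handoff("sess-alice", now=1000.0)
    print(shop_landing(t, now=1010.0))   # logged in as alice
    print(shop_landing(t, now=1011.0))   # token already consumed: anonymous
```

The single-use token and the short TTL are what limit the "session theft" worry raised above: the ID in the URL is worthless after one redemption and after a minute, and it never identifies the user on its own. Authenticating the callback with a shared secret keeps anyone but the shop from redeeming tokens. What this sketch does not solve is the bookmark case: a user arriving at the shop without a fresh token is simply anonymous and gets the link back to the Plone login.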
