Single sign-on for HTTP Authentication
Posted November 26th, 2007 by wayland
This post discusses using a single sign-on across multiple domains with HTTP Authentication.
The Problem
The goal here is that an entire set of subdomains be authenticated with a single sign-on. This can be done in a session-based setting with cookies or URL rewriting. With HTTP Authentication, it may be a little more difficult.
Solutions
Immediate solution: Multiple domains in HTTP Digest
HTTP Digest authentication allows the server's challenge to list, in its domain directive, the URIs that are to be included in the realm's protection space, so the browser can send credentials to all of them after a single login. This is better than nothing, but has two problems as a solution:
- It's not as scalable as it could be. If you had a blog for each user, eg. fred.blogs.example.com and john.blogs.example.com, and had 5000 users, listing each one would be a problem, as HTTP Digest doesn't take wildcards like *.blogs.example.com
- HTTP Digest is not properly supported by Microsoft; their implementation is incompatible with the RFC and with everyone else (including Apache, the major server on the 'Net, and Firefox, the other main browser).
There are ways of working around this second problem if you're using Apache on the server side; see the "Working with MS Internet Explorer" section of the Apache mod_auth_digest documentation.
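To make the domain directive and its scalability problem concrete, here is an added example (not code from the original post) that parses a constructed Digest challenge, applies the RFC 2617 rule for deciding whether a request URI falls inside the listed protection space, and shows how large the directive gets when every per-user host must be listed explicitly. The challenge text, host names and nonce are constructed for illustration.

```python
"""Digest 'domain' directive: parsing, protection-space matching, and size."""
import re
from urllib.parse import urlsplit

# Constructed challenge: each per-user blog host must be listed as an absolute
# URI because the directive has no wildcard form; a bare path is relative to
# the challenging server's root.
CHALLENGE = ('Digest realm="blogs.example.com", qop="auth", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'domain="http://fred.blogs.example.com/ '
             'http://john.blogs.example.com/ /private/"')

def parse_challenge(header):
    """Return the Digest parameters as a dict (quoted or bare values)."""
    scheme, _, params = header.partition(' ')
    if scheme.lower() != 'digest':
        raise ValueError('not a Digest challenge')
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)
    return {k.lower(): (quoted or bare) for k, quoted, bare in pairs}

def protection_space(challenge, origin):
    """Expand the domain directive into absolute URI prefixes.
    origin is the scheme://host[:port] of the server that sent the challenge."""
    origin = origin.rstrip('/')
    doms = challenge.get('domain', '').split()
    if not doms:                      # no directive: the whole origin is the space
        return [origin + '/']
    return [d if '://' in d else origin + d for d in doms]

def in_space(uri, space):
    """RFC 2617 3.2.1: a URI is in the protection space if a listed URI is a
    prefix of it; only then may the client send credentials without a new challenge."""
    return any(uri.startswith(prefix) for prefix in space)

def domain_directive(hosts):
    """Build a domain= value with one absolute URI per host (the only option,
    since the directive cannot express *.blogs.example.com)."""
    return 'domain="' + ' '.join(f'http://{h}.blogs.example.com/' for h in hosts) + '"'

if __name__ == '__main__':
    params = parse_challenge(CHALLENGE)
    space = protection_space(params, 'http://blogs.example.com')
    for uri in ('http://fred.blogs.example.com/2007/11/post',
                'http://mary.blogs.example.com/',      # not listed: re-challenged
                'http://blogs.example.com/private/x'):
        print(uri, '->', 'in space' if in_space(uri, space) else 'outside')
    # 5000 per-user hosts: the header grows to well over 100 KB
    print(len(domain_directive(f'user{i}' for i in range(5000))), 'bytes')
```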
Medium-term solution: Get Microsoft to change
The proper solution to the second part of the problem is to get Microsoft to change their browser. After you stop laughing at the idea.
Long-term solution: More RFC changes
The solution to the first problem (listed under "Immediate solution", above) would be to modify the HTTP Digest standard (RFC 2617) so that the domain directive accepts wildcards.