SSO Architecture Questions
Added by Matthew Kettlewell about 13 years ago
Hello -
I'm looking at how Google, Zoho and others have set up a Single Sign On (SSO) app, where they can login/signup from any of the apps they have and have access to any of the other apps as well like docs, calendar, mail, etc, all from the same sign on.
My questions stem partly from not understanding the particulars of WT and HAProxy, so hopefully the answers aren't too obvious.
Questions:
1) Is it better to have a single application that holds the SSO, mail, calendar, etc. in one application, and have several WServer entry points?
or
2) Would it make more sense to have the SSO be its own application, and have the other apps either be a single application, or each app be its own application server?
In considering this, I like the idea of having each application reside on its own sub-domain, and would likely kill the monolithic concept of #1, although I could certainly see the validity of using sub-folders (i.e. domain.com/mail).
I'm considering a scalable approach that could handle easily adding apps, upgrades, servers, users and connections.
If I go with #2, to make the SSO its own application server, and each app be its own application server, what is a solid/secure way to convey the login information to each app? After authentication, is a cookie enough for each app to read, or is there a way for an app to talk directly to another app to query... or???
I've never implemented an SSO, so my thoughts are evolving, and still very simplistic, so any thoughts, or experiences on the idea, either generically or WT specific, would be greatly appreciated.
Thanks
Matt
Replies (1)
RE: SSO Architecture Questions - Added by Koen Deforche about 13 years ago
Hey Matthew,
You are probably better off making separate applications: in this way you can upgrade and/or restart these applications independently from each other. I would not make SSO a separate application --- that makes little sense and indeed then you have the new problem of needing a secure way to relay the authentication information anyway, which almost certainly necessitates the need for a shared database anyway. The SSO would be implemented with a shared authentication database, and could also share the same code, but should be an integral part of each application. This also allows you to serve content to an unauthenticated user and let him log in at a later point if he wishes to benefit from an individualized experience. The only thing that requires particular attention is to make sure that the cookie is effectively shared between all the applications, by giving it proper 'Domain' and 'Path' scopes.
I think either way you go, HAProxy could make them available in different virtual sub domains or not, or deploy at different URLs. That is not really impacted by the choice of how you organize the Wt backends.
Good luck with your applications!
Regards,
koen
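The cookie-scoping point in Koen's reply, as an added example that is not part of this thread and not Wt's own code: a small stand-alone C++ program (no Wt dependency) that builds the Set-Cookie header for a session cookie shared across sub-domains, implements the RFC 6265 domain-matching and path-matching rules to show which hosts a browser would actually send that cookie to, and resolves the cookie against an in-memory stand-in for the shared authentication database that each application consults. The host names, cookie name and session value are constructed for the example.

```cpp
#include <algorithm>
#include <cctype>
#include <iostream>
#include <map>
#include <optional>
#include <string>

// Host names are case-insensitive, so compare them lower-cased.
static std::string lowerCase(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return s;
}

// RFC 6265 section 5.1.3: a request host domain-matches a cookie Domain when it
// is that domain itself or ends with "." followed by it.  A leading dot in the
// attribute value is ignored, as browsers do.
bool domainMatches(const std::string& requestHost, const std::string& cookieDomain) {
    std::string host = lowerCase(requestHost);
    std::string dom = lowerCase(cookieDomain);
    if (!dom.empty() && dom[0] == '.') dom.erase(0, 1);
    if (host == dom) return true;
    if (host.size() <= dom.size()) return false;
    return host.compare(host.size() - dom.size(), dom.size(), dom) == 0 &&
           host[host.size() - dom.size() - 1] == '.';
}

// RFC 6265 section 5.1.4: the cookie Path must equal the request path or be a
// prefix of it ending at a "/" boundary, so Path=/mail covers /mail/inbox but not /mailbox.
bool pathMatches(const std::string& requestPath, const std::string& cookiePath) {
    if (requestPath == cookiePath) return true;
    if (requestPath.compare(0, cookiePath.size(), cookiePath) != 0) return false;
    if (!cookiePath.empty() && cookiePath.back() == '/') return true;
    return requestPath.size() > cookiePath.size() && requestPath[cookiePath.size()] == '/';
}

struct Cookie {
    std::string name;
    std::string value;
    std::optional<std::string> domain;  // no Domain attribute => host-only cookie
    std::string path = "/";
    bool secure = true;
    bool httpOnly = true;
    std::string setByHost;              // host whose response carried the Set-Cookie
};

// Render the Set-Cookie header an application would emit after a successful login.
std::string setCookieHeader(const Cookie& c) {
    std::string h = c.name + "=" + c.value + "; Path=" + c.path;
    if (c.domain) h += "; Domain=" + *c.domain;
    if (c.secure) h += "; Secure";
    if (c.httpOnly) h += "; HttpOnly";
    return h;
}

// Would a browser attach this cookie to a request for host + path?
bool cookieSentTo(const Cookie& c, const std::string& host, const std::string& path) {
    bool domainOk = c.domain ? domainMatches(host, *c.domain)
                             : lowerCase(host) == lowerCase(c.setByHost);
    return domainOk && pathMatches(path, c.path);
}

// Constructed in-memory stand-in for the shared authentication database:
// session identifier -> authenticated user.
const std::map<std::string, std::string> sharedSessions = {
    {"s3ss10n-constructed", "matt"},
};

// What each application does on a request: if the browser would have sent the
// shared cookie, look the session up in the shared store; otherwise the visitor
// is anonymous and may log in later.
std::optional<std::string> resolveUser(const Cookie& c, const std::string& host,
                                       const std::string& path) {
    if (!cookieSentTo(c, host, path)) return std::nullopt;
    auto it = sharedSessions.find(c.value);
    if (it == sharedSessions.end()) return std::nullopt;
    return it->second;
}

int main() {
    // Session cookie as the login on sso.example.com would set it, scoped to the parent domain.
    Cookie shared{"wtsession", "s3ss10n-constructed", std::string("example.com"), "/",
                  true, true, "sso.example.com"};
    // Same cookie without a Domain attribute: host-only, so invisible to the sibling apps.
    Cookie hostOnly{"wtsession", "s3ss10n-constructed", std::nullopt, "/",
                    true, true, "sso.example.com"};
    std::cout << setCookieHeader(shared) << "\n";
    for (const char* host : {"sso.example.com", "mail.example.com", "docs.example.com",
                             "example.com.attacker.test"}) {
        std::cout << host << ": shared-domain cookie -> "
                  << resolveUser(shared, host, "/").value_or("anonymous")
                  << ", host-only cookie -> "
                  << resolveUser(hostOnly, host, "/").value_or("anonymous") << "\n";
    }
    return 0;
}
```

The two cookies in `main` show the scoping mistake Koen warns about: the host-only cookie set by sso.example.com is never sent to mail.example.com or docs.example.com, so those apps would see an anonymous visitor despite a successful login, while the cookie carrying `Domain=example.com` reaches every sub-domain and is still withheld from a look-alike host such as example.com.attacker.test. Since the session value is the credential every application trusts, the header also carries `Secure` and `HttpOnly`; each application only needs the shared store to turn that value back into a user.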