
Best way to securely transfer user to different URL while maintaining their ‘logged in’ status

In the latest version of our SAAS product, we are designing it to allow our customers to deploy multiple instances of the software.

We require the sign up and login to be tightly integrated into the primary domain – the “sells the product to new customers” website PrimaryDomain.com which features “Sign Up” and “Login” forms that use jQuery/AJAX to give responsive feedback on data submission.

When a customer successfully logs in, they are to be presented with a list of all their installed instances of our product. All installed instances of our product can be hosted across dozens of domains, but to keep this question simple, they are hosted on [subdomain].SecondaryDomain.com (code + database).

Every installed instance also features an admin panel, which customers currently need to log in to manually for each individual instance as required.

We want the customer to be able to click on ‘view admin panel’ next to any of their installed instances and automatically be logged in on [subdomain].SecondaryDomain since they were logged in on PrimaryDomain.com.

SecondaryDomain.com naturally doesn't have access to the cookies or session variables of PrimaryDomain.com, so what is the best way to allow SecondaryDomain.com to authorise?

We have considered a few different options, such as:

  • Researching some clever way that the domains can share cookie/session data?

  • Generate a token that is passed with the URL when clicking ‘view admin panel’ to the second domain. The token is unique to the userid plus subdomain (such as an md5 hash) and then validated on the receiving end.

  • Recording a one-time-use token into the database, sending it with the URL, and having SecondaryDomain.com connect to PrimaryDomain.com’s database to verify the one-time-use token and set appropriate session and cookie variables.

The one-time-use token seems like the right approach, but I haven't been able to find any concrete answers on (a) if this is even the RIGHT approach, and (b) what the security implications are around it?
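As an added illustration of the third option (a one-time-use handoff token) and of the checks the receiving domain would want to perform, here is example code that is not from the poster's product: it signs the token with an HMAC key shared between the two domains instead of a bare md5 hash, binds it to the target subdomain, gives it a short lifetime, and lets it be redeemed exactly once. The key, the lifetime and the in-memory token table are assumptions standing in for the real shared secret and database.

```python
import base64, hashlib, hmac, json, secrets, time

# Constructed key for this example (assumption); in practice each
# [subdomain].SecondaryDomain.com instance would hold a key agreed with PrimaryDomain.com.
SHARED_KEY = b"constructed-example-key-not-for-production"
TOKEN_TTL = 60  # seconds a handoff link stays valid (assumption)

# Stands in for PrimaryDomain.com's table of issued tokens: nonce -> already redeemed?
_issued = {}

def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_handoff_token(user_id, subdomain, now=None):
    """PrimaryDomain.com side: mint a signed, single-use token bound to one instance."""
    now = now or int(time.time())
    payload = {"uid": user_id, "aud": f"{subdomain}.SecondaryDomain.com",
               "exp": now + TOKEN_TTL, "nonce": secrets.token_hex(16)}
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    _issued[payload["nonce"]] = False  # issued, not yet redeemed
    return _b64(body) + "." + _b64(sig)

def redeem_handoff_token(token, expected_host, now=None):
    """SecondaryDomain.com side: check signature, audience, expiry and single use.
    Returns the user id to start a local session for, or raises ValueError."""
    now = now or int(time.time())
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(SHARED_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        raise ValueError("bad signature")
    payload = json.loads(body)
    if payload["aud"] != expected_host:  # minted for a different instance
        raise ValueError("audience mismatch")
    if now > payload["exp"]:
        raise ValueError("token expired")
    # Single use: in a real database the lookup and the flag update must be one atomic step
    if _issued.get(payload["nonce"]) is not False:
        raise ValueError("token unknown or already used")
    _issued[payload["nonce"]] = True
    return payload["uid"]
```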


Answer

I recommend SAML for this case. SAML requires you to have an identity provider (IdP) and service providers (SPs). The user will log in to the IdP and present the token to any SP visited. The SPs need to be configured to assert the token against the IdP. You probably want to look into Auth0’s SAML SSO offering for more information, but there are other providers out there that do the same thing.

User contributions licensed under: CC BY-SA