Best Practices for Multiple Site One Login

Hi,
I am developing a series of sites with similar themes. As such I would
like to give the user access to all of the sites once they have
registered with any one of the sites.

What are the pitfalls and best practices for this in Rails?

Thank you in advance.

Mitch

I would suggest exploring openID implementation.

regards,
Jaymin

Jaymin Shah wrote in post #980516:

I would suggest exploring openID implementation.

regards,
Jaymin

Thanks Jaymin I will check it out now.

There are a couple of ways you can go. If you're in a corporate
environment (as I was when I last did something like this), you may
want to integrate with an LDAP server of some kind (in my case it was
ActiveDirectory 2008). You'd then authenticate your users through
that LDAP server across all the sites you're running. You can even
set this kind of configuration up outside of a corporate environment -
having your own LDAP server (Open LDAP is a damn sight cheaper than
ActiveDirectory though!). Just make sure that if you do it this way,
you set up your LDAP server to be inaccessible from the outside world
as a security precaution.

Another possible route, similar to what Jaymin mentioned above, would
be using something like the OmniAuth gem to allow users to
authenticate with their Google, Twitter, Facebook <whatever else>
accounts. Ryan Bates over at railscasts.com has several great
screencasts on OmniAuth, and I strongly encourage you to check them
out!

If you really (and I mean reeeeeeeaaaaaaly) want to roll your own, you
could. You could set up a RESTful service that would communicate with
your three apps and allow them to authenticate a user or not.

I'd recommend against rolling your own simply because when you do
that, you run the risk of overlooking a few details that could open
your app up to various hacks (think weak encryption ciphers, broken
session handling, etc.), and the open source projects already out
there have had a lot more eyes look at their code to make sure it
doesn't have any gaping holes in it than anything you could roll on
your own without open sourcing it and lots of scrutiny. Besides, why
do the work when you can have somebody else do it? :)

There are a lot of different ways to go about it, but those are a few
options for you to take a look at! Good luck!

We do it using OpenLDAP, a CAS server and rubycas-client.

I’d suggest creating an OAuth provider application for your SSO needs and then have each app for the SSO be a consumer: http://www.railsatwork.com/2010/10/implementing-oauth-provider-part-1.html

It’s how 37signals handles SSO across their products and I think it works out pretty well.

-Patrick Robertson

We used http://code.google.com/p/rubycas-server/
Excellent stuff if you don't want to mess (not really much work) with
OpenID or similar.
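A toy model of the CAS ticket flow the two posts above rely on, added here as an illustration; it is not code from rubycas-server, rubycas-client or anyone in this thread. The class names, the 10-second ticket lifetime and the in-memory ticket store are assumptions; the point is the three checks a consuming site gets from letting one central server vouch for the user: a ticket is single-use, bound to the site that requested it, and short-lived.

```ruby
require 'securerandom'

# Central login server: issues service tickets after the user has
# authenticated once, and validates them for the sites that receive them.
class ToyCasServer
  TICKET_TTL = 10 # seconds; assumed value, not taken from any CAS deployment

  def initialize(clock: -> { Time.now })
    @clock = clock
    @tickets = {} # ticket => { service:, user:, issued_at: }
  end

  # The user logged in here and is being sent back to +service+, the
  # callback URL of the site that redirected them to us.
  def issue_ticket(service, user)
    ticket = "ST-" + SecureRandom.hex(16)
    @tickets[ticket] = { service: service, user: user, issued_at: @clock.call }
    ticket
  end

  # Equivalent of CAS serviceValidate: the site presents the ticket from its
  # callback URL together with its own service URL. Returns the username on
  # success, nil on any failure.
  def validate(ticket, service)
    entry = @tickets.delete(ticket)  # deleted on first lookup: single use
    return nil if entry.nil?
    return nil if entry[:service] != service          # issued for another site
    return nil if @clock.call - entry[:issued_at] > TICKET_TTL # expired
    entry[:user]
  end
end

# Each participating site keeps its own session once the server vouched
# for the user; it never sees the user's password.
class ToyCasClient
  attr_reader :service_url, :sessions

  def initialize(service_url, server)
    @service_url, @server, @sessions = service_url, server, {}
  end

  # Handles the callback request carrying ?ticket=...; returns a session id
  # for the now logged-in user, or nil if the ticket did not validate.
  def handle_callback(ticket)
    user = @server.validate(ticket, @service_url)
    return nil unless user
    sid = SecureRandom.hex(16)
    @sessions[sid] = user
    sid
  end
end
```

Real CAS clients talk to the server over HTTPS and parse its XML response; the checks above are what that exchange buys you.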

Next time you want to spam old threads with ads for your login service, at least check to see if the list focuses on the same technology as your service (PHP).

–Matt Jones