Best Practices for Multiple site One login

Hi, I am developing a series of sites with similar themes. As such I would like to give the user access to all of the sites once they have registered with any one of the sites.

What are the pitfalls and best practices for this in Rails?

Thank you in advance.

Mitch

I would suggest exploring an OpenID implementation.

regards, Jaymin

Jaymin Shah wrote in post #980516:

I would suggest exploring an OpenID implementation.

regards, Jaymin

Thanks Jaymin I will check it out now.

There are a couple of ways you can go. If you're in a corporate environment (as I was when I last did something like this), you may want to integrate with an LDAP server of some kind (in my case it was ActiveDirectory 2008). You'd then authenticate your users through that LDAP server across all the sites you're running. You can even set this kind of configuration up outside of a corporate environment - having your own LDAP server (OpenLDAP is a damn sight cheaper than ActiveDirectory though!). Just make sure that if you do it this way, you set up your LDAP server to be inaccessible from the outside world as a security precaution.

Another possible route, similar to what Jaymin mentioned above, would be using something like the Omniauth gem to allow users to authenticate with their Google, Twitter, Facebook <whatever else> accounts. Ryan Bates over at railscasts.com has several great screencasts on omniauth, and I strongly encourage you to check them out!

If you really (and I mean reeeeeeeaaaaaaly) want to roll your own, you could. You could set up a RESTful service that would communicate with your three apps and allow them to authenticate a user or not.

I'd recommend against rolling your own simply because when you do that, you run the risk of overlooking a few details that could open your app up to various hacks (think weak encryption ciphers, broken session handling, etc.), and the open source projects already out there have had a lot more eyes look at their code to make sure it doesn't have any gaping holes in it than anything you could roll on your own without open sourcing it and lots of scrutiny. Besides, why do the work when you can have somebody else do it? :)

There are a lot of different ways to go about it, but those are a few options for you to take a look at! Good luck!
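The reply above warns that a home-grown "RESTful service that tells the three apps whether a user is authenticated" tends to go wrong in small details: tokens that never expire, a ticket minted for one site being accepted by another, or a signature check that can be timed. The following Ruby is an added example (not code from this thread or from any gem mentioned in it) of the minimum such a shared-login ticket needs: an HMAC signature over the payload, an expiry, an audience bound to one consuming app, and a constant-time comparison. The secret, the three site names and the helper names are constructed for illustration; it uses only the Ruby standard library.

```ruby
require "openssl"
require "securerandom"
require "base64"
require "json"

# Constructed shared secret for the example. In a real deployment every app
# loads it from its own protected config; it is never embedded in source.
SSO_SECRET = "constructed-example-secret-do-not-reuse".freeze

# Hypothetical names of the three sites that may consume a ticket.
KNOWN_AUDIENCES = %w[site-a site-b site-c].freeze

def b64(data)
  Base64.urlsafe_encode64(data, padding: false)
end

def unb64(str)
  Base64.urlsafe_decode64(str)
end

# HMAC-SHA256 over the encoded payload; the signature covers exactly the bytes
# the verifier will later parse, so there is no canonicalisation ambiguity.
def sign(payload_b64)
  OpenSSL::HMAC.digest("SHA256", SSO_SECRET, payload_b64)
end

# Constant-time comparison: the result does not depend on where the first
# differing byte sits, so a remote caller cannot learn a valid MAC byte by byte.
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Issue a short-lived ticket for user_id that only `audience` may accept.
# `now` is injectable so the behaviour can be tested deterministically.
def issue_ticket(user_id, audience, ttl: 120, now: Time.now.to_i)
  raise ArgumentError, "unknown audience #{audience}" unless KNOWN_AUDIENCES.include?(audience)

  payload = {
    "sub"   => user_id,
    "aud"   => audience,
    "exp"   => now + ttl,
    # Makes two tickets for the same user distinct. Replay protection within
    # the ttl would additionally require the consumer to remember seen nonces.
    "nonce" => SecureRandom.hex(8)
  }
  payload_b64 = b64(JSON.generate(payload))
  "#{payload_b64}.#{b64(sign(payload_b64))}"
end

# Returns the user id if the ticket is genuine, unexpired and meant for this
# audience; nil otherwise. The signature is checked before anything is parsed.
def verify_ticket(ticket, audience, now: Time.now.to_i)
  payload_b64, sig_b64 = ticket.to_s.split(".", 2)
  return nil if payload_b64.nil? || sig_b64.nil?

  begin
    given = unb64(sig_b64)
  rescue ArgumentError
    return nil
  end
  return nil unless secure_compare(given, sign(payload_b64))

  begin
    payload = JSON.parse(unb64(payload_b64))
  rescue ArgumentError, JSON::ParserError
    return nil
  end
  return nil unless payload.is_a?(Hash)
  return nil unless payload["aud"] == audience
  return nil unless payload["exp"].is_a?(Integer) && now < payload["exp"]

  payload["sub"]
end

if __FILE__ == $PROGRAM_NAME
  t = issue_ticket("42", "site-a")
  puts "site-a accepts: #{verify_ticket(t, 'site-a').inspect}"   # "42"
  puts "site-b accepts: #{verify_ticket(t, 'site-b').inspect}"   # nil
end
```

Each consuming app holds the same secret and calls `verify_ticket` with its own name as the audience, so a ticket issued for site-a is rejected by site-b even though both trust the same issuer; the expiry keeps a leaked ticket useful for minutes rather than forever. Checking the MAC before decoding the payload means malformed or attacker-controlled JSON is never parsed.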

We do it using OpenLDAP, a cas server and rubycas-client.

I’d suggest creating an OAuth provider application for your SSO needs and then have each app for the SSO be a consumer: http://www.railsatwork.com/2010/10/implementing-oauth-provider-part-1.html

It’s how 37signals handles SSO across their products and I think it works out pretty well.

-Patrick Robertson

We used Google Code Archive - Long-term storage for Google Code Project Hosting. Excellent stuff if you don't want to mess (not really much work) with OpenID or similar ..

Next time you want to spam old threads with ads for your login service, at least check to see if the list focuses on the same technology as your service (PHP).

–Matt Jones