Single Sign-on for two rails app

Hello Everybody,

I have two rails app. Both have login pages for user authentication. The
two apps have links to one another. Now what i need is when a user logs
in to one app, he should not be again asked for login when he clicks the
link for second app.

Please tell me how to go on?

Thanks in advance,
Ak

Someone correct me if I'm wrong, but I don't think you can use
standard cookies across domains.

Have you thought about using OpenID's? There are some really good
OpenID gems.

If these apps are going to be used in a workplace or similar scenario,
you could try to use LDAP or AD...I know there are some gems to help
with this.

AD (at least) can be used on other platforms to automatically authenticate a connection w/out prompting the user for credentials. If RoR could use it that way it would amount to single-sign-on I think.

Can RoR & its typical deployment stack not use AD like that?

(I'm seriously asking, in case that's not apparent...)

Hi Arun,

I have two rails app. Both have login pages for user authentication. The
two apps have links to one another. Now what i need is when a user logs
in to one app, he should not be again asked for login when he clicks the
link for second app.

My situation is slightly different but hopefully applicable to you. I
have two apps that require a login and have created a third Rails app
that servers as a single sign-on and user management system. The sign-
in process goes roughly like this:
1. Each user (and directly related entities) has a UUID so that
multiple DBs can be synchronised.

2. User enters credentials into SSO app, signs-in, it displays a page
with links to both apps. The links are to session creation actions on
the other apps and contain the user UUID and a hash of several user
attributes including a nonce (one time random token).

3. Using ActiveResource the remote app calls back to the SSO app to
authenticate the UUID and hash and returns the user object (as XML)
which is synchronised into the remote app's DB. The nonce stored on
the SSO users table is reset so links only work once (stops replay
attacks).

The internal authentication system should be restricted by IP address
or similar to your own apps.

Hope that helps,
Andrew