Thread: Best way to automatically login user from a customer's web site.

I have a trade show application that I want to integrate with a customers conference registration application. For example, Big Trade Association has user John Doe register for Big Trade Association's fall conference.
1. John Doe logs in to Big Trade Association's web site and registers for the conference.
2. After completing his registration, John Doe selects "Schedule Appointments With Other Attendees" from Big Trade Association's menu.
3. At this point, John Doe is transferred to my web site where he can select who he wants to meet with. At this point I want to:
a) Know that John Doe is on my web site without requiring John Doe to log in a second time.
b) Securely transfer John Doe's identifying information to my web site.
c) Prevent a third party from being able to spoof John Doe's identity and be able to look at what information John Doe has entered on my web site.
d) Not require Big Trade Association to let me know in advance, who might log on to my web site. In other words, John Doe might
* Navigate to Big Trade Association's web site
*Join Big Trade Association
*Register for Big Trade Association's fall conference
*Immediately click on the "Schedule Appointments With Other Attendees" link on Big Trade Association's web site.

Any pointers on what technologies I might want to look at or any other pointers for the best way to accomplish this? Thanks in advance.

Hello there,

This kind of sounds like it needs the same design as a payment solution.

Basically Big Trade Association tells you that they want John Doe to access your site securely, so you reply by telling them what URL they need to go to. They then redirect John Doe to that url. You then notice that someone has arrived at that url and when the session is created on your side you can link that session to John Doe.

However if you want Big Trade Association to also send you details of John Doe then they should probably do this in the first call to your site. All of this communication should also be done over HTTPS/SSL to ensure that the user data is harder to capture.

Hope this helps.

// Json

Sounds like you want John Doe to automatically sign in to the site he is being redirected to without being challenged for his user credentials again.

To do this securely you need a Single Sign-on solution, these can be expensive and require a certain level of configuration on the server, though there are free ones availble OpenSSO I believe is one., they effectively allow a user's credentials to be propogated to other websites securely, though both sites need to be programmed to use this method.

Assuming that both sites have their own authentication process your code would have to automatically sign him in, to do this it needs his user credentials (i.e. username and password), this is not stuff you want to pass around via the URL. for security reasons.

I have worked on quite a few systems where a security audit was performed, and believe me that approach would not have produced a very good security rating.