So, a bit of background, I'm working on an existing web application that has a set of users who can log in through the traditional login screen with username and password, etc.
Recently, we managed to land a client (who has his own intranet site) who wants his users to enter his intranet site; their users then click on a link in the Intranet, which redirects to our application and logs them in automatically.
I had two suggestions on how to implement this so far:
- Create a URL that contains two parameters (the "username" and "password"), and the Intranet site passes these parameters to us (our connection is over SSL/TLS, so everything is encrypted). This would work fine, but it seems a bit "hacky", and it also means that the usernames and passwords would have to be the same for both systems (and you would need to write some kind of web service that can update users' passwords, which also seems a bit unsafe).
- Provide a token on the Intranet, so that when the client clicks on the link on the Intranet, he sends us the token along with the username (and without a password), which means that they are authenticated. Again, that sounds a bit hacky, because isn't that essentially the same as giving everyone the same login password?
So, to summarize, I'm looking for the following:
- A way for users who have already authenticated on the Intranet to log into our system without undue interference and without using an external system for authentication, i.e. LDAP / Kerberos
- Something that is not too specific to this client, and can be easily implemented by other intranets for login