wadmiraal's sandbox: Simple SSO

Simple SSO is specifically designed for Drupal sites that need a simple, intuitive and functional Single Sign On.

The Simple SSO module can securely log in users accross several Drupal sites, even hosted under different domains. It's a pure Drupal solution and does not require any external library.

Differences with other SSO modules

Simple SSO is different from other modules, in that the authentication happens on the client site, not the server. This allows users to stay on the current site to log in, and not get redirected to a login server (like with CAS or OpenID).

If you want your users to log in across a network of Drupal sites that share the same second-level domain, you should use Bakery instead of Simple SSO.

If you are not concerned with your users being redirected to another site for authentication, you'd better use CAS or OpenID.

Workflow

Simple SSO uses a two-way communication between a server and multiple clients to establish sessions. When a user logs in on a client site, the server is notified and a session is opened on the server as well as on the client.

When the user navigates to another client site, a round-trip is made to the server to check if the user was already authenticated. If so, a new session is opened on the client site.

This communication happens mainly by means of tokens. Each token contains some user specific data (namely the IP and username). It is encrypted using a symmetric-key algorithm. The strength of the system depends mainly on the strength of the encryption key.

Quick setup

Simple SSO comes with 2 modules, Simple SSO Client and Simple SSO Server. One Drupal site must act as the Simple SSO Server. All other Drupal sites are SSO Clients.

Simple SSO will not automatically create new users on client sites. It's up to the site administrators to make sure all users are shared amongst their Drupal sites (like using a shared user table for a multisite install).

Simple SSO uses a private key for token encryption. This key must be shared across the entire network (clients and server). The key should be added to each sites settings.php file. At the end of the file, add

$conf['simple_sso_key'] = 'YOJlYpWSO4cDW8KnnKeOYImXysLJr6nBt7f07U0'; // The longer and more random, the better.

Remember that the key must be the same for all sites (tip: you can store this key in a plain text file outside the webroot for more security. In that case, just do $conf['simple_sso_key'] = file_get_contents('/path/to/key.txt');).

For each client site, go to the settings page and set the address for the SSO Server site and you're good to go. Simple SSO will automatically start logging in users across your site network.