
Single Sign On with Ajax in same origin policy world - effective solutions

What is the best approach to realize Single Sign On (SSO) with Ajax? The biggest problem that appears is the same origin policy.

I've searched Google and there are many 'hacks' to do this. But I have to support even old browsers (e.g. IE6), and these hacks don't always work.

The proposed solutions and their disadvantages:

  • change document domain // it is not working in Ajax way
  • JSONP // requires passing credentials in GET so it is insecure
  • CORS // only new browsers: IE8+, FF3.5+
  • Flash API // The browser has to have a flash plugin
  • easyXDM // It seems to be the famous solution (Twitter uses it).

PS. Has anybody tested easyXDM in IE6?


One simple way to do this is to write a simple web service on your domain that proxies to the SSO domain. No browser deps, simple to implement (relatively), and not a hack.

Note that if your SSO solution does not handle authorization (i.e. role info to restrict user actions), your server app will need to do this, in which case you will have to proxy to set up authorization in your app.
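
The proxy approach from the answer above, as an added example that is not part of the original answer: the browser posts credentials to its own origin and the server relays them to the SSO service. The SSO URL, the `/sso/login` path, the JSON field names and the `{status, token}` reply shape are assumptions.

```javascript
// Added example: login endpoint of a same-origin proxy in front of an SSO service.
// Assumed (not from the page): SSO_LOGIN_URL, the /sso/login path, the JSON
// field names and the {status, token} shape of the SSO reply.
const SSO_LOGIN_URL = 'https://sso.example.com/login'; // pinned server-side

const reply = (status, body, headers = {}) => ({ status, headers, body: JSON.stringify(body) });

// Step 1: validate the browser's same-origin Ajax call and build the upstream call.
// Returns { error: <response> } or { upstream: <request to send to the SSO> }.
function buildUpstreamRequest(req) {
  if (req.method !== 'POST' || req.url !== '/sso/login') {
    return { error: reply(404, { ok: false }) }; // credentials in a GET URL are refused
  }
  let creds;
  try { creds = JSON.parse(req.body); } catch (e) { return { error: reply(400, { ok: false }) }; }
  if (!creds || typeof creds.user !== 'string' || typeof creds.password !== 'string') {
    return { error: reply(400, { ok: false }) };
  }
  // The target is the constant above; nothing in the request can redirect it.
  return { upstream: { url: SSO_LOGIN_URL, method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify({ user: creds.user, password: creds.password }) } };
}

// Step 2: turn the SSO reply into the response for the browser.
function buildClientResponse(sso) {
  if (sso.status !== 200 || typeof sso.token !== 'string' || sso.token === '') {
    return reply(401, { ok: false });
  }
  // The token becomes a cookie on our own origin and is never exposed to script.
  const cookie = 'sso_token=' + encodeURIComponent(sso.token) +
    '; HttpOnly; Secure; SameSite=Strict; Path=/';
  return reply(200, { ok: true }, { 'Set-Cookie': cookie });
}

// Glue for any Node HTTP framework; fetchImpl defaults to the global fetch.
async function proxyLogin(req, fetchImpl = fetch) {
  const step = buildUpstreamRequest(req);
  if (step.error) return step.error;
  const { url, ...init } = step.upstream;
  const res = await fetchImpl(url, init);
  const data = res.ok ? await res.json() : {};
  return buildClientResponse({ status: res.status, token: data.token });
}
```

Any role checks the SSO service does not provide would run in the application after `buildClientResponse` succeeds, as the answer notes.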


OpenID seems to be good enough for StackOverflow: http://openid.net/developers/


You also can use an iframe and URL fragment to pass messages between different domains. It supports all browsers and no plugin is required. This is the link for the details of this genius solution: http://softwareas.com/cross-domain-communication-with-iframes
