Implementing a Single Sign On solution for web applications?

I am wanting to test run a Single Sign On web authentication for my University (currently a student employee), I have been reading a lot about WebAuth used by other Universities. While I think the solutions are great, we are a very 'small time' University, but the current login syste开发者_如何学Pythonm and authentication is horrible for the user experience (login for each service), and would greatly benefit from a system like these.

Before I go to IT with my solution, I would like to research and learn as much as I can, and identify some of the security issues. Currently I am the only php developer and am transitioning to .NET, ideally I would like to have a way for both systems to authenticate.

As mentioned, I have read a lot, but don't really have the 'Network Admin' background to understand how some of the pieces fit together, where/how do I start to build a test system?

The emerging solution to SSO challenges is Claims-Based Identity based on Open Standards.

On the .NET platform, Microsoft now offers Windows Identity Foundation (WIF) that provides building blocks for enabling (web) applications with these protocols.

I don't know which frameworks are available on other platforms, but it's important to keep in mind that WIF is just Microsoft's implementation of these open standards, so (in theory at least) it should work with other platforms as well.

If you are from a U.S. university, I would investigate Shibboleth, which is a standard SSO auth provider used by many schools.

It also doubles as a mechanism to verify that a user on other, non-school web sites, are in fact students. Microsoft uses this, for example, to verify student status prior to giving students free download access to software on DreamSpark.

The grand-daddy of all single-sign on systems is Kerberos - which was developed at MIT in the 1980's. It might be overkill for a simple web single-sign on but it's comprehensive and supported by every OS.

http://www.kerberos.org/

Check out LDAP? Something like:

using System.DirectoryServices;

private bool AuthenticateUser(string username, string password)
    {
        String strLdap = "LDAP://YOURACTIVEDIRECTORYSERVER/CN=" + username + ",OU=" + username[0];
        user = new DirectoryEntry(strLdap, username, password, AuthenticationTypes.Secure | AuthenticationTypes.Encryption);
        try
        {
            // Bind to the native AdsObject to force authentication.
            Object obj = user.NativeObject; // Will throw an exception if not authenticated
            return true; // User is authenticated
        }
        catch
        {
            return false; // User is not authenticated            
        }
    }

Look into SAML: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language