Well, there are certainly many ways to achieve it, and it can be tricky. I can give you one solution as an example:
Consider two apps on different subdomains:
The Fine Corinthian Turkey Shop (turkey.example.com)
Rent a Baboon (monkey.example.com)
These two web apps want to share sign-on, and arrange for a third hosted website for their single sign-on:
sso.example.com
Then the flow is:
- Frank visits http://turkey.example.com/orders/12
- Turkey redirects to https://sso.example.com/login
- SSO presents the user with a login form, validates it, and issues a token
- The token is saved in a cookie on SSO.
- User is now validated on SSO, but needs to get the token back to turkey.
- SSO stores a combination of (Guid, Token, Expiry) on the server, where Guid is a random guid and Expiry is something like 30 seconds.
- SSO sets a secure cookie on *.example.com containing the Guid
- SSO redirects back to http://turkey.example.com/orders/12
- Turkey can now retrieve the ticket from the cookie
- Turkey calls SSO server and exchanges the ticket for the token.
- Turkey stores the token in the browser (typically a cookie)
Now let’s imagine that Frank wants some nice juicy baboons to go with that turkey:
- Frank visits: http://monkey.example.com/order-in-bulk
- Monkey sees that Frank has no stored token and redirects to https://sso.example.com/login
- SSO sees that Frank is already logged in as he has a stored token.
- SSO stores a new (Guid, token, expiry) triple on the server
- Process is identical to the initial login the rest of the way
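The ticket-exchange step in the flow above (the (Guid, Token, Expiry) triple, the short-lived `*.example.com` cookie, and the app redeeming the Guid for the token) as an added example in Python. This is not code from the answer; the class and function names, the `sso_ticket` cookie name and its attributes, and the injectable clock are this example's own assumptions. The 30-second lifetime is the value the answer suggests.

```python
"""Added example (not from the original answer): a minimal server-side
ticket broker for the (Guid, Token, Expiry) step of the SSO flow.
All names here are this example's own; 30 seconds is the TTL the answer uses."""
import secrets
import time

TICKET_TTL_SECONDS = 30


class SsoTicketBroker:
    """Holds short-lived, single-use tickets mapping a random GUID to a
    session token. Only the GUID reaches the browser (in the shared cookie);
    the token stays on the SSO server until an app redeems the ticket."""

    def __init__(self, ttl=TICKET_TTL_SECONDS, clock=time.time):
        self._tickets = {}      # guid -> (token, expiry_timestamp)
        self._ttl = ttl
        self._clock = clock     # injectable so expiry can be tested deterministically

    def issue_ticket(self, token):
        """Store (guid, token, expiry) and return the guid for the cookie."""
        guid = secrets.token_urlsafe(32)   # 256 random bits, not guessable
        self._tickets[guid] = (token, self._clock() + self._ttl)
        return guid

    def redeem_ticket(self, guid):
        """Exchange a guid for its token. Returns None when the ticket is
        unknown, already used, or expired. pop() makes every ticket single-use."""
        entry = self._tickets.pop(guid, None)
        if entry is None:
            return None
        token, expiry = entry
        if self._clock() > expiry:
            return None
        return token

    def purge_expired(self):
        """Drop tickets nobody redeemed in time; returns how many were removed."""
        now = self._clock()
        stale = [g for g, (_, exp) in self._tickets.items() if exp < now]
        for g in stale:
            del self._tickets[g]
        return len(stale)


def ticket_cookie_header(guid, ttl=TICKET_TTL_SECONDS, domain="example.com"):
    """Set-Cookie header for the ticket cookie shared across subdomains.
    Domain=example.com makes it visible to turkey. and monkey.example.com;
    Max-Age matches the server-side expiry so the GUID is short-lived in the
    browser as well. Cookie name and attributes are this example's choice."""
    return (f"Set-Cookie: sso_ticket={guid}; Domain={domain}; Path=/; "
            f"Max-Age={ttl}; Secure; HttpOnly; SameSite=Lax")


def simulate_flow(broker, token="session-token-for-frank"):
    """Walk the login-then-exchange steps: SSO issues the ticket after login,
    the app redeems it once, and a replay of the same guid is refused."""
    guid = broker.issue_ticket(token)       # SSO side, after validating Frank
    first = broker.redeem_ticket(guid)      # turkey calls SSO with the guid
    second = broker.redeem_ticket(guid)     # same guid presented again
    return {"guid": guid, "first": first, "second": second}


if __name__ == "__main__":
    broker = SsoTicketBroker()
    result = simulate_flow(broker)
    print(ticket_cookie_header(result["guid"]))
    print("first exchange :", result["first"])
    print("replayed guid  :", result["second"])
```

The broker deliberately never hands the token to the browser on the shared cookie: the only cross-subdomain value is a random, single-use, 30-second GUID, and each app obtains the real token over its own server-to-server call to SSO.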