Multi-domain SSO with IP.board 4

IP.board 4 is coming, and the Invisionpower dev team is revealing more and more new features. One of the most interesting is the ability to allow multi-domain SSO through IPS.connect. This is one of the most wanted features for IPBWI for WordPress, and here are my thoughts about it:

Normally, multi-domain SSO is not intended to work, because of the security policies of the browser developers (see the same-origin policy).

There is a good reason for that: it prevents cookie theft through, e.g., malware-infected ad servers. There were some ways to work around that restriction with JavaScript, but as JS handles data on the client side, there is always a new security hole – even if you have checked your code a thousand times. So I knew a way, but I decided not to offer that out of the box to prevent security issues on your sites.

IP.board 4 now introduces another way, which allows multi-domain login via redirects. I’d assume they make a handshake and some database queries and, on success, redirect the user back to the original site with a positive one-time hash key.
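One way such a redirect flow could work, as an added example; it is not IP.Board, IPS.connect or IPBWI code, and the class `SsoTokenStore`, the `sso_token` parameter and the host `blog.example` are hypothetical. The login domain issues a single-use token bound to an allowlisted return site and stores only a keyed hash of it; the receiving site redeems it server-to-server, and replayed, expired or mismatched tokens are rejected (PHP 8.0+, with an array standing in for the database table).

```php
<?php
declare(strict_types=1);

// Added example, not IP.Board or IPBWI code. Class, parameter and host names are hypothetical.
final class SsoTokenStore
{
    private const TTL = 60; // seconds a token stays redeemable

    /** @var array<string, array{member: int, host: string, expires: int}> stands in for a DB table */
    private array $rows = [];

    /** $allowedHosts: hosts that are registered to receive a login redirect. */
    public function __construct(private string $secret, private array $allowedHosts) {}

    /** Called on the login domain after authentication; returns the redirect URL. */
    public function issue(int $memberId, string $returnUrl, int $now): string
    {
        $host = parse_url($returnUrl, PHP_URL_HOST);
        if (parse_url($returnUrl, PHP_URL_SCHEME) !== 'https'
            || !in_array($host, $this->allowedHosts, true)) {
            throw new InvalidArgumentException('return URL is not a registered site');
        }
        $token = bin2hex(random_bytes(32));
        // Store only a keyed hash, so a leaked table holds no redeemable tokens.
        $this->rows[hash_hmac('sha256', $token, $this->secret)] =
            ['member' => $memberId, 'host' => $host, 'expires' => $now + self::TTL];
        $sep = parse_url($returnUrl, PHP_URL_QUERY) === null ? '?' : '&';
        return $returnUrl . $sep . 'sso_token=' . $token;
    }

    /** Called server-to-server by the site that received the redirect; null means reject. */
    public function redeem(string $token, string $siteHost, int $now): ?int
    {
        $key = hash_hmac('sha256', $token, $this->secret);
        $row = $this->rows[$key] ?? null;
        unset($this->rows[$key]); // single use: gone after the first attempt, valid or not
        if ($row === null || $now > $row['expires'] || $row['host'] !== $siteHost) {
            return null;
        }
        return $row['member'];
    }
}

// Constructed demo values.
$idp = new SsoTokenStore('constructed-demo-secret', ['blog.example']);
$url = $idp->issue(42, 'https://blog.example/sso-return', time());
parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
var_dump($idp->redeem($query['sso_token'], 'blog.example', time())); // first redemption
var_dump($idp->redeem($query['sso_token'], 'blog.example', time())); // replay of the same token
```

The return-URL allowlist is what keeps the redirect from becoming an open redirect, and the host binding stops a token issued for one site from being redeemed by another.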

And here comes IPBWI: I’ll take a closer look at that feature once it’s released, to allow this SSO tech through IPBWI, too. Additionally, I’ll implement that in IPBWI for WordPress, too.

So it may take a few weeks after the IP.board 4 release to make it stable and robust, but I will adapt that feature, too.

And if someone is wondering whether you’ll need a full new license for IPBWI 4 (which will be a new major version number corresponding with IP.board 4), I can say: no. You may renew your license for 29 bucks to get the latest update, but you are not required to update, and if you still have an active license, you don’t need to pay any extra charge for the new major version.

Posted on by Matthias Reuter


  1. Hey Matthias,

    I'm actually curious if the issue I'm currently having is directly related to this.

    I haven't launched my new sites yet but I'm having a problem on my dev environment.

    Basically, I have two websites (two different domains) and they are both part of the same "network" and they both use IPBWI to connect to a single IPB installation/database.

    Right now I'm noticing that if I log into the 1st website, and then log into the 2nd website (different browser) using the same account, I am logged out from the 1st. I am unable to be logged into both websites at the same time.

    Is this normal and is this what you're talking about above? I guess it wouldn't be a big problem for my users as it's very unlikely that they would ever want to be logged in to both websites at the same time... but still... since they are distinct domains... I would imagine it would be nice to allow them to be logged into both even if it's using the same IPB installation for auth.

    I'd love to hear your feedback on this!

    Keep up the fine work!

  2. Hi vesper,

    Currently, yes, it is normal behavior of IPBWI for different top-level/second-level domains. This will be improved in the v4 release, so it will allow users to stay logged in on completely different domains.

    Kind regards,

    Matthias
