multi-domain SSO with IP.board 4

IP.board 4 is coming and the dev team of Invisionpower expose more and more new features. One of the most interesting is the ability to allow multi-domain SSO through IPS.connect. This is one of the most wanted features for IPBWI for WordPress and here are my thoughts about it:

Normally, multi-domain SSO isn’t wanted due to security policies of the browser developers (see same-origin-policy).

There is a good reason for that: It prevents cookie stealing through e.g. malwared adservers. There were some ways with Javascript to avoid that issue, but as JS is a client-side way of data handling, there is always a new security hole – even if you checked your code thousand times. So I knew a way, but I decided not to offer that out-of-the-box to prevent security issues on your sites.

IP.board 4 now introduces another way which allows multi-domain-login via redirects. I’d assume they make a handshake, some database queries and on success, redirect the user with a positive one-time hash key back to the original site.

And here comes IPBWI: I’ll take a closer look on that feature once it’s released, to allow this SSO tech through IPBWI, too. Additionally, I’ll implement that into IPBWI for WordPress, too.

So it may take a few weeks after IP.board 4 release to make it stable and robust, but I will adapt that feature, too.

And if someone is wondering wether you’ll need a full new license for IPBWI 4 (which will be a new major version number corresponding with IP.board 4), I can say: no. You may renew your license for 29 bucks to get the latest update, but you are not required to update and if you are still having an active license, you don’t need to pay any extra charge for the new major version.