Best practice to authenticate third party to a website?

Question

I've a website built with ASP.NET, and uses Cookie based Forms Authentication to protect it self from unauthorized access.

It also has a REST based API which uses API key based Authentication. (Key is distributed separately).

We've a case where one of our customers want to embed certain pages from our site inside their own site (using an IFRAME). That customer will also have many other customers who authenticate with customer's site.

What are the best ways to authenticate these third party customers temporarily into our site? Are there any accepted patterns for this kind of scenarios?

Not an answer, but you could make use of `onmessage` and `postMessage` to authenticate users coming from the parent frame. — Loïc Faure-Lacroix, Aug 23 '15 at 11:43

score 1 · Answer 1 · answered Aug 28 '15 at 17:42

It's not clear if your customer's website is using authentication. If you want a Single Sign On (SSO) solution, you'll need to find a common identity provider for both websites or look into identity federation.

You probably want to look at supporting some kind of token based authentication scheme. You'll need a Security Token Service (STS) like for example ADFS or Ping Identity which can issue tokens trusted by your site and also federate with your customers identity provider.

These issued tokens can also be used to authenticate with your web API.

Best practice to authenticate third party to a website?

1 Answers1