Cross Domain Single Selective Sign In

Front-end · Unresolved · 4 · 2284
北恋
北恋 2020-12-28 10:58

It's not explicitly cross domain sessions that I am looking for, but it's the easiest way to explain what it is I want.

I have a system which creates websites. The we

4 answers
  •  再見小時候
    2020-12-28 11:37

    As @keturn explained, OpenID does not allow implicit trust without tricking the system, which is why I wouldn't recommend it for this specific problem. Instead, I'd have a look at Shibboleth - a Single-Sign-On intended for a decentralized architecture.

    Let's assume the website master.example.com is linked to the website child.example.com, so that master.example.com provides login functionality for child.example.com. A user with a registered login on master.example.com would now like to access a resource http://child.example.com/resource, which is members-only. Now, Shibboleth kicks in:

    1. Authentication: Does the user have a security token?
      1. If the user already has a security token from master.example.com, it is checked for validity and the process continues at step 2.
      2. If the user does not have a valid token, he is forwarded to a login site, e.g. http://master.example.com/login. After login, the user is forwarded to step 1.
    2. Authorization (optional): master.example.com may allow or disallow access to a specific resource on child.example.com by providing additional information (e.g. a specific forum on child.example.com is only accessible to premium members of master.example.com. The information of the member status of the user is only visible to master.example.com, so he has to allow or deny the access).

    Shibboleth implementations are available on many services like apache2 or on application level like in php (e.g. SimpleSAML).
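The two-step flow from this answer (step 1: does the child site hold a valid token from master, otherwise redirect to master's login; step 2: authorization based on member status only master knows), as an added example that is not part of the original post or of any Shibboleth/SimpleSAML code. It assumes a constructed HMAC shared secret standing in for the signed SAML assertions a real deployment would use, and a hypothetical premium-only resource `/premium-forum`.

```python
import base64
import hashlib
import hmac
import json

# Assumption: a secret shared between master.example.com (issuer) and
# child.example.com (verifier). Real Shibboleth uses signed SAML assertions
# and per-service-provider keys instead of a shared secret.
SHARED_SECRET = b"constructed-demo-secret"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def master_issue_token(user: str, premium: bool, audience: str, now: int, ttl: int = 300) -> str:
    """master.example.com: after a successful login, issue a token scoped to ONE child site.
    The member status travels inside the signed claims, so child never has to look it up."""
    claims = {"sub": user, "iss": "master.example.com", "aud": audience,
              "premium": premium, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = _b64(hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest())
    return f"{body}.{sig}"

def child_verify_token(token: str, now: int, expected_aud: str = "child.example.com"):
    """Step 1 on child.example.com: is the token well-formed, signed by master,
    addressed to this site and not expired? Returns the claims or None."""
    try:
        body, sig = token.split(".")
    except ValueError:
        return None
    expected = _b64(hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):      # constant-time compare
        return None
    claims = json.loads(_unb64(body))
    if claims.get("iss") != "master.example.com" or claims.get("aud") != expected_aud:
        return None
    if claims.get("exp", 0) <= now:
        return None
    return claims

def child_handle_request(token, resource: str, now: int):
    """What child.example.com answers for `resource`: (HTTP status, redirect target or body)."""
    claims = child_verify_token(token, now) if token else None
    if claims is None:
        # Step 1.2: no valid token -> forward to master's login page, then come back here.
        return (302, f"http://master.example.com/login?return_to=http://child.example.com{resource}")
    # Step 2 (optional): authorization decided from master's assertion about the member.
    if resource == "/premium-forum" and not claims["premium"]:   # hypothetical premium-only area
        return (403, "premium members only")
    return (200, f"welcome {claims['sub']}")
```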
