Tags: javascript, ajax, single-sign-on, same-origin-policy

Single Sign On with Ajax in same origin policy world - effective solutions


What is the best approach to realize Single Sign On (SSO) with Ajax? The biggest problem that appears is the same-origin policy.

I've searched Google and there are many 'hacks' to do this. But I have to support even old browsers (e.g. IE6), and these hacks don't always work.

The proposed solutions and their disadvantages:

  • change document.domain // it does not work the Ajax way
  • JSONP // requires passing credentials in GET, so it is insecure
  • CORS // only new browsers: IE8+, FF3.5+
  • Flash API // the browser has to have a Flash plugin
  • easyXDM // it seems to be the famous solution (Twitter uses it).

PS. Has anybody tested easyXDM in IE6?


Solution

  • One simple way to do this is to write a simple web service on your domain that proxies to the SSO domain. No browser dependencies, simple to implement (relatively), and not a hack.

    Note that if your SSO solution does not handle authorization (i.e. role info to restrict user actions), your server app will need to do this, in which case you will have to proxy to set up authorization in your app.