Each actor in the standard WIND authentication system has a small well-defined set of responsibilities.
Web Browser
The web browser must support making an SSL connection.
WIND server
Accept authentication requests at a well-known URI.
On success, redirect users to their destination with an additional parameter, ticketid.
On failure, report an error and allow retry.
Accept and answer ticket validation requests at a well-known URI.
Maintain a log of authentication and ticket validation attempts and results.
Only allow tickets to be used once.
Destination site
Provide a mechanism for browsers wishing to log in to be redirected to the WIND Authentication server.
Establish a destination URI, where browsers are directed after authenticating. At this URI browsers must present a valid authentication ticket.
Check the validity of all tickets by making a request to the validation URI on the WIND server. SSL must be used for this request.
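
The WIND server's ticket duties listed above (issue a ticketid on success, answer validation requests, allow each ticket only once, log every attempt and result) are sketched below as an added example; it is not WIND's own code. The class, method names, in-memory store and log layout are assumptions made for illustration.

```python
import hashlib
import secrets
import threading
import time


class TicketStore:
    """Hypothetical in-memory ticket store for a WIND-style server."""

    def __init__(self):
        self._tickets = {}            # ticketid -> authenticated user
        self._lock = threading.Lock()
        self.log = []                 # (timestamp, event, ticket fingerprint, result)

    @staticmethod
    def _fingerprint(ticketid):
        # Log a hash prefix, not the ticket, so an unused ticket
        # cannot be lifted from the log.
        return hashlib.sha256(ticketid.encode()).hexdigest()[:12]

    def _record(self, event, ticketid, result):
        self.log.append((time.time(), event, self._fingerprint(ticketid), result))

    def issue(self, user):
        """Called after a successful login; returns the ticketid for the redirect."""
        ticketid = secrets.token_urlsafe(32)  # unguessable random value
        with self._lock:
            self._tickets[ticketid] = user
            self._record("issue", ticketid, user)
        return ticketid

    def validate(self, ticketid):
        """Answer a validation request; the ticket is consumed on first use."""
        with self._lock:
            # pop() removes the ticket in the same step that reads it, so two
            # concurrent validation requests cannot both succeed.
            user = self._tickets.pop(ticketid, None)
            self._record("validate", ticketid, user if user else "rejected")
        return user


def demo():
    store = TicketStore()
    ticket = store.issue("alice")            # constructed sample user
    first = store.validate(ticket)           # destination site's check
    replay = store.validate(ticket)          # same ticket presented again
    forged = store.validate("not-a-ticket")  # never issued
    return first, replay, forged, [entry[1:] for entry in store.log]
```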