How to pass devise sign_in information into differ

Posted 2019-05-28 20:22

Question:

I have 3 applications which need to talk to each other using a combination of SSO, https and devise for authentication. What I'm trying to figure out is how to perform a sign in on one rails application and have the relevant (cookies, sessions, whatever) passed down the chain so that an external web browser can view the information.

Here is the flow of the 3 applications.

  • The first application is a WEB PORTAL. It sends a bunch of sso (single sign on) related strings to an api.
  • A second API_APP application validates the information and passes it on to a rails application.
  • This RAILS_APP application validates the api's information and signs in the user using devise's "sign_in_and_redirect" helper method

Now here's the tricky part. How do I pass the information from RAILS_APP back along the chain to the WEB_PORTAL so that the web portal can view the signed-in user's account?


Some more information:

I admit the architecture is less than ideal but unfortunately it cannot be changed at this time. The WEB_PORTAL implementation is not so important but I think the API_APP is going to need some work.

API_APP formats the information into a net http request like so

require 'net/http'
require 'uri'
require 'json'

uri = URI.parse(MY_RAILS_APP_URI)
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = (uri.scheme == 'https') # needed for an https URI; Net::HTTP does not enable TLS on its own
request = Net::HTTP::Post.new(uri.request_uri, 'Content-Type' => 'application/json')
# "email" appeared twice in the hash; a single entry is enough
request.body = {"email" => email, "id" => id, "timestamp" => timestamp, "token" => token}.to_json
response = http.request(request)
location = response['location'] # if the RAILS_APP returns a 302

Any thoughts on how to get the WEB_PORTAL signed in?
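
The question says RAILS_APP validates the posted email, id, timestamp and token before calling sign_in_and_redirect, but does not show how. The following is an added example, not code from the original post. It assumes the token is an HMAC-SHA256 over the other fields with a shared secret, and the helper names, the 300-second window and the sample values are all hypothetical.

```ruby
require 'json'
require 'openssl'

# Assumptions (not from the page): the token is a hex HMAC-SHA256 over the JSON
# array [id, email, timestamp], keyed with a secret shared by API_APP and
# RAILS_APP, and a payload older than MAX_SKEW_SECONDS is rejected.
MAX_SKEW_SECONDS = 300

# Hypothetical helper: what API_APP would compute before posting.
def sso_token(secret, id, email, timestamp)
  OpenSSL::HMAC.hexdigest('SHA256', secret, JSON.generate([id, email, timestamp]))
end

# Comparison that does not stop at the first differing byte. In a Rails app,
# ActiveSupport::SecurityUtils.secure_compare does this job.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical check for RAILS_APP to run before sign_in_and_redirect.
# Returns :ok or a symbol naming why the payload was rejected.
def verify_sso_payload(json_body, secret, now: Time.now.to_i)
  data = JSON.parse(json_body)
  return :malformed unless data.is_a?(Hash)
  id, email, timestamp, token = data.values_at('id', 'email', 'timestamp', 'token')
  return :malformed if [id, email, timestamp].any?(&:nil?) || !token.is_a?(String)
  issued_at = Integer(timestamp.to_s, 10, exception: false)
  return :malformed if issued_at.nil?
  # A freshness window narrows replay; it does not stop reuse inside the window.
  return :stale if (now - issued_at).abs > MAX_SKEW_SECONDS
  return :bad_token unless secure_equal?(sso_token(secret, id, email, timestamp), token)
  :ok
rescue JSON::ParserError
  :malformed
end

if __FILE__ == $PROGRAM_NAME
  secret = 'constructed-demo-secret' # constructed value; load a real one from config
  body = { 'id' => 42, 'email' => 'user@example.com', 'timestamp' => Time.now.to_i }
  body['token'] = sso_token(secret, body['id'], body['email'], body['timestamp'])
  puts verify_sso_payload(body.to_json, secret)                   # fresh, untampered payload
  puts verify_sso_payload(body.merge('id' => 43).to_json, secret) # field changed after signing
end
```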

Answer 1:

I've had a similar problem fixed by having my cookies set to include all subdomains. I don't know if that is possible for you. I had foo.example.com sharing cookie information with bar.example and www.example.com. Might also work in your case I believe.