I had a job interview today, and one of the "challenges" with which I was presented was this: "We own several sites. We would like our user to be able to log into the central site as a subscriber, and then all the other sites will know what permissions that user has."
The sites are cooperative, so getting content onto each one to support this idea isn't difficult. Also, all of the sites belong to the same user, so getting a regular framework that you can deploy to all of them isn't difficult either.
The scenario we want to support is this. We have two websites, the remote authentication server framework. Let's call it "rasf.com" (which, sadly, does not go to rec.arts.sf.written), and let's call the site that wants authentication "brandx.com." (Sadly, this is a parked site that leads to a stock photography reseller.) The idea is that you're a subscriber to rasf.com. You visit brandx.com, and Brand-X initially has no idea who you are. We want Brand-X to be able to say, "Hey, Rasf, who is this guy?" and have Rasf come back "Oh, he's John Smith, he's a legit user, and here are some details."
Assumption: You've visited Rasf recently, and have a cookie from Rasf saying "Yes, I, Joe Smith, and a valid user of Rasf and affiliated sites!"
You access a page from Brand-X. Secretly, Brand-X creates a one-pixel-wide iframe and set the iframe's src attribute to the "authenticate this user" page on Rasf, including in the request its public key as an argument. After the iframe loads, the loaded page from Rasf now has the session information on the browser, and it has Brand-X's public key. The session information includes the Rasf cookie. So now, Rasf knows two things: it knows who you are, and it knows that Brand-X wants to know who you are.
How does that who you are information get back to Brand-X? Here's where the cooperation comes from. The iframe from Rasf, using the onload() event, creates yet another iframe, this time calling back to a specified page (the cross-domain receiver page) on Brand-X's site, and that URL is loaded with your user ID, a cross-domain session key, and other information, all signed with the Rasf private key (so the Brand-X site can unpack with Rasf's known public key).
There are lots of other details here. What if he's not logged in to Rasf at all? Well, enlarge the 1-pixel iframe to a size big enough to show a log-in within the Rasf domain, get his username and password, authenticate and proceed as before.
This is a generic description of what Facebook Connect does, and it's how you can do it as well.