About 3 times in my career now I have listened to people come up with large webservice designs and token generation systems to get round sending a use off to another system/company while providing the other company a lump of information to give with them.
The systems normally involve calling a web service at the destination, send a load of data to them. Them storing it in a database, giving you back a guid or int which identifies that record, then you redirecting the user to them with that ID in the query string.
Then when the user gets there, they load all the data from the database and do what they will with it. There is also always some planning for cleaing up after users that don’t successfully redirect and removing the useless rows in the DB.
There are always issues with calling the webservices through firewalls and allowing it at both ends for the right ips etc.
These are all attributes of a complex integration framework for when there is no other option.
3 Times no I have spoken up with a simple suggestion that wipes all of that complexity out.
3 times this has been implemented in a few hours with no firewall changes, db implementation or any of the other complexity and people always are amazed it wasn’t thought of earlier.
For future reference everybody, the one person on the web who has existing connectivity to you and a third party and is in a perfect position to initiate and manage the user sessions is – the user.