I need to create a single sign-on structure and my question is: is SSL a must?Details:The application will have a link to my web application. When the user clicks that link, their local username will be passed to my web app at which point a look-up in a mapping file is done. If that local username exists in the map, then the user is logged in. If not, then the user will be prompted to enter their network username and password, and when authenticated, an entry in the map will be created.How do I ensure that user is who they say they are and not Joe Blow from off the street sending in an HTTP POST request with that username?Do I have to use SSL (and if so, what does that entail)? Would adding a salt and encrypting the username be sufficient? Maybe locking it down so the source IP has to be within a controlled range?My web app runs on IIS 6/7 and uses the ASP.NET MVC framework, if that is important.