Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 394
  • Last Modified:

How do i Set up a "SINGLE-SIGN-ON SERVER" to share credentials for mulitple asp.net applications

I need to share login credntials for applications accross domains that do not have a common ancestor, e.g.

http://secrets.com/
http://mysteries.com/

There is no way to set a cookie that is included in requests to both these domains.

In this case we need a third server, the SSO server, whose purpose is to keep track of who is logged in. When you visit a page on secrets.com, if its cookie is not set, it consults the SSO server to find if the user is already logged in, in which case it silently creates the cookie and carries on as if they had already been logged in.

Can anyone reommend a way to do this via .net - or if there are any open source solutions to do this ?
0
paulCardiff
Asked:
paulCardiff
  • 3
  • 2
2 Solutions
 
Ted BouskillSenior Software DeveloperCommented:
Developers are allowed to build websites using the 'Live ID' (formerly passport) service.  http://dev.live.com/liveid/

I don't know of any open source projects.  This type of technology is complex to build properly if security is an issue.  Making it open source exposes weaknesses.
0
 
paulCardiffAuthor Commented:
Is this free for commerical use and can i programatically create accounts for my clients?
0
 
yossi_intlockCommented:
try this (i assume that you are working with .net v 2.0 and using forms authentication): when the user sign in to one application on a domain - encrypt the auth cookie youself - you can do it by overriding the OnAuthenticate .net method.  now when the user moves to the second domain try to read this cookie by its domain name. if you  got that cookie you can decrypt it and find out the logon credencials.  you can do that by adding a global.asax file to both applications. use the Session_Start() method for reading and decrypt the auth cookie.
i havent tested this yet but i think this might work for you.  
0
Lessons on Wi-Fi & Recommendations on KRACK

Simplicity and security can be a difficult  balance for any business to tackle. Join us on December 6th for a look at your company's biggest security gap. We will also address the most recent attack, "KRACK" and provide recommendations on how to secure your Wi-Fi network today!

 
yossi_intlockCommented:
i realize now that you cannot read a cookie that belong to A domain from B domain... :) but - you can still check the referer on Session_Start() in the global.asax file and if the referrer was A domain you can call a webservice on that A domain that can get those credentials for the A domain cookie and authenticate the user.
0
 
yossi_intlockCommented:
im glad that i could help. if the solution worked for you or you found another way please tell us so we can enrich our knowledge. thanks..
0
 
paulCardiffAuthor Commented:
Sure please review the following link for more info i.e. http://forums.asp.net/t/1005856.aspx 
0

Featured Post

Identify and Prevent Potential Cyber-threats

Become the white hat who helps safeguard our interconnected world. Transform your career future by earning your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now