Improve company productivity with a Business Account.Sign Up


SSO with Shared Credential Repository or what?

Posted on 2008-06-22
Medium Priority
Last Modified: 2010-04-06
We are next to develop a small network of portals starting from a first successful one.
Now since I'm the developer (the only one...) the first issue to deal with was having a single authentication system for all the network.
We will first port the site from ASP to ASP.NET and then clone it for the network. This means I'll write the portal from basics using the advantages of ASP.NET.
I ready many useful posts on the net about SSO and about SSO with a Shared Credential Repository (SCR) in .NET but none of those went far from "how" you develop it.
My problem is not how to setup the login/cookie thing but how to manage users AFTER their id and pass has been checked.
I mean, after the user is logged, I may have different roles in one application and other roles in another one. He may be an editor in one application and only a reader in the other one, or maybe have mixed roles based on categories of the contents in both applications.
Also when this user insert something in that application db (for example an article), how do I tied the article to that user in that application DB if I don't have a user db there but is in a shared repository?
To better understand here is a pratical example:
We have 2 portals making up the network: dogs and cats
In the dogs portal the user can write articles in the categories "dog therapy", "dog food".
In the cats portal the user can write in articles in the category "how dogs beat cats up!"
The problem I'm facing is how to manage this kind of situation with a SSO and how I bind the records (the articles) to the user with a Shared Repository.
And if I don't use a Shared Repository ho can I sync several user credientials and profiles over severals DBs of the portal network?
This is the real question ..... and I found no hint on the net.

Thanks in advance.
Question by:ziocantante
  • 4
  • 3

Expert Comment

ID: 21843230
Don't reinvet the wheel. This has been done for you. Have you looked at the ASP.NET Roles, Profiles, and Membership service?

Here is a 10-part series for you to explore: 

Organizationally, you would want to set up roles for each of your apps. A given user could have different "roles" in different apps:

A great strength of the ASP.NET Roles system is that it is simply stored in a database. You can sync that by any of a number of means: manually, via SQL Server Database Mirroring, Log Shipping, Transactional Replication.

Happy Programming!

Author Comment

ID: 21844623
Thanks for your answer Kenneth. Even if I'm still far from deepening my knowledge in ASP.NET services you listed, I got an overview of their capabilities.
I had a very fast reading at the resource you pointed as well and it's a very good insight in those things.
Anyway the conceptual problem still remains.
It' ok to use roles and profiles and membership but how you tie those to users in a single DB used for SSO. Or if you don't opt for the single DB how do you manage the SSO with users spanned in different DBs in the network? I think the first thing is to decide if it's better to go with a Shared Credential Repository or to have multiple users tables, one for each application (in this case your suggestion for mirroring could be useful I'll take a look).
If you go for a dedicated single users DB, how do you tie different roles to them in different application and most of all how do you tie records in the various DB/apps to a particular user whose ID resideds in a different DB?
If you go for multple users DB instead, how can you be sure that some informations (like password and some profilation) are synced in all DBs, so that if a user changes his pass in one, the pass is changed in all other applications of the network?
Do you have to "hard-code" it, or the syncing methods you listed are somehow automated process?
Wich one of the 2 strategies would you follow?
LVL 13

Expert Comment

ID: 21859993
Hi, ziocantante,

My understanding is you want a user to access two different websites with only one login.

If you are in an intranet environment and both of your sites are hosted by IIS (ASP.NET application), you can achieve this through an Active Directory server. So both of your applications are using windows integrated authentication.

But if you have to use form's authentication, I believe unless you setup an authentication service, you won't be able to do what you want. Because the browser does not know to send a creditial of another site to the site the user is accessing. (A huge security issue)

So my suggested solution is:
Setup a web application just does the authentication. After the user is authenticated then forward the user's request to your real applications with user's credential based on requested URL.
I mean instead of hitting or, the user should hit or

As to the roles and privileges, you can assign a user to multiple roles, then you check whether the user is in a specific role in the code.

All three application should point to the same user credential and membership storage.

Hope it helps
What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.


Author Comment

ID: 21860482
Thanks Joe for your answer.
I've read something and it seems you can do this with form autentication even between different domains settin up the same value in the machineKey.
By the way, assuming the solution you propose (with Shared Credential Repository) I still don't understand how to link records in the different DBs of the different apps, if the user table is on a separate DB.
I mean... the user autenticathes in the central DB. Then when he tries to insert a record in the "cat site" how do you tie this record to the user? And how you give differente permission on different categories in the cat site and in the dog site if you don't have a user and a user/category table for both sites?
I hope this is clear now.
Thanks for your help btw
LVL 13

Expert Comment

ID: 21861682
It would be interesting to read the article you mentioned.

The user id in the user database will be used to record the user for both site.
Basically, your dog and cat applications have two connections, one to user DB and the other to it's own database.

As to the permission, say you have a user in database, you can create two roles in database, and one is doguser role and the other is catuser. So in you dog site, you just check whether a user is in doguser role.

If you have a dedicated authentication server, after the user is authenticated, the server will forward the request to your application with user's credential. One thing you might have to do is when a user signs off from your dog/cat application, you need to notify the central server as well.

Author Comment

ID: 21863940
Let's assume you have the userID in the central usser database of course, and imagine you insert an article with just "userID" "title" "description" in the "cat" application.
You'll have a record like this:
UserID: 1
Title: "Some title"
Fulltext: "Some text"

Isn't this pretty useless to have the userID there if you don't have a user table in the cat db? I cannot of course do an additional select to the central DB each time I want to display an article, alse you loose all "relationships" in the tables.
LVL 13

Accepted Solution

joechina earned 1200 total points
ID: 21866456
It depends on how you want to design your database.

The central user database is a logical database or storage. It can be a separate schema or even a set of tables within the same schema of cat/dog database.  

Even it's on a different instance of database, you still can access it through linked server.

Of course, if you want, you can duplicate the user storage to cat and dog databases. But you have to maintain the data integrity through the central authentication service.

Author Comment

ID: 21868077
Thanks for your patience Joe... I still think a very complex thing to manage but at least now I know it's not so easy as many solutions (all of them) you find around want you to think at a first glance.
The difficulty is not in the token management but what comes after it!
I think the best solution would be to have a central DB with basic info and then duplicate it on "host" apps, in that case though you have to be sure about integrity of course as you suggest.
I didn't understand very muscj the "linked server" / "single schema" thing though but I will do some searches.
Thanks so far.
Any other suggestion based on real experience is always welcome though....

Featured Post

What Kind of Coding Program is Right for You?

There are many ways to learn to code these days. From coding bootcamps like Flatiron School to online courses to totally free beginner resources. The best way to learn to code depends on many factors, but the most important one is you. See what course is best for you.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

In part one, we reviewed the prerequisites required for installing SQL Server vNext. In this part we will explore how to install Microsoft's SQL Server on Ubuntu 16.04.
Without even knowing it, most of us are using web applications on a daily basis.  In fact, Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We generally confuse these web applications to…
Viewers will learn how the fundamental information of how to create a table.
Viewers will learn how to use the SELECT statement in SQL to return specific rows and columns, with various degrees of sorting and limits in place.

606 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question