Solved

SSO with Shared Credential Repository or what?

Posted on 2008-06-22
Last Modified: 2010-04-06
We are about to develop a small network of portals, starting from a first successful one.
Now since I'm the developer (the only one...) the first issue to deal with was having a single authentication system for the whole network.
We will first port the site from ASP to ASP.NET and then clone it for the network. This means I'll write the portal from the basics, using the advantages of ASP.NET.
I read many useful posts on the net about SSO and about SSO with a Shared Credential Repository (SCR) in .NET, but none of those went far beyond "how" you develop it.
My problem is not how to set up the login/cookie thing but how to manage users AFTER their id and pass have been checked.
I mean, after the user is logged in, he may have different roles in one application and other roles in another one. He may be an editor in one application and only a reader in the other one, or maybe have mixed roles based on categories of the contents in both applications.
Also when this user inserts something in that application's db (for example an article), how do I tie the article to that user in that application DB if I don't have a user db there but it is in a shared repository?
To better understand, here is a practical example:
We have 2 portals making up the network: dogs and cats
In the dogs portal the user can write articles in the categories "dog therapy", "dog food".
In the cats portal the user can write articles in the category "how dogs beat cats up!"
The problem I'm facing is how to manage this kind of situation with SSO and how I bind the records (the articles) to the user with a Shared Repository.
And if I don't use a Shared Repository, how can I sync several user credentials and profiles over the several DBs of the portal network?
This is the real question... and I found no hint on the net.

Thanks in advance.
Question by:ziocantante
8 Comments
 
LVL 6

Expert Comment

by:kennethfine
ID: 21843230
Don't reinvent the wheel. This has been done for you. Have you looked at the ASP.NET Roles, Profiles, and Membership service?

Here is a 10-part series for you to explore:
http://aspnet.4guysfromrolla.com/articles/120705-1.aspx

Organizationally, you would want to set up roles for each of your apps. A given user could have different "roles" in different apps:
App1Editor
App2Contributor
App3ReadOnly

A great strength of the ASP.NET Roles system is that it is simply stored in a database. You can sync that by any of a number of means: manually, via SQL Server Database Mirroring, Log Shipping, Transactional Replication.

Happy Programming!

Author Comment

by:ziocantante
ID: 21844623
Thanks for your answer Kenneth. Even if I'm still far from deepening my knowledge of the ASP.NET services you listed, I got an overview of their capabilities.
I had a very quick read of the resource you pointed to as well and it's a very good insight into those things.
Anyway the conceptual problem still remains.
It's OK to use roles and profiles and membership, but how do you tie those to users in a single DB used for SSO? Or if you don't opt for the single DB, how do you manage the SSO with users spread across different DBs in the network? I think the first thing is to decide if it's better to go with a Shared Credential Repository or to have multiple users tables, one for each application (in this case your suggestion for mirroring could be useful, I'll take a look).
If you go for a dedicated single users DB, how do you tie different roles to them in different applications and, most of all, how do you tie records in the various DBs/apps to a particular user whose ID resides in a different DB?
If you go for multiple users DBs instead, how can you be sure that some information (like password and some profile data) is synced in all DBs, so that if a user changes his pass in one, the pass is changed in all other applications of the network?
Do you have to "hard-code" it, or are the syncing methods you listed somehow automated processes?
Which one of the 2 strategies would you follow?
LVL 13

Expert Comment

by:joechina
ID: 21859993
Hi, ziocantante,

My understanding is you want a user to access two different websites with only one login.

If you are in an intranet environment and both of your sites are hosted by IIS (ASP.NET application), you can achieve this through an Active Directory server. So both of your applications are using Windows integrated authentication.

But if you have to use forms authentication, I believe that unless you set up an authentication service, you won't be able to do what you want, because the browser does not know to send a credential for another site to the site the user is accessing (a huge security issue).

So my suggested solution is:
Set up a web application that just does the authentication. After the user is authenticated, forward the user's request to your real applications with the user's credential, based on the requested URL.
I mean instead of hitting www.dog.com or www.cat.com, the user should hit www.authenticate.com/dog or www.authenticate.com/cat.

As to the roles and privileges, you can assign a user to multiple roles, then you check whether the user is in a specific role in the code.

All three applications should point to the same user credential and membership storage.

Hope it helps

Author Comment

by:ziocantante
ID: 21860482
Thanks Joe for your answer.
I've read something and it seems you can do this with forms authentication even between different domains by setting up the same value in the machineKey.
By the way, assuming the solution you propose (with Shared Credential Repository), I still don't understand how to link records in the different DBs of the different apps, if the user table is on a separate DB.
I mean... the user authenticates in the central DB. Then when he tries to insert a record in the "cat site", how do you tie this record to the user? And how do you give different permissions on different categories in the cat site and in the dog site if you don't have a user and a user/category table for both sites?
I hope this is clear now.
Thanks for your help btw
LVL 13

Expert Comment

by:joechina
ID: 21861682
It would be interesting to read the article you mentioned.

The user id in the user database will be used to record the user for both sites.
Basically, your dog and cat applications have two connections, one to the user DB and the other to its own database.

As to the permissions, say you have a user in the database, you can create two roles in the database, one is the doguser role and the other is catuser. So in your dog site, you just check whether a user is in the doguser role.

If you have a dedicated authentication server, after the user is authenticated, the server will forward the request to your application with the user's credential. One thing you might have to do is when a user signs off from your dog/cat application, you need to notify the central server as well.

Author Comment

by:ziocantante
ID: 21863940
Let's assume you have the userID in the central user database of course, and imagine you insert an article with just "userID" "title" "description" in the "cat" application.
You'll have a record like this:
UserID: 1
Title: "Some title"
Fulltext: "Some text"

Isn't it pretty useless to have the userID there if you don't have a user table in the cat db? I cannot of course do an additional select to the central DB each time I want to display an article, else you lose all "relationships" in the tables.
LVL 13

Accepted Solution

by:
joechina earned 400 total points
ID: 21866456
It depends on how you want to design your database.

The central user database is a logical database or storage. It can be a separate schema or even a set of tables within the same schema of the cat/dog database.

Even if it's on a different database instance, you can still access it through a linked server.

Of course, if you want, you can duplicate the user storage to the cat and dog databases. But you have to maintain the data integrity through the central authentication service.
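An added example, not from the thread, of the layout the accepted solution describes: the shared user store as a separate schema in the same SQL Server database as the cat portal, with per-application (and per-category) roles, a real foreign key from articles to users, and the linked-server form of the join for the case where the store lives on another instance. Schema, table, role and server names are assumptions.

```sql
-- Shared credential store as its own schema beside the cat portal's schema
-- (all names are assumptions for illustration).
CREATE SCHEMA auth;
GO
CREATE SCHEMA cat;
GO
-- One row per user for the whole network; the application stores a password
-- hash here, never the cleartext password.
CREATE TABLE auth.Users (
    UserId       INT IDENTITY(1,1) PRIMARY KEY,
    UserName     NVARCHAR(256) NOT NULL UNIQUE,
    PasswordHash VARBINARY(64) NOT NULL
);

-- Roles are scoped per application and per content category, so one user can
-- be an editor on dogs and only a reader on cats. '*' means the whole app.
CREATE TABLE auth.UserRoles (
    UserId   INT           NOT NULL REFERENCES auth.Users(UserId),
    AppName  NVARCHAR(50)  NOT NULL,                -- 'dogs' or 'cats'
    Category NVARCHAR(50)  NOT NULL DEFAULT N'*',
    RoleName NVARCHAR(50)  NOT NULL,                -- 'editor', 'reader'
    PRIMARY KEY (UserId, AppName, Category, RoleName)
);

-- The portal's own table keeps only the UserId; because the user store lives
-- in the same database, a real FOREIGN KEY protects the relationship.
CREATE TABLE cat.Article (
    ArticleId  INT IDENTITY(1,1) PRIMARY KEY,
    UserId     INT NOT NULL REFERENCES auth.Users(UserId),
    Category   NVARCHAR(50)  NOT NULL,
    Title      NVARCHAR(200) NOT NULL,
    [Fulltext] NVARCHAR(MAX) NOT NULL
);

-- Authorization check before accepting an insert: may this user write in
-- this category of the cats portal? (Values supplied by the application.)
DECLARE @UserId INT = 1, @Category NVARCHAR(50) = N'how dogs beat cats up!';
SELECT 1 FROM auth.UserRoles AS r
WHERE r.UserId = @UserId AND r.AppName = N'cats'
  AND r.RoleName = N'editor' AND r.Category IN (@Category, N'*');

-- Displaying an article with its author is an ordinary join, no second call.
SELECT a.Title, u.UserName
FROM cat.Article AS a JOIN auth.Users AS u ON u.UserId = a.UserId;

-- If the user store is on another instance, join through a linked server. A
-- FOREIGN KEY cannot cross instances, so integrity then rests on the auth service.
SELECT a.Title, u.UserName
FROM cat.Article AS a JOIN [AuthServer].AuthDb.auth.Users AS u ON u.UserId = a.UserId;
```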

Author Comment

by:ziocantante
ID: 21868077
Thanks for your patience Joe... I still think it's a very complex thing to manage, but at least now I know it's not as easy as many solutions (all of them) you find around want you to think at first glance.
The difficulty is not in the token management but in what comes after it!
I think the best solution would be to have a central DB with basic info and then duplicate it on the "host" apps; in that case though you have to be sure about integrity of course, as you suggest.
I didn't understand the "linked server" / "single schema" thing very much though, but I will do some searches.
Thanks so far.
Any other suggestion based on real experience is always welcome though....