Solved

SSO for multiple second level domains

Posted on 2010-09-16
472 Views
Last Modified: 2012-05-10
Hello -

How do I implement a Single Sign On (SSO) or something similar in functionality to work with multiple web applications using the same .NET 3.5 Membership database on MS SQL server 2005?

Some of the web apps use the same second-level domain name, e.g. a.site1.com and b.site1.com; however, one has a different second-level domain, e.g. www.site1.com and www.site2.com.

The desired functionality is for a single logon and authentication that will 'travel' across the multiple web applications.

Thanks in Advance!!
Question by:suzywal
6 Comments
 

Author Comment

by:suzywal
ID: 33704293
Please note that all domains/applications are hosted on the same server.

Thanks!
LVL 39

Expert Comment

by:Adam314
ID: 33706052
Normally, within a single domain, the server creates a session that it stores on the server, associates it with an ID, then sends a cookie to the client with the ID in it.  The client then sends the ID cookie to the server on all subsequent requests, and the server can retrieve the session data with the ID.

The problem with your scenario is the client won't send one domain's cookie to another domain.  A few ways to solve this I can think of:

1) If every time a user goes from site1.com to site2.com (or vice versa) it is through a link, you can include the session ID in the link; the next site can then use that to read the session and create its own session cookie.
  eg:
    user is on site1.com
    user logs in, site1.com creates session with ID 12345, and sends cookie to client
    link to site2.com is:    site2.com/some.page?session_id=12345
    site2.com reads session_id from URL, access session, and sends cookie to client

2) If option 1 isn't possible, you could use the client's IP address.  When a session is created, store the domain on which it was created and the user's IP address.  Then, when you check for an existing session and the user doesn't supply a session ID (which normally means there is no session for this user), check whether there is a session for the user's IP address that was created in a different domain.  If so, use that session.
The problem with this is if there are multiple users that share the same public IP address, you won't be able to distinguish them, and may give the user the wrong session.

Author Comment

by:suzywal
ID: 33729381
Thank you for your post, it got me thinking, perhaps misguided thinking…

Let's say that we are limiting this to two 2nd-level domains:

Can one artificially create two cookies upon login for both domains…

 

Such as on a page used as a “control panel”: login once there and it could bring in pieces of each site … to give the user a high-level quick-look … etc …
LVL 39

Expert Comment

by:Adam314
ID: 33730486
I don't believe that a browser will accept a cookie from one domain for another - this would create a possible security hole.
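The cross-domain cookie rule that Adam314 describes in his first comment and in the comment just above can be checked directly. The following is an added example, not code from the original thread: it uses Python's http.cookiejar, whose DefaultCookiePolicy applies the same Domain-attribute matching a browser does, to show which of three cookies set by a.site1.com are stored and which hosts later receive them. The hostnames, cookie names and the Set-Cookie headers are constructed for the example.

```python
"""Added example: which cookies a browser stores and sends across hosts.

http.cookiejar implements browser-style cookie domain matching, so it can
show why a.site1.com and b.site1.com can share a cookie (Domain=site1.com)
while a.site1.com cannot plant a cookie for www.site2.com at all.
All hostnames and Set-Cookie values below are constructed for the example.
"""
import email.message
import http.cookiejar
import urllib.request


class _FakeResponse:
    """Minimal stand-in for an HTTP response: CookieJar only needs .info()."""

    def __init__(self, set_cookie_values):
        self._headers = email.message.Message()
        for value in set_cookie_values:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def receive_cookies(jar, origin_url, set_cookie_values):
    """Feed Set-Cookie headers received from origin_url into the jar.

    Returns the sorted names of every cookie the jar accepted; cookies whose
    Domain attribute does not cover the origin host are silently dropped,
    exactly as a browser drops them.
    """
    request = urllib.request.Request(origin_url)
    jar.extract_cookies(_FakeResponse(set_cookie_values), request)
    return sorted(cookie.name for cookie in jar)


def cookies_sent(jar, url):
    """Return the sorted names of the cookies the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    header = request.get_header("Cookie")
    if not header:
        return []
    return sorted(part.split("=", 1)[0].strip() for part in header.split(";"))


def demo():
    """Simulate one login response from a.site1.com and three follow-up requests."""
    jar = http.cookiejar.CookieJar()
    stored = receive_cookies(jar, "http://a.site1.com/login", [
        # No Domain attribute: host-only, returned to a.site1.com and nothing else.
        "host_only=1; Path=/",
        # Domain=site1.com: shared by every host under site1.com.
        "shared=2; Domain=site1.com; Path=/",
        # Domain=site2.com: a.site1.com is not inside site2.com, so this is rejected.
        "foreign=3; Domain=site2.com; Path=/",
    ])
    return {
        "stored": stored,
        "a.site1.com": cookies_sent(jar, "http://a.site1.com/"),
        "b.site1.com": cookies_sent(jar, "http://b.site1.com/"),
        "www.site2.com": cookies_sent(jar, "http://www.site2.com/"),
    }


if __name__ == "__main__":
    for host, names in demo().items():
        print("%-14s %s" % (host, names))
```

The practical consequence for the question: the a.site1.com / b.site1.com pair can be covered with a single cookie scoped to Domain=site1.com, while site2.com needs its own cookie set by a response from a site2.com host, which is what the handoff in the accepted solution provides.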

Author Comment

by:suzywal
ID: 33746953
Please debunk the following bad idea / contradict it with thoughts of alternative solutions please…

 

what about having browsers/windows (child) within another (parent) browser? (not necessarily visible)

 

For example: a.com would somehow have (b.com, c.com) inside of it... thereby generating the cookies?

 

In any case, the original directive was to redirect all login attempts (from any domain/page) to a centralized area providing a 'control panel' ... could this or alternative concepts be adapted to solve both; the control panel idea and the multiple cookie issue?
LVL 39

Accepted Solution

by:Adam314 (earned 500 total points)
ID: 33750629
You could do this using a variation of suggestion 1 in my first post.

When someone goes to a site, if they do not have a session, redirect them to the login site.
From the login site, once someone logs in, create a session, and give them a page with an iframe for each other site, passing the session id.

For example:
main login site is main-login-site.com.
User goes to site-a.com, and is not logged in.  They are redirected to main-login-site.com.
User logs in.  If successful, a session is created, and they are given a page with:
<iframe src="site-a.com/login.cgi?session=$session" width="1" height="1"></iframe>
<iframe src="site-b.com/login.cgi?session=$session" width="1" height="1"></iframe>
.... and so on for all sites

Then the login.cgi page on all the other sites will get the session ID from the QUERY_STRING, and create a session cookie.
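The handoff above, and option 1 in Adam314's first comment that it builds on, pass the master session ID itself in the query string of each iframe URL. A practitioner should not ship that as written: anything in a URL ends up in browser history, proxy and web-server logs, and the Referer header of every outbound link on the landing page, and a value that doubles as the login site's session cookie can then be replayed or fixed. The following is an added example, not code from the original thread, that keeps the iframe fan-out but replaces the bare session ID with a short-lived, single-use handoff token signed with an HMAC and bound to the target site; the member site checks the signature, audience, expiry and a replay list, then issues its own freshly generated session ID. The shared key, site names, URL layout and 60-second lifetime are assumptions of the example.

```python
"""Added example: the accepted solution's iframe handoff, done with a
signed, single-use, audience-bound token instead of the raw session ID.

Assumptions (not from the original post): one HMAC key shared out of band
by the login site and all member sites, a /login?token=... endpoint on each
member site, and a 60-second token lifetime.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SHARED_KEY = b"example-only-key-replace-and-rotate"   # assumption: distributed out of band
TOKEN_TTL_SECONDS = 60


def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=")


def _b64d(text):
    return base64.urlsafe_b64decode(text + b"=" * (-len(text) % 4))


class LoginSite:
    """Central login site: owns the master session and mints one token per member site."""

    def __init__(self, key=SHARED_KEY, clock=time.time):
        self._key = key
        self._clock = clock            # injectable so expiry can be tested deterministically
        self.sessions = {}             # master session id -> username

    def login(self, username):
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def mint_token(self, sid, target_site):
        """base64(payload) '.' base64(HMAC-SHA256(payload)).

        'aud' ties the token to one site so a token captured from the site-a
        iframe URL is useless against site-b; 'jti' lets the receiver reject replays.
        """
        payload = {
            "sub": self.sessions[sid],
            "aud": target_site,
            "exp": int(self._clock()) + TOKEN_TTL_SECONDS,
            "jti": secrets.token_urlsafe(16),
        }
        body = _b64e(json.dumps(payload, sort_keys=True).encode())
        tag = hmac.new(self._key, body, hashlib.sha256).digest()
        return (body + b"." + _b64e(tag)).decode()

    def handoff_page(self, sid, sites):
        """The hidden-iframe page from the accepted solution, one frame per member site."""
        return "\n".join(
            '<iframe src="https://%s/login?token=%s" width="1" height="1"></iframe>'
            % (site, self.mint_token(sid, site))
            for site in sites
        )


class MemberSite:
    """A site behind the login site; /login?token=... exchanges the token for a local session."""

    def __init__(self, name, key=SHARED_KEY, clock=time.time):
        self.name = name
        self._key = key
        self._clock = clock
        self._used_jti = set()         # replay list; in production, a store with TTL >= token lifetime
        self.sessions = {}             # local session id -> username

    def _verify(self, token):
        """Return the username if the token is genuine, for this site, unexpired and unused."""
        try:
            body, tag_b64 = token.encode().split(b".", 1)
            expected = hmac.new(self._key, body, hashlib.sha256).digest()
            if not hmac.compare_digest(expected, _b64d(tag_b64)):   # constant-time check first
                return None
            payload = json.loads(_b64d(body))
        except (ValueError, TypeError):
            return None
        if payload.get("aud") != self.name:            # minted for a different site
            return None
        if payload.get("exp", 0) < self._clock():      # expired
            return None
        jti = payload.get("jti")
        if not jti or jti in self._used_jti:           # replayed
            return None
        self._used_jti.add(jti)
        return payload.get("sub")

    def login_from_token(self, token):
        """Handler for /login?token=...; returns the Set-Cookie value, or None if rejected."""
        user = self._verify(token)
        if user is None:
            return None
        local_sid = secrets.token_urlsafe(32)          # fresh id, never the login site's id
        self.sessions[local_sid] = user
        return "sid=%s; Path=/; HttpOnly; Secure" % local_sid
```

Two design points worth keeping even if the token format changes: the member site never reuses the login site's session identifier, so a leaked handoff URL cannot be turned into the master session, and the replay list must be shared by all instances of a member site (a database table or cache keyed by jti), otherwise a load-balanced deployment will accept the same token once per node.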