Solved

SSO for multiple second level domains

Posted on 2010-09-16
Last Modified: 2012-05-10
Hello -

How do I implement a Single Sign On (SSO) or something similar in functionality to work with multiple web applications using the same .NET 3.5 Membership database on MS SQL server 2005?

Some of the web apps use the same second-level domain name, e.g. a.site1.com and b.site1.com; however, one has a different second-level domain, e.g. www.site1.com and www.site2.com.

The desired functionality is for a single logon and authentication that will 'travel' across the multiple web applications.

Thanks in Advance!!
Question by:suzywal


Author Comment

by:suzywal
ID: 33704293
Please note that all domains/applications are hosted on the same server.

Thanks!

Expert Comment

by:Adam314
ID: 33706052
Normally within a single domain, the server would create a session it stores on the server, associate it with an ID, then send a cookie to the client with the ID in it.  Then the client sends the ID cookie to the server on all subsequent requests, and the server can retrieve the session data with the ID.

The problem with your scenario is the client won't send one domain's cookie to another domain.  A few ways to solve this I can think of:

1) If every time a user goes from site1.com to site2.com (or vice versa), it is through a link, you can include the session ID in the link, then the next site can use that to read the session, and create its own session cookie.
  eg:
    user is on site1.com
    user logs in, site1.com creates session with ID 12345, and sends cookie to client
    link to site2.com is:    site2.com/some.page?session_id=12345
    site2.com reads session_id from URL, access session, and sends cookie to client

2) If option 1 isn't possible, you could use the client's IP address.  When a session is created, store the domain on which it was created, and the user's IP address.  Then, when you check for an existing session, if the user doesn't supply a session ID (which normally means there is no session for this user), check whether there is a session for the user's IP address that was created in a different domain.  If so, use that session.
The problem with this is if there are multiple users that share the same public IP address, you won't be able to distinguish them, and may give the user the wrong session.

Author Comment

by:suzywal
ID: 33729381
Thank you for your post, it got me thinking, perhaps misguided thinking…

Lets say that we are limiting this to two 2nd level domains:

Can one artificially create two cookies upon login for both domains…

Such as on a page used as a “control panel”: login once there and it could bring in pieces of each site in  … to give the user a high-level quick-look … etc …

Expert Comment

by:Adam314
ID: 33730486
I don't believe that a browser will accept a cookie from one domain for another - this would create a possible security hole.
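Browser cookie scoping, as an added example that is not part of the thread: a simplified implementation of the RFC 6265 domain-match rule, showing that a.site1.com and b.site1.com can share one cookie set with Domain=site1.com, while www.site2.com can neither receive nor be sent it. The function names are this example's own, and the public-suffix check that real browsers also apply (rejecting Domain=com, for instance) is left out.

```python
"""Cookie Domain scoping per RFC 6265 (simplified; no public-suffix list).

Added example, not from the original thread. Demonstrates why a.site1.com
and b.site1.com can share a single cookie (Domain=site1.com) while a host
under site2.com cannot receive it, which is what forces the cross-domain
hand-off discussed in this thread.
"""


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: request_host domain-matches cookie_domain when
    the two are identical, or request_host ends with '.' + cookie_domain.
    Both sides are lowercased; IP-address hosts are not considered here."""
    host = request_host.lower().rstrip(".")
    dom = cookie_domain.lower().strip(".")
    if not dom:
        return False
    if host == dom:
        return True
    return host.endswith("." + dom)


def browser_accepts_set_cookie(request_host: str, domain_attr: str = "") -> bool:
    """RFC 6265 section 5.3 step 6: a Set-Cookie carrying a Domain attribute
    is ignored unless the request host domain-matches that attribute.
    Assumption: no public-suffix list, so Domain=com is not rejected here
    as a real browser would."""
    if not domain_attr:
        return True  # host-only cookie: always accepted for the request host
    return domain_matches(request_host, domain_attr)


def cookie_sent_to(request_host: str, cookie_domain: str, host_only: bool) -> bool:
    """RFC 6265 section 5.4: a host-only cookie goes only to the exact host
    it was set by; a domain cookie goes to every host that domain-matches."""
    if host_only:
        return request_host.lower().rstrip(".") == cookie_domain.lower().rstrip(".")
    return domain_matches(request_host, cookie_domain)


if __name__ == "__main__":
    # Constructed cases from the question: same second level vs. different.
    print(browser_accepts_set_cookie("a.site1.com", "site1.com"))      # True
    print(cookie_sent_to("b.site1.com", "site1.com", host_only=False))  # True
    print(browser_accepts_set_cookie("www.site2.com", "site1.com"))    # False
```

In practice this means the a.site1.com / b.site1.com pair in the question needs no SSO hand-off at all: one cookie with Domain=site1.com (plus Secure and HttpOnly) covers both. Only the site2.com host needs a cross-domain mechanism.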

Author Comment

by:suzywal
ID: 33746953
Please debunk the following bad idea / contradict it with thoughts of alternative solutions please…

What about having browsers/windows (child) within another (parent) browser? (not necessarily visible)

For example: a.com would somehow have (b.com, c.com) inside of it... thereby generating the cookies?

In any case, the original directive was to redirect all login attempts (from any domain/page) to a centralized area providing a 'control panel' ... could this or alternative concepts be adapted to solve both the control panel idea and the multiple cookie issue?

Accepted Solution

by:
Adam314 earned 2000 total points
ID: 33750629
You could do this using a variation of suggestion 1 in my first post.

When someone goes to a site, if they do not have a session, redirect them to the login site.
From the login site, once someone logs in, create a session, and give them a page with an iframe for each other site, passing the session id.

For example:
main login site is main-login-site.com.
User goes to site-a.com, and is not logged in.  They are redirected to main-login-site.com.
User logs in.  If successful, a session is created, and they are given a page with:
<iframe src="site-a.com/login.cgi?session=$session" width="1" height="1"></iframe>
<iframe src="site-b.com/login.cgi?session=$session" width="1" height="1"></iframe>
.... and so on for all sites

Then the login.cgi page on all the other sites will get the session ID from the QUERY_STRING, and create a session cookie.
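The hand-off described in option 1 of the first expert comment and in the accepted solution, as an added example that is not part of the thread and does not use any .NET Membership API: a central login site creates its session and emits one hidden-iframe URL per member site, and each member site's login endpoint turns that URL into its own cookie. The example differs from the thread's sketch in one deliberate respect: the URL carries a short-lived, single-use, HMAC-signed token bound to the target site rather than the raw session ID, because a session ID placed in a URL ends up in server logs and Referer headers, and anyone who sees it can ride the session. SSO_KEY, the in-memory dicts standing in for the shared Membership database, and all function and site names are assumptions of this example.

```python
"""Central-login hand-off with signed, single-use, per-site tokens.

Added example, not from the original thread. Models the accepted answer's
flow (central login page -> one hidden iframe per member site -> that
site's login endpoint sets its own cookie) but passes a signed token
instead of the raw session ID. All names and the in-memory stores are
assumptions; a real deployment would back them with the shared database.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time

SSO_KEY = secrets.token_bytes(32)        # shared secret, assumed deployed to every site
TOKEN_TTL = 60                           # seconds a hand-off token stays valid
SITES = ["site-a.com", "site-b.com"]     # member sites named in the accepted answer

central_sessions = {}                    # login site: session_id -> username
site_sessions = {s: {} for s in SITES}   # each member site: cookie value -> username
used_nonces = set()                      # replay protection: every token is single-use


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def central_login(username: str, now: float = None):
    """Login site: create its own session, then mint the iframe URLs."""
    sid = secrets.token_urlsafe(32)
    central_sessions[sid] = username
    return sid, issue_handoff_tokens(sid, now)


def issue_handoff_tokens(sid: str, now: float = None):
    """One URL per member site. Each token is bound to that site ('aud'),
    expires after TOKEN_TTL, and carries a random nonce so it can be used once."""
    now = time.time() if now is None else now
    user = central_sessions[sid]
    urls = []
    for site in SITES:
        claims = {"sub": user, "aud": site, "exp": int(now) + TOKEN_TTL,
                  "nonce": secrets.token_hex(16)}
        body = _b64(json.dumps(claims, sort_keys=True).encode())
        sig = _b64(hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest())
        urls.append(f"https://{site}/login?token={body}.{sig}")
    return urls


def token_from_url(url: str) -> str:
    """What the member site's endpoint reads from QUERY_STRING."""
    return url.split("token=", 1)[1]


def site_login(site: str, token: str, now: float = None):
    """Member-site endpoint behind the iframe. Verifies signature, audience,
    expiry and single use, then issues a fresh cookie value for this site.
    Returns the cookie value, or None when the token is rejected."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = _b64(hmac.new(SSO_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return None                       # forged or tampered token
    claims = json.loads(_unb64(body))
    if claims["aud"] != site or claims["exp"] < now or claims["nonce"] in used_nonces:
        return None                       # token for another site, expired, or replayed
    used_nonces.add(claims["nonce"])
    cookie = secrets.token_urlsafe(32)    # per-site session; never reuse the central ID
    site_sessions[site][cookie] = claims["sub"]
    return cookie


if __name__ == "__main__":
    sid, urls = central_login("alice")
    for url in urls:
        site = url.split("//", 1)[1].split("/", 1)[0]
        print(site, "cookie issued:", site_login(site, token_from_url(url)) is not None)
```

The iframe page would then render `<iframe src="...">` once per entry of `issue_handoff_tokens`, and each member site sets its cookie with the Secure and HttpOnly flags from `site_login`. Since the `used_nonces` set is shared by all sites here, it stands in for a table in the common database; keyed per site it would still work, because every token is already bound to a single audience.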