Solved

SSO for multiple second level domains

Posted on 2010-09-16
6
474 Views
Last Modified: 2012-05-10
Hello -

How do I implement a Single Sign On (SSO) or something similar in functionality to work with multiple web applications using the same .NET 3.5 Membership database on MS SQL server 2005?

Some of the web apps use the same second-level domain names e.g. a.site1.com and b.site1.com, however one has a different second level e.g. www.site1.com and www.site2.com

The desired functionality is for a single logon and authentication that will 'travel' across the multiple web applications.

Thanks in Advance!!
0
Comment
Question by:suzywal
  • 3
  • 3
6 Comments
 

Author Comment

by:suzywal
ID: 33704293
Please note that all domains/applications are hosted on the same server.

Thanks!
0
 
LVL 39

Expert Comment

by:Adam314
ID: 33706052
Normally within a single domain, the server would create a session it stores on the server, associates it with an ID, then sends a cookie to the client with the ID in the.  Then the client sends the ID cookie to the server on all subsequent requests, and the server can retrieve the session data with the ID.

The problem with your scenario is the client won't send one domain's cookie to another domain.  A few ways to solve this I can think of:

1) If everytime a user goes from site1.com to site2.com (or vice versa), it is through a link, you can include the session ID in the link, then the next site can use that to read the session, and create it's own session cookie.
  eg:
    user is on site1.com
    user logs in, site1.com creates session with ID 12345, and sends cookie to client
    link to site2.com is:    site2.com/some.page?session_id=12345
    site2.com reads session_id from URL, access session, and sends cookie to client

2) If option 1 isn't possible, you could use the client's IP address.  When a session is created, store which domain on which it was created, and the users IP address.  Then, when you check for an existing session, if the user doesn't supply a session ID (which normally mean there is no session for this user), when if there is a session for the users IP address that was created in a different domain.  If so, use that session.
The problem with this is if there are multiple users that share the same public IP address, you won't be able to distinguish them, and may give the user the wrong session.
0
 

Author Comment

by:suzywal
ID: 33729381
Thank you for your post, it got me thinking, perhaps misguided thinking…

Lets say that we are limiting this to two 2nd level domains:

Can one artificially create two cookies upon login for both domains…

 

Such as on a page used as a “control panel”: login once there and it could bring in pieces of each site in  … to give the user a high-level quick-look … etc …
0
3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

 
LVL 39

Expert Comment

by:Adam314
ID: 33730486
I don't believe that a browser will accept a cookie from one domain for another - this would create a possible security hole.
0
 

Author Comment

by:suzywal
ID: 33746953
Please debunk the following bad idea / contradict it with thoughts of alternative solutions please…

 

what about having browsers/windows (child) within another (parent) browser? (not necessairly visible)

 

For example: a.com has would somehow have (b.com, c.com) inside of it... therby generating the cookies?

 

In any case, the original directive was to redirect all login attempts (from any domain/page) to a centralized area providing a 'control panel' ... could this or alternative concepts be adapted to solve both; the control panel idea and the multiple cookie issue?
0
 
LVL 39

Accepted Solution

by:
Adam314 earned 500 total points
ID: 33750629
You could do this using a variation of suggestion 1 in my first post.

When someone goes to a site, if they do not have a session, redirect them to the login site.
From the login site, once someone logs in, create a session, and give them a page with an iframe for each other site, passing the session id.

For example:
main login site is main-login-site.com.
User goes to site-a.com, and is not logged in.  They are redirected to main-login-site.com.
User logs in.  If successful, a session is created, and they are given a page with:
<iframe src="site-a.com/login.cgi?session=$session" width="1" height="1"/>
<iframe src="site-b.com/login.cgi?session=$session" width="1" height="1" />
.... and so on for all sites

Then the login.cgi page on all the other sites will get the session ID from the QUERY_STRING, and create a session cookie.
0

Featured Post

3 Use Cases for Connected Systems

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, testing some more, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Learn by example how to specify CSS selectors for Selenium WebDriver test automation software.
Any business that wants to seriously grow needs to keep the needs and desires of an international audience of their websites in mind. Making a website friendly to international users isn’t prohibitively expensive and can provide an incredible return…
This tutorial demonstrates how to identify and create boundary or building outlines in Google Maps. In this example, I outline the boundaries of an enclosed skatepark within a community park.  Login to your Google Account, then  Google for "Google M…
Learn how to create flexible layouts using relative units in CSS.  New relative units added in CSS3 include vw(viewports width), vh(viewports height), vmin(minimum of viewports height and width), and vmax (maximum of viewports height and width).

912 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

23 Experts available now in Live!

Get 1:1 Help Now