Solved

SSO for multiple second level domains

Posted on 2010-09-16
6
488 Views
Last Modified: 2012-05-10
Hello -

How do I implement a Single Sign On (SSO) or something similar in functionality to work with multiple web applications using the same .NET 3.5 Membership database on MS SQL server 2005?

Some of the web apps use the same second-level domain names e.g. a.site1.com and b.site1.com, however one has a different second level e.g. www.site1.com and www.site2.com

The desired functionality is for a single logon and authentication that will 'travel' across the multiple web applications.

Thanks in Advance!!
0
6 Comments
 

Author Comment

by:suzywal
ID: 33704293
Please note that all domains/applications are hosted on the same server.

Thanks!
0
 
LVL 39

Expert Comment

by:Adam314
ID: 33706052
Normally within a single domain, the server would create a session it stores on the server, associate it with an ID, then send a cookie to the client with the ID in it.  Then the client sends the ID cookie to the server on all subsequent requests, and the server can retrieve the session data with the ID.

The problem with your scenario is the client won't send one domain's cookie to another domain.  A few ways to solve this I can think of:

1) If every time a user goes from site1.com to site2.com (or vice versa) it is through a link, you can include the session ID in the link; then the next site can use that to read the session and create its own session cookie.
  eg:
    user is on site1.com
    user logs in, site1.com creates session with ID 12345, and sends cookie to client
    link to site2.com is:    site2.com/some.page?session_id=12345
    site2.com reads session_id from URL, access session, and sends cookie to client

2) If option 1 isn't possible, you could use the client's IP address.  When a session is created, store the domain on which it was created and the user's IP address.  Then, when you check for an existing session, if the user doesn't supply a session ID (which normally means there is no session for this user), check whether there is a session for the user's IP address that was created in a different domain.  If so, use that session.
The problem with this is if there are multiple users that share the same public IP address, you won't be able to distinguish them, and may give the user the wrong session.
0
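The post above rests on the browser's cookie scoping rule, and it is worth seeing that rule run over the host names in the question. The following is an added example, not code from Adam314 or from the thread: it implements the domain-matching rule browsers apply (RFC 6265, section 5.1.3) and applies it to the placeholder hosts a.site1.com, b.site1.com, www.site1.com and www.site2.com. It generalizes the post slightly: it shows that a cookie set with Domain=site1.com is sent to every host under site1.com (so the first half of the asker's case needs no handoff at all), while a host-only cookie or a different second-level domain gets nothing.

```python
# Added example, not code from the thread: the cookie domain-matching rule a
# browser applies (RFC 6265, section 5.1.3), run over the host names the
# question uses. Host names and cookie values are placeholders.
from typing import Optional


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """True if a cookie carrying Domain=cookie_domain is sent to request_host.

    The rule: the two names are identical, or request_host ends with
    cookie_domain and the character just before that suffix is a dot.
    A leading dot on the Domain attribute is ignored by browsers, so it is
    stripped here too.  Two things browsers also do are omitted because the
    thread does not need them: refusing an IP address as a suffix, and
    refusing a Domain that is a public suffix such as "com".
    """
    host = request_host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".").rstrip(".")
    return host == domain or host.endswith("." + domain)


def cookie_is_sent(request_host: str, set_by_host: str,
                   domain_attr: Optional[str] = None) -> bool:
    """Model one cookie: set without a Domain attribute it is host-only and
    goes back only to the exact host that set it; otherwise the domain
    rule above decides."""
    if domain_attr is None:
        return request_host.lower() == set_by_host.lower()
    return domain_matches(request_host, domain_attr)


def sharing_table() -> dict:
    """Which hosts from the question receive a session cookie set by
    a.site1.com, first as a host-only cookie, then with Domain=site1.com."""
    hosts = ["a.site1.com", "b.site1.com", "www.site1.com", "www.site2.com"]
    return {
        "host_only": {h: cookie_is_sent(h, "a.site1.com") for h in hosts},
        "domain=site1.com": {h: cookie_is_sent(h, "a.site1.com", "site1.com")
                             for h in hosts},
    }


if __name__ == "__main__":
    for kind, row in sharing_table().items():
        print(kind, row)
```

Note the `endswith("." + domain)` check: a plain suffix test would let a cookie scoped to site1.com leak to an unrelated host such as evilsite1.com, which is exactly what the dot requirement prevents. For the ASP.NET side of the question, the cookie's Domain attribute is what the `domain` attribute of the `<forms>` element in web.config controls; that detail is outside this thread and is mentioned only as a pointer.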
 

Author Comment

by:suzywal
ID: 33729381
Thank you for your post, it got me thinking, perhaps misguided thinking…

Let's say that we are limiting this to two 2nd level domains:

Can one artificially create two cookies upon login for both domains…

 

Such as on a page used as a “control panel”: login once there and it could bring in pieces of each site … to give the user a high-level quick look … etc …
0
 
LVL 39

Expert Comment

by:Adam314
ID: 33730486
I don't believe that a browser will accept a cookie from one domain for another - this would create a possible security hole.
0
 

Author Comment

by:suzywal
ID: 33746953
Please debunk the following bad idea / contradict it with thoughts of alternative solutions please…

 

what about having browsers/windows (child) within another (parent) browser? (not necessarily visible)

 

For example: a.com would somehow have (b.com, c.com) inside of it... thereby generating the cookies?

 

In any case, the original directive was to redirect all login attempts (from any domain/page) to a centralized area providing a 'control panel' ... could this or alternative concepts be adapted to solve both; the control panel idea and the multiple cookie issue?
0
 
LVL 39

Accepted Solution

by: Adam314 earned 500 total points
ID: 33750629
You could do this using a variation of suggestion 1 in my first post.

When someone goes to a site, if they do not have a session, redirect them to the login site.
From the login site, once someone logs in, create a session, and give them a page with an iframe for each other site, passing the session id.

For example:
main login site is main-login-site.com.
User goes to site-a.com, and is not logged in.  They are redirected to main-login-site.com.
User logs in.  If successful, a session is created, and they are given a page with:
<iframe src="site-a.com/login.cgi?session=$session" width="1" height="1"></iframe>
<iframe src="site-b.com/login.cgi?session=$session" width="1" height="1"></iframe>
.... and so on for all sites

Then the login.cgi page on all the other sites will get the session ID from the QUERY_STRING, and create a session cookie.
0
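Both suggestion 1 in the first expert comment and the iframe page in the accepted solution hand a session identifier to another site through a URL. A URL ends up in browser history, proxy and web-server logs and the Referer header of any third-party request the landing page makes, so the raw session ID is the wrong thing to put there. The following is an added example, not code from Adam314 or from the thread, showing the same handoff with a short-lived, single-use token that is bound to one target site and signed with a secret the sites share. The shared secret, the host names, the sixty-second lifetime and the in-memory nonce set are all constructed for this example (a real deployment would keep the secret in protected configuration and the used-nonce set in a store every site can reach).

```python
# Added example, not code from the thread: a signed, expiring, single-use
# handoff token to use in place of the raw session ID in the iframe URLs.
# Values below are constructed for illustration only.
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumption: every site in the group holds this same secret in protected config.
SHARED_SECRET = b"constructed-shared-secret-not-for-production"
TOKEN_TTL_SECONDS = 60


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_handoff_token(session_id: str, target_site: str, now=None) -> str:
    """Login site: mint one token per iframe, bound to that iframe's site."""
    now = int(time.time()) if now is None else now
    payload = {
        "sid": session_id,            # the session the member site should adopt
        "aud": target_site,           # only this host may redeem the token
        "exp": now + TOKEN_TTL_SECONDS,
        "nonce": secrets.token_hex(8),  # makes the token single-use
    }
    body = _b64e(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    mac = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return body + "." + _b64e(mac)


class MemberSite:
    """One of the sites loaded in an iframe (site-a.com, site-b.com, ...)."""

    def __init__(self, hostname: str):
        self.hostname = hostname
        self.used_nonces = set()   # replay protection; shared store in real use
        self.cookies = {}          # stands in for Set-Cookie on this site's domain

    def redeem(self, token: str, now=None):
        """Verify the token from the query string; on success set this site's
        own session cookie.  Returns (ok, reason) so callers can log failures."""
        now = int(time.time()) if now is None else now
        try:
            body, sig = token.split(".", 1)
            sig_bytes = _b64d(sig)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig_bytes):
            return False, "bad signature"   # checked before anything is parsed
        payload = json.loads(_b64d(body))
        if payload["aud"] != self.hostname:
            return False, "wrong audience"   # token minted for another site
        if now > payload["exp"]:
            return False, "expired"
        if payload["nonce"] in self.used_nonces:
            return False, "replayed"         # a leaked URL cannot be reused
        self.used_nonces.add(payload["nonce"])
        # In the thread's setup this is where the site would issue its own
        # Secure, HttpOnly session cookie on its own domain.
        self.cookies["session"] = payload["sid"]
        return True, "ok"


if __name__ == "__main__":
    site_a = MemberSite("site-a.com")
    tok = issue_handoff_token("12345", "site-a.com")
    print("iframe src:", f"https://site-a.com/login.cgi?token={tok}")
    print(site_a.redeem(tok), site_a.redeem(tok))
```

The login page builds one token per iframe and substitutes it for `$session` in the accepted answer's markup; each member site's login handler calls `redeem` and only then issues its own cookie for its own domain (in ASP.NET 3.5 that step is what `FormsAuthentication.SetAuthCookie` does; that call is outside this thread). Because the signature is checked first, and the audience, expiry and nonce are checked before the cookie is set, a token copied out of a log or history entry is rejected as expired or replayed, and a token for site-a.com is useless at site-b.com.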
