Solved

SSO for multiple second level domains

Posted on 2010-09-16
6
481 Views
Last Modified: 2012-05-10
Hello -

How do I implement a Single Sign On (SSO) or something similar in functionality to work with multiple web applications using the same .NET 3.5 Membership database on MS SQL server 2005?

Some of the web apps use the same second-level domain names e.g. a.site1.com and b.site1.com, however one has a different second level e.g. www.site1.com and www.site2.com

The desired functionality is for a single logon and authentication that will 'travel' across the multiple web applications.

Thanks in Advance!!
0
Comment
Question by:suzywal
  • 3
  • 3
6 Comments
 

Author Comment

by:suzywal
ID: 33704293
Please note that all domains/applications are hosted on the same server.

Thanks!
0
 
LVL 39

Expert Comment

by:Adam314
ID: 33706052
Normally within a single domain, the server would create a session it stores on the server, associates it with an ID, then sends a cookie to the client with the ID in the.  Then the client sends the ID cookie to the server on all subsequent requests, and the server can retrieve the session data with the ID.

The problem with your scenario is the client won't send one domain's cookie to another domain.  A few ways to solve this I can think of:

1) If everytime a user goes from site1.com to site2.com (or vice versa), it is through a link, you can include the session ID in the link, then the next site can use that to read the session, and create it's own session cookie.
  eg:
    user is on site1.com
    user logs in, site1.com creates session with ID 12345, and sends cookie to client
    link to site2.com is:    site2.com/some.page?session_id=12345
    site2.com reads session_id from URL, access session, and sends cookie to client

2) If option 1 isn't possible, you could use the client's IP address.  When a session is created, store which domain on which it was created, and the users IP address.  Then, when you check for an existing session, if the user doesn't supply a session ID (which normally mean there is no session for this user), when if there is a session for the users IP address that was created in a different domain.  If so, use that session.
The problem with this is if there are multiple users that share the same public IP address, you won't be able to distinguish them, and may give the user the wrong session.
0
 

Author Comment

by:suzywal
ID: 33729381
Thank you for your post, it got me thinking, perhaps misguided thinking…

Lets say that we are limiting this to two 2nd level domains:

Can one artificially create two cookies upon login for both domains…

 

Such as on a page used as a “control panel”: login once there and it could bring in pieces of each site in  … to give the user a high-level quick-look … etc …
0
Webinar: Aligning, Automating, Winning

Join Dan Russo, Senior Manager of Operations Intelligence, for an in-depth discussion on how Dealertrack, leading provider of integrated digital solutions for the automotive industry, transformed their DevOps processes to increase collaboration and move with greater velocity.

 
LVL 39

Expert Comment

by:Adam314
ID: 33730486
I don't believe that a browser will accept a cookie from one domain for another - this would create a possible security hole.
0
 

Author Comment

by:suzywal
ID: 33746953
Please debunk the following bad idea / contradict it with thoughts of alternative solutions please…

 

what about having browsers/windows (child) within another (parent) browser? (not necessairly visible)

 

For example: a.com has would somehow have (b.com, c.com) inside of it... therby generating the cookies?

 

In any case, the original directive was to redirect all login attempts (from any domain/page) to a centralized area providing a 'control panel' ... could this or alternative concepts be adapted to solve both; the control panel idea and the multiple cookie issue?
0
 
LVL 39

Accepted Solution

by:
Adam314 earned 500 total points
ID: 33750629
You could do this using a variation of suggestion 1 in my first post.

When someone goes to a site, if they do not have a session, redirect them to the login site.
From the login site, once someone logs in, create a session, and give them a page with an iframe for each other site, passing the session id.

For example:
main login site is main-login-site.com.
User goes to site-a.com, and is not logged in.  They are redirected to main-login-site.com.
User logs in.  If successful, a session is created, and they are given a page with:
<iframe src="site-a.com/login.cgi?session=$session" width="1" height="1"/>
<iframe src="site-b.com/login.cgi?session=$session" width="1" height="1" />
.... and so on for all sites

Then the login.cgi page on all the other sites will get the session ID from the QUERY_STRING, and create a session cookie.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article will inform Clients about common and important expectations from the freelancers (Experts) who are looking at your Gig.
FAQ pages provide a simple way for you to supply and for customers to find answers to the most common questions about your company. Here are six reasons why your company website should have a FAQ page
Viewers will get an overview of the benefits and risks of using Bitcoin to accept payments. What Bitcoin is: Legality: Risks: Benefits: Which businesses are best suited?: Other things you should know: How to get started:
This tutorial will teach you the core code needed to finalize the addition of a watermark to your image. The viewer will use a small PHP class to learn and create a watermark.

839 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question