Solved

What options exist for Single Sign-On and ASP.NET 4.0?

Posted on 2011-03-04
5
362 Views
Last Modified: 2012-05-11
I have an MVC3 and Dynamic Data website that need a single sign on.

1) Can I use Windows Authentication? If so, how?
2) I am not too interested in using MS Passport
3) What other methods exist?
4) What kind of home grown solutions might there be?

Thanks,
newbieweb
0
Comment
Question by:newbieweb
  • 3
  • 2
5 Comments
 

Author Comment

by:newbieweb
ID: 35039926
5) Shared memory?
0
 

Author Comment

by:newbieweb
ID: 35040172
6) Shared Cookies?
0
 
LVL 33

Assisted Solution

by:Todd Gerbert
Todd Gerbert earned 500 total points
ID: 35041375
1) Yes, but there are some caveats so it may not make sense in your environment.  It's probably most useful in a corporate intranet environment, where all web sites, users and computers are in the same domain (or forrest).  If all the client computers are using Internet Explorer, and the option to logon automatically for the applicable zone (or enforced with Group Policy), then you can use the WindowsTokenRoleProvider along with the built-in ASP.Net authentication and authorization mechanisms (http://msdn.microsoft.com/en-us/library/system.web.security.windowstokenroleprovider.aspx, http://msdn.microsoft.com/en-us/library/ff647401.aspx).  This achieves the effect of SSO since an interactive login is never seen, users are sliently logged into websites with whatever credentials they used to log onto their workstation.  I'm relatively certain that any browser other than IE won't behave this way.

2) Okie doke.

3) This article outlines a good alternative: http://aspalliance.com/1513_Cross_Site_Authentication_and_Data_Transfer.all

4) I'm not sure, but it may be possible for more than one site to use the SqlRoleProvider and share the same backing database.  When going from site 1 to site 2, you can pass a base64/Url-encoded encrypted string containing the user's name & password as a QueryString parameter which the landing page in site 2 can retrieve and use to attempt to login.  Or put the encrypted string in a <input type="hidden"> field on a form in site 1 that posts back to the landing page in site 2 (so the user won't see it on the URL).

6) I'm not sure how or if that would work - I was under the impression that sites are only able to retrieve their own cookies, which would present a problem for cross-site authentication.  I'm a little foggy on those details though, so I better leave that for someone else more knowledgeable on the topic to elaborate.
0
 
LVL 33

Accepted Solution

by:
Todd Gerbert earned 500 total points
ID: 35041483
Another option: Forms Authentication Across Applications, http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
0
 

Author Closing Comment

by:newbieweb
ID: 35056613
Forms Authentication Across Applications seems just right. Thanks :)
0

Featured Post

How our DevOps Teams Maximize Uptime

Our Dev teams are like yours. They’re continually cranking out code for new features/bugs fixes, testing, deploying, responding to production monitoring events and more. It’s complex. So, we thought you’d like to see what’s working for us. Read the use case whitepaper.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article is for Object-Oriented Programming (OOP) beginners. An Interface contains declarations of events, indexers, methods and/or properties. Any class which implements the Interface should provide the concrete implementation for each Inter…
The article shows the basic steps of integrating an HTML theme template into an ASP.NET MVC project
I've attached the XLSM Excel spreadsheet I used in the video and also text files containing the macros used below. https://filedb.experts-exchange.com/incoming/2017/03_w12/1151775/Permutations.txt https://filedb.experts-exchange.com/incoming/201…

807 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question