What options exist for Single Sign-On and ASP.NET 4.0?

I have an MVC3 and Dynamic Data website that need a single sign on.

1) Can I use Windows Authentication? If so, how?
2) I am not too interested in using MS Passport
3) What other methods exist?
4) What kind of home grown solutions might there be?

newbiewebSr. Software EngineerAsked:
Who is Participating?
Todd GerbertConnect With a Mentor IT ConsultantCommented:
Another option: Forms Authentication Across Applications, http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx
newbiewebSr. Software EngineerAuthor Commented:
5) Shared memory?
newbiewebSr. Software EngineerAuthor Commented:
6) Shared Cookies?
Todd GerbertConnect With a Mentor IT ConsultantCommented:
1) Yes, but there are some caveats so it may not make sense in your environment.  It's probably most useful in a corporate intranet environment, where all web sites, users and computers are in the same domain (or forrest).  If all the client computers are using Internet Explorer, and the option to logon automatically for the applicable zone (or enforced with Group Policy), then you can use the WindowsTokenRoleProvider along with the built-in ASP.Net authentication and authorization mechanisms (http://msdn.microsoft.com/en-us/library/system.web.security.windowstokenroleprovider.aspx, http://msdn.microsoft.com/en-us/library/ff647401.aspx).  This achieves the effect of SSO since an interactive login is never seen, users are sliently logged into websites with whatever credentials they used to log onto their workstation.  I'm relatively certain that any browser other than IE won't behave this way.

2) Okie doke.

3) This article outlines a good alternative: http://aspalliance.com/1513_Cross_Site_Authentication_and_Data_Transfer.all

4) I'm not sure, but it may be possible for more than one site to use the SqlRoleProvider and share the same backing database.  When going from site 1 to site 2, you can pass a base64/Url-encoded encrypted string containing the user's name & password as a QueryString parameter which the landing page in site 2 can retrieve and use to attempt to login.  Or put the encrypted string in a <input type="hidden"> field on a form in site 1 that posts back to the landing page in site 2 (so the user won't see it on the URL).

6) I'm not sure how or if that would work - I was under the impression that sites are only able to retrieve their own cookies, which would present a problem for cross-site authentication.  I'm a little foggy on those details though, so I better leave that for someone else more knowledgeable on the topic to elaborate.
newbiewebSr. Software EngineerAuthor Commented:
Forms Authentication Across Applications seems just right. Thanks :)
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.