
  • Status: Solved

ASP.net single sign on

I am trying to have a single sign on work between different domains (i.e. www.abc.com and www.fff.com)

What I have tried to do so far is this.

On abc.com, I have a hidden iframe.  Once I log in and am forms authenticated on abc.com, I execute this line of code to "auto login" on fff.com (of course I would encrypt all data passed back and forth):

hologinframe.Attributes["src"] = "http://www.fff.com/site1/autologin.aspx?encryptedparams=xxxxx";

The autologin.aspx page does this on pageload:

        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, "username", DateTime.Now, DateTime.Now.AddMinutes(60), true, "");

        // Get the encrypted version of the ticket
        string strEncrypted = FormsAuthentication.Encrypt(ticket);

        // Put it into a cookie
        HttpCookie hc = new HttpCookie(FormsAuthentication.FormsCookieName, strEncrypted);
        hc.Expires = DateTime.Now.AddHours(12);

        Response.Cookies.Add(hc); // Add it to the cookies collection

        Response.Redirect(FormsAuthentication.GetRedirectUrl("username", true));

The odd thing that I am finding is that this works on IE, but does not on FF or Chrome.

The only way I could get the autologin to the fff.com site working on FF or Chrome is if I set the frame.src in the pageload of the login page of abc.com instead of the login_LoggedIn function.

Any help to get this working in all browsers in the login_LoggedIn function?
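
Added example, not part of the original thread or the poster's code: the question's autologin.aspx issues a forms-authentication ticket from a query-string parameter, so that parameter has to be tamper-proof, short-lived and single-use, because URLs end up in logs, history and referrers. The code below uses an HMAC-signed token rather than encryption; the class name HandoffToken, the demo key and the token layout are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: abc.com calls Create(), fff.com's autologin.aspx calls TryValidate().
public static class HandoffToken
{
    // Constructed demo key; use a random 32-byte secret shared only by the two sites.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("demo-key-replace-with-random-32B");
    // Per-process replay cache for the demo; evict entries once their token has expired.
    private static readonly HashSet<string> SeenNonces = new HashSet<string>();

    public static string Create(string username, DateTime utcNow, int lifetimeSeconds)
    {
        string nonce = Guid.NewGuid().ToString("N");
        string expires = utcNow.AddSeconds(lifetimeSeconds).Ticks.ToString();
        string payload = Convert.ToBase64String(Encoding.UTF8.GetBytes(username)) + "." + expires + "." + nonce;
        return payload + "." + Sign(payload); // URL-encode before placing in a query string
    }

    public static bool TryValidate(string token, DateTime utcNow, out string username)
    {
        username = null;
        string[] parts = (token ?? "").Split('.');
        if (parts.Length != 4) return false;
        string payload = parts[0] + "." + parts[1] + "." + parts[2];
        if (!FixedTimeEquals(Sign(payload), parts[3])) return false;                   // forged or altered
        long ticks;
        if (!long.TryParse(parts[1], out ticks) || utcNow.Ticks > ticks) return false; // expired
        lock (SeenNonces) { if (!SeenNonces.Add(parts[2])) return false; }             // replayed
        username = Encoding.UTF8.GetString(Convert.FromBase64String(parts[0]));
        return true;
    }

    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Key))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Compare without stopping at the first mismatching character.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

abc.com would URL-encode the result of Create(...) into the iframe src, and autologin.aspx would build the FormsAuthenticationTicket only when TryValidate(...) returns true, using the returned username in place of the hard-coded "username".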
1 Solution
Gary Davis, Dir Internet Svcs, Commented:
Verify your cookies are not being blocked - they may be considered 3rd-party and, depending on browser privacy settings, may be blocked. Use Firebug to view the HTTP net traffic and cookies sent by the browser.

Usually it is IE that is the problem but apparently not in this case.

Gary Davis
MikeCausi (Author) Commented:
Doesn't seem to be blocking the cookies.

I did test something different, however.  Instead of trying to access the logged_in event of the asp.net login control, I tried a regular button click on the abc.com website to auto login to the fff.com site.  This time it worked.  Something about the login control events is not letting the setting of the frame src work.
This doesn't yet resolve my problem since I want to use the built-in asp.net login control.

I think FF and Chrome block cookies which are made inside an (invisible) iframe. The element needs to be visible for the cookie to be created. What we did is that the page on the second host generates an image (this can just be a 1x1 pixel image). If you show that somewhere on the page, the cookies should be created.
MikeCausi (Author) Commented:
Going to come back to this another time, but your solution seems reasonable.
