Implement Single Sign On (SSO) for ASP.NET Web Portal

Hi Expert,

I recently deployed three web portals, and these three web portals require Single Sign On (SSO). The three portals are under the same domain (e.g. abc.com). I did some research and found that I can simply use the same machineKey to enable SSO within the same domain. However, I am still not successful.

Portal 1 : www.abc.com/API
Portal 1 is using WCF. It includes a login API. When the API is called, it encrypts an authentication ticket into a cookie and sends it to the user.

/******* Add FormsAuthentication cookie *******/
// Build a Forms ticket for the logged-in user; lifetime follows the session timeout
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, loginId, DateTime.Now, DateTime.Now.AddMinutes(HttpContext.Current.Session.Timeout), true, "");
// Encrypt and sign the ticket with this app's machineKey
string cookiestr = FormsAuthentication.Encrypt(ticket);
// Cookie name and path come from the <forms> element in web.config
HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
ck.Expires = ticket.Expiration;
ck.Path = FormsAuthentication.FormsCookiePath;
HttpContext.Current.Response.Cookies.Add(ck);
/* * * * * * * * * * * */


I also configured the Web.config machineKey node to support SSO:
  <system.web>
    <!--
            Set compilation debug="true" to insert debugging 
            symbols into the compiled page. Because this 
            affects performance, set this value to true only 
            during development.
        -->
    <machineKey
      validationKey="D4972954E80140E6A40C0F645B45DF7EB74007CFE7E1A213FB5D825D8480A8BE5C8F88A758809EB754F0677E62B70E77F02856F51B69165CDA20856893FC03F6"
      decryptionKey="14268E31D8356AB7A70EE0D6E6DB0ACA6D4ADBC7BB08C260580C33DA6383AB7A"
      validation="SHA1" decryption="AES"
    />
    
    <compilation debug="true" targetFramework="4.0"/>
    <!--
            The <authentication> section enables configuration 
            of the security authentication mode used by 
            ASP.NET to identify an incoming user. 
        -->
    <authentication mode="Forms">
      <forms cookieless="UseCookies" loginUrl="LoginService.svc" slidingExpiration="true" />
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
</system.web>
  <location path="LoginService.svc">
    <system.web>
      <authorization>
        <allow users="*"/>
      </authorization>
    </system.web>
  </location>



Portal 2 : www.abc.com/Main
Portal 2 is a JavaScript portal. It integrates with portal 1 and calls portal 1's login API before using the other APIs.

Portal 3 : www.abc.com/Report
Portal 3 is an ASP.NET portal. Only authenticated users are granted access to the pages.
Here is the web.config file:
  <system.web>
    <machineKey
      validationKey="D4972954E80140E6A40C0F645B45DF7EB74007CFE7E1A213FB5D825D8480A8BE5C8F88A758809EB754F0677E62B70E77F02856F51B69165CDA20856893FC03F6"
      decryptionKey="14268E31D8356AB7A70EE0D6E6DB0ACA6D4ADBC7BB08C260580C33DA6383AB7A"
      validation="SHA1" decryption="AES"
    />
    <authentication mode="Forms">
      <forms cookieless="UseCookies" slidingExpiration="true" loginUrl="http://www.abc.com/Main/index.html" />
    </authentication>
    <authorization>
      <deny users="?"/>
    </authorization>
  </system.web>


I generated the machineKey from http://www.developerfusion.com/tools/generatemachinekey/

David_zu asked:
Kyle Abrahams (Senior .Net Developer) commented:
I used ADFS (Active Directory Foundation Services) as well as WIF (Windows Identity Foundation) to accomplish single sign on.  It's a robust system that handles the security for you, and can handle both internal and external access.
David_zu (Author) commented:
Thanks for your info, Kyle. I just want to keep the infrastructure as simple as possible. Portal 1 is designed and maintained by another vendor, so it is hard for me to change the whole authentication framework.

The way I am trying to implement it follows the Microsoft KB https://msdn.microsoft.com/en-us/library/dd577079.aspx. However, it doesn't work. I am not sure if anyone can figure out the issue for me.

Thank you.
Kyle Abrahams (Senior .Net Developer) commented:
That's specifically for Windows Home Server. Did you set that up, and do you have the login page?

https://msdn.microsoft.com/en-us/library/bb425862.aspx

Essentially they are letting the Windows Home Server do the login page for you, and then you can redirect back to your app.
David_zu (Author) commented:
Yes, I agree this is not really relevant to my case; I just got some ideas from the post. I tested portal 3, and I cannot retrieve the cookie saved by portal 1. Is it because the cookie paths of portal 1 and portal 3 are different?
Kyle Abrahams (Senior .Net Developer) commented:
from: http://www.codeproject.com/Tips/438319/Sharing-Authentication-Cookie-between-two-ASP-NET

Try enabling enableCrossAppRedirects:

<authentication mode="Forms">
  <forms name="FormsAuthentication" path="/" loginUrl="Login.aspx"
     defaultUrl="Home.aspx" timeout="1000" cookieless="UseCookies"  
     enableCrossAppRedirects ="true" domain="10.12.88.81"
     requireSSL="false"/>
</authentication>

David_zu (Author) commented:
Thanks. I referenced your link and made some changes to my config. It is working fine now. I just changed the web.config file:

    <authentication mode="Forms">
      <forms name=".ABCSSO" cookieless="UseCookies" slidingExpiration="true" loginUrl="http://www.abc.com/Main/index.html" domain=".www.abc.com" enableCrossAppRedirects="true"/>
    </authentication>



The important part of "name" is that it shall start with ".", and the same goes for domain, which shall start with "."; "enableCrossAppRedirects" is another important property.

Thank you again for your kindly help.
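Not from the thread: an added C# diagnostic for the Report portal (class and method names are mine) that checks, in order, the three things the question and the accepted answer above turn on: whether the browser sent a cookie with the shared name/domain/path, whether this app's machineKey decrypts it, and whether the ticket is still valid.

```csharp
// Added diagnostic helper (not part of the thread). Call it from a page or
// handler under www.abc.com/Report to see why the cookie written by /API is or
// is not accepted. Class and method names are my own.
using System;
using System.Web;
using System.Web.Security;

public static class SsoCookieCheck
{
    // Returns "ok" when the shared Forms ticket is present, decryptable and
    // unexpired; otherwise a short reason pointing at the likely config mismatch.
    public static string Diagnose(HttpRequest request)
    {
        // 1. Did the browser send the cookie at all? If not, the cookie's
        //    name/domain/path did not match this request: compare <forms name=..>,
        //    domain=".." and path="/" across every web.config.
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
            return "no cookie named '" + FormsAuthentication.FormsCookieName +
                   "' reached this app: check forms name/domain/path";

        FormsAuthenticationTicket ticket;
        try
        {
            // 2. Decrypt and validate with this app's machineKey. A failure here
            //    means validationKey/decryptionKey (or the validation/decryption
            //    algorithms) differ from the app that issued the cookie. Keys
            //    generated by a third-party website should be treated as
            //    disclosed; generate them locally (IIS Manager, Machine Key).
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (Exception ex) // HttpException or CryptographicException
        {
            return "cookie present but cannot be decrypted: machineKey differs (" +
                   ex.GetType().Name + ")";
        }
        if (ticket == null)
            return "cookie present but ticket is null: machineKey differs";

        // 3. Expiry is stamped by the issuing app's clock; clock skew between
        //    the /API and /Report servers shows up here as an expired ticket.
        if (ticket.Expired)
            return "ticket for '" + ticket.Name + "' expired at " +
                   ticket.Expiration.ToString("u");

        return "ok: ticket for '" + ticket.Name + "' valid until " +
               ticket.Expiration.ToString("u");
    }
}
```

Write the returned string to the server log rather than the response, since it names the cookie and the user in the ticket.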
David_zu (Author) commented:
I fully agree ADFS is a good option. I will definitely study it for projects in the future.