David_zu
asked on
Implement Single Sign On (SSO) for ASP.NET Web Portal
Hi Expert,
I recently deployed three web portals, and these three web portals require Single Sign On (SSO). The three portals are under the same domain (e.g. abc.com). I did some research and found I can simply use the same machineKey to enable SSO for the same domain. However, I am still not successful.
Portal 1 : www.abc.com/API
Portal 1 is using WCF. It includes a login API. When the API is called, it encrypts an authentication ticket into a cookie and sends it to the user.
/******* Add FormsAuthentication Cookies *******/
// Requires: using System; using System.Web; using System.Web.Security;
// Build a forms-authentication ticket for the logged-in user; it expires with the session timeout (minutes).
FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(1, loginId, DateTime.Now, DateTime.Now.AddMinutes(HttpContext.Current.Session.Timeout), true, "");
// Encrypt and sign the ticket with the machineKey configured in web.config.
string cookiestr = FormsAuthentication.Encrypt(ticket);
// Cookie name and path come from the <forms> element (defaults: ".ASPXAUTH" and "/").
HttpCookie ck = new HttpCookie(FormsAuthentication.FormsCookieName, cookiestr);
ck.Expires = ticket.Expiration;
ck.Path = FormsAuthentication.FormsCookiePath;
HttpContext.Current.Response.Cookies.Add(ck);
/* * * * * * * * * * * */
I also configured the Web.config machineKey node to support SSO.
<system.web>
  <!--
    Set compilation debug="true" to insert debugging
    symbols into the compiled page. Because this
    affects performance, set this value to true only
    during development.
  -->
  <machineKey
    validationKey="D4972954E80140E6A40C0F645B45DF7EB74007CFE7E1A213FB5D825D8480A8BE5C8F88A758809EB754F0677E62B70E77F02856F51B69165CDA20856893FC03F6"
    decryptionKey="14268E31D8356AB7A70EE0D6E6DB0ACA6D4ADBC7BB08C260580C33DA6383AB7A"
    validation="SHA1" decryption="AES"
  />
  <compilation debug="true" targetFramework="4.0"/>
  <!--
    The <authentication> section enables configuration
    of the security authentication mode used by
    ASP.NET to identify an incoming user.
  -->
  <authentication mode="Forms">
    <forms cookieless="UseCookies" loginUrl="LoginService.svc" slidingExpiration="true" />
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
<location path="LoginService.svc">
  <system.web>
    <authorization>
      <allow users="*"/>
    </authorization>
  </system.web>
</location>
Portal 2 : www.abc.com/Main
Portal 2 is a JavaScript portal. It is integrated with portal 1 and calls portal 1's Login before using the other APIs.
Portal 3 : www.abc.com/Report
Portal 3 is an ASP.NET portal. Only authenticated users are granted access to the pages.
Here is the web.config file.
<system.web>
  <machineKey
    validationKey="D4972954E80140E6A40C0F645B45DF7EB74007CFE7E1A213FB5D825D8480A8BE5C8F88A758809EB754F0677E62B70E77F02856F51B69165CDA20856893FC03F6"
    decryptionKey="14268E31D8356AB7A70EE0D6E6DB0ACA6D4ADBC7BB08C260580C33DA6383AB7A"
    validation="SHA1" decryption="AES"
  />
  <authentication mode="Forms">
    <forms cookieless="UseCookies" slidingExpiration="true" loginUrl="http://www.abc.com/Main/index.html" />
  </authentication>
  <authorization>
    <deny users="?"/>
  </authorization>
</system.web>
I generated the machineKey from http://www.developerfusion.com/tools/generatemachinekey/
SOLUTION
That's specifically for Windows Home Server. Did you set that up, and do you have the login page?
https://msdn.microsoft.com/en-us/library/bb425862.aspx
Essentially they are letting the Windows Home Server do the login page for you, and then you can redirect back to your app.
ASKER
Yes. I agree this is not really relevant to my case; I just got some ideas from the post. I tested portal 3, and I cannot retrieve the cookie saved by portal 1. Is it because the cookie paths of portal 1 and portal 3 are different?
ASKER CERTIFIED SOLUTION
ASKER
Thanks. I referenced your link and made some changes to my config. It is working fine now. I just changed the web.config file.
The important part is that "name" shall start with ".", and likewise "domain" shall start with "."; "enableCrossAppRedirects" is another important property.
Thank you again for your kind help.
<authentication mode="Forms">
  <forms name=".ABCSSO" cookieless="UseCookies" slidingExpiration="true" loginUrl="http://www.abc.com/Main/index.html" domain=".www.abc.com" enableCrossAppRedirects="true"/>
</authentication>
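The check behind both the earlier question (whether the cookie path differs between portal 1 and portal 3) and the accepted config (explicit name and domain on the forms cookie) is how the browser scopes a cookie by Domain and Path under RFC 6265. The following is an added example, not code from the question or from ASP.NET: a small model of the RFC 6265 default-path, path-match and domain-match rules, run against the three portal URLs from the question. The cookie name ".ABCSSO" is taken from the accepted config; the cookie value and the request paths are constructed. It shows that a cookie issued from www.abc.com/API/LoginService.svc without an explicit Path is scoped to /API and never reaches /Report, that Path=/ fixes that, and that a Domain attribute of ".www.abc.com" is treated as "www.abc.com" (the leading dot is ignored), while Domain=abc.com would also cover other hosts under abc.com.

```python
"""Model of RFC 6265 cookie scoping (sections 5.1.3, 5.1.4, 5.2.3).

Added example, not code from the question. URLs are the portals named in
the question; cookie values and request paths are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import urlsplit

LOGIN_URL = "http://www.abc.com/API/LoginService.svc"     # portal 1 login endpoint
REPORT_URL = "http://www.abc.com/Report/default.aspx"    # constructed page in portal 3
AUTH_COOKIE = ".ABCSSO"                                  # name from the accepted config


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str      # effective domain, lower-case, without a leading dot
    path: str
    host_only: bool  # True when Set-Cookie carried no Domain attribute


def default_path(url_path: str) -> str:
    """Section 5.1.4: request path up to, but not including, the right-most
    '/', or '/' when that would be empty."""
    if not url_path.startswith("/") or url_path.count("/") == 1:
        return "/"
    return url_path[: url_path.rfind("/")]


def domain_match(host: str, dom: str) -> bool:
    """Section 5.1.3: identical, or host ends with '.' + dom."""
    return host == dom or host.endswith("." + dom)


def path_match(req_path: str, cookie_path: str) -> bool:
    """Section 5.1.4 path-match: equal, or cookie_path is a prefix ending in
    '/', or a prefix followed by '/' in the request path."""
    if req_path == cookie_path:
        return True
    if req_path.startswith(cookie_path):
        return cookie_path.endswith("/") or req_path[len(cookie_path)] == "/"
    return False


def set_cookie(url: str, name: str, value: str, path: Optional[str] = None,
               domain: Optional[str] = None) -> Cookie:
    """Store a cookie the way a browser would when `url` responds with
    Set-Cookie carrying the given Path/Domain attributes."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    cookie_path = path or default_path(parts.path)
    if domain:
        dom = domain.lower().lstrip(".")   # section 5.2.3: leading dot ignored
        if not domain_match(host, dom):
            raise ValueError(f"{host} may not set a cookie for domain {dom}")
        return Cookie(name, value, dom, cookie_path, host_only=False)
    return Cookie(name, value, host, cookie_path, host_only=True)


def cookies_for(jar: List[Cookie], url: str) -> List[str]:
    """Names of the cookies in `jar` the browser would send with a request to `url`."""
    parts = urlsplit(url)
    host = parts.hostname.lower()
    req_path = parts.path or "/"
    sent = []
    for c in jar:
        host_ok = host == c.domain if c.host_only else domain_match(host, c.domain)
        if host_ok and path_match(req_path, c.path):
            sent.append(c.name)
    return sent


def report_sees_auth_cookie(path: Optional[str] = None,
                            domain: Optional[str] = None) -> bool:
    """Issue the auth cookie from the portal 1 login response with the given
    attributes and report whether a portal 3 request would carry it."""
    jar = [set_cookie(LOGIN_URL, AUTH_COOKIE, "ticket-constructed", path, domain)]
    return AUTH_COOKIE in cookies_for(jar, REPORT_URL)


if __name__ == "__main__":
    print("no Path attribute       ->", report_sees_auth_cookie())
    print("Path=/                  ->", report_sees_auth_cookie("/"))
    print("Path=/, Domain=.www.abc.com ->", report_sees_auth_cookie("/", ".www.abc.com"))
```

The three printed cases correspond to the cookie being scoped to /API (not sent to /Report), to the whole host, and to the whole host with an explicit domain, which is what the accepted config does via the forms `domain` attribute. ASP.NET's `FormsCookiePath` defaults to "/", so an auth cookie only ends up with a narrower path if `<forms path="...">` is set to something else; comparing the Path and Domain attributes in the browser's stored cookie against the rules above is the quickest way to confirm why one application under the same host does not receive another's cookie.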
ASKER
I fully agree ADFS is a good option. I will definitely study it for projects in the future.
ASKER
The way I am trying to implement this follows the Microsoft KB https://msdn.microsoft.com/en-us/library/dd577079.aspx. However, it doesn't work. I am not sure if anyone can figure out the issue for me.
Thank you.