<machineKey>
<machineKey
    validationKey="21F090935F6E49C2C797F69BBAAD8402ABD2EE0B667A8B44EA7DD4374267A75D"
    decryptionKey="ABAA84D7EC4BB56D75D217CECFFB9628809BDB8BF91CFCD64568A145BE59719F"
    validation="SHA1" decryption="AES"/>
Why is <machineKey> needed? By default each ASP.NET web application auto-generates its own validation and decryption keys and uses them to sign and encrypt the forms authentication cookie, ViewState and similar data. A cookie issued by one application therefore cannot be decrypted or validated by another. If every application under the same domain is configured with the same <machineKey> (identical validationKey, decryptionKey, validation and decryption values), each of them can read the authentication cookie the others issue. Generate your own keys (IIS Manager's "Machine Key" feature or a cryptographic random generator will do) and never reuse values from a public page; the keys above are sample values only. validation="SHA1" is the legacy setting; on .NET 4.0 and later HMACSHA256 is supported and preferable.
Sharing the key is not enough on its own: the browser only sends a cookie to the host it was set for, so you also need to tell the ASP.NET runtime to scope the cookie to the whole domain name. That is done on the <forms> element:
<forms name="name" loginUrl="URL" defaultUrl="URL" domain="mydomain.com"/>
The cookie name, path and domain must be the same in every application, otherwise the browser will keep separate cookies and the key sharing is wasted. What this does not give you is sharing across different domains: a cookie set for mydomain.com is only sent to mydomain.com and its subdomains, so domain1.com can never read an authentication cookie issued by domain2.com. This is a browser cookie rule, not an ASP.NET limitation, and it is what the two workarounds below try to get around.
_______________________________________________________________________________
Work Around (1): chained login redirects
1) The user requests domain1.com. No authentication cookie is present, so the user is redirected to domain1.com/login.
2) The user logs in.
3) domain1.com accepts the login credentials, verifies them against the database, creates its authentication cookie and adds it to the response.
4) The response redirects the browser to domain2.com, with a ReturnUrl pointing back to domain1.com.
5) domain2.com accepts that request, creates its own authentication cookie, and the browser stores it for domain2.com.
6) domain2.com reads the cookie value and redirects the browser to the ReturnUrl address (domain1.com).
7) domain1.com accepts the request; its own cookie from step 3 is already stored in the browser.
So the browser now holds an authentication cookie for both domain1.com and domain2.com.
Whatever domain2.com relies on in step 5 to decide that the user is already authenticated travels in the redirect URL, where it can be copied and replayed. Use a short-lived, signed token rather than a bare user name, and only honour ReturnUrl values that point at sites you know.
Problem: every site in the group has to implement this redirect chain, and every login has to visit every other domain, so it is costly and complex. Not recommended for more than two domains.
_______________________________________________________________________________
Work Around (2): a central SSO site
The browser no longer stores an authentication cookie for each site. It stores a single authentication cookie for one site only (sso.com). Every request to any member site is redirected to sso.com to set or check that cookie; if it is not found, the user is redirected to the login page.
1) The user requests domain1.com and is redirected to sso.com to check for the cookie, with a ReturnUrl query string parameter pointing back to domain1.com.
2) If there is no cookie, sso.com redirects to domain1.com with a query string parameter indicating that the cookie was not found, and domain1.com redirects to domain1.com/login.
3) The user logs in at domain1.com/login, and domain1.com invokes a web service on sso.com to check the credentials, which returns a Token.
4) domain1.com marks the user as logged in and redirects to sso.com with the Token so that sso.com can set its authentication cookie, again with a ReturnUrl back to domain1.com.
The Token is what binds the login at domain1.com to the cookie at sso.com, and it is exposed in the redirect URL in step 4. It should be signed with a secret shared between sso.com and the member sites, carry an expiry, and name the site it was issued for, so that a captured token cannot be replayed later or at another site.
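As an added example (not code from the original post or from the CodeProject articles linked below), here is one way to build the Token exchanged in steps 3 and 4, together with the ReturnUrl check that both workarounds need before redirecting. The class name SsoToken, the methods Issue, TryValidate and IsAllowedReturnUrl, the token layout and the placeholder secret are all assumptions of this example; the host names sso.com, domain1.com and domain2.com are the ones used in the post.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Hypothetical token format: base64url(payload) "." base64url(HMAC-SHA256(payload))
// where payload = "<user>|<audience>|<expiry as Unix seconds>".
public static class SsoToken
{
    // Shared secret between sso.com and each member site. Placeholder only: in a real
    // deployment load a random 32-byte key from configuration, never from source code.
    private static readonly byte[] Key = Encoding.UTF8.GetBytes("placeholder-shared-secret-replace-me");

    // Issued by sso.com after the credentials check (step 3). 'audience' is the site the
    // token is for, so a token for domain1.com is useless at domain2.com.
    public static string Issue(string user, string audience, DateTime expiresUtc)
    {
        if (user.Contains("|") || audience.Contains("|"))
            throw new ArgumentException("'|' is the field separator and is not allowed");
        byte[] payload = Encoding.UTF8.GetBytes(user + "|" + audience + "|" + UnixSeconds(expiresUtc));
        return Base64Url(payload) + "." + Base64Url(Sign(payload));
    }

    // Checked by the receiving site (step 4): signature first, then audience, then expiry.
    public static bool TryValidate(string token, string expectedAudience, DateTime nowUtc, out string user)
    {
        user = null;
        if (string.IsNullOrEmpty(token)) return false;
        string[] parts = token.Split('.');
        if (parts.Length != 2) return false;

        byte[] payload, signature;
        try { payload = FromBase64Url(parts[0]); signature = FromBase64Url(parts[1]); }
        catch (FormatException) { return false; }

        // Verify the MAC before trusting anything inside the payload.
        if (!FixedTimeEquals(signature, Sign(payload))) return false;

        string[] fields = Encoding.UTF8.GetString(payload).Split('|');
        if (fields.Length != 3) return false;
        if (!string.Equals(fields[1], expectedAudience, StringComparison.Ordinal)) return false;
        long exp;
        if (!long.TryParse(fields[2], out exp) || UnixSeconds(nowUtc) > exp) return false;

        user = fields[0];
        return true;
    }

    // Redirect only to HTTPS hosts that belong to the federation, so a crafted ReturnUrl
    // cannot send the user (and the token in the URL) to a site outside it.
    public static bool IsAllowedReturnUrl(string returnUrl, string[] allowedHosts)
    {
        Uri uri;
        if (!Uri.TryCreate(returnUrl, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttps) return false;
        foreach (string host in allowedHosts)
            if (string.Equals(uri.Host, host, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }

    private static long UnixSeconds(DateTime utc)
    {
        return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds;
    }

    private static byte[] Sign(byte[] data)
    {
        using (var hmac = new HMACSHA256(Key)) return hmac.ComputeHash(data);
    }

    // Constant-time comparison so a wrong signature is not rejected faster than a right one.
    private static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    private static string Base64Url(byte[] bytes)
    {
        return Convert.ToBase64String(bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    private static byte[] FromBase64Url(string s)
    {
        string t = s.Replace('-', '+').Replace('_', '/');
        switch (t.Length % 4)
        {
            case 2: t += "=="; break;
            case 3: t += "="; break;
            case 1: throw new FormatException("invalid base64url length");
        }
        return Convert.FromBase64String(t);
    }
}

public class Program
{
    public static void Main()
    {
        DateTime now = DateTime.UtcNow;
        string[] federation = { "sso.com", "domain1.com", "domain2.com" };   // constructed allow-list
        string token = SsoToken.Issue("alice", "domain1.com", now.AddMinutes(2));
        string[] parts = token.Split('.');
        string tampered = parts[0] + "." + (parts[1][0] == 'A' ? "B" : "A") + parts[1].Substring(1);
        string user;
        Console.WriteLine("valid at domain1.com:   " + SsoToken.TryValidate(token, "domain1.com", now, out user) + " user=" + user);
        Console.WriteLine("replayed at domain2.com: " + SsoToken.TryValidate(token, "domain2.com", now, out user));
        Console.WriteLine("used after expiry:       " + SsoToken.TryValidate(token, "domain1.com", now.AddMinutes(3), out user));
        Console.WriteLine("tampered signature:      " + SsoToken.TryValidate(tampered, "domain1.com", now, out user));
        Console.WriteLine("ReturnUrl in federation: " + SsoToken.IsAllowedReturnUrl("https://domain1.com/home", federation));
        Console.WriteLine("ReturnUrl elsewhere:     " + SsoToken.IsAllowedReturnUrl("https://evil.example/", federation));
    }
}
```

Only the first TryValidate call and the first IsAllowedReturnUrl call succeed; the others are rejected because the token is presented at the wrong site, after its expiry, or with a modified signature, or because the ReturnUrl points outside the federation. A real deployment would additionally reject a token that has already been redeemed, which needs server-side state and is not shown here.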
https://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic
https://www.codeproject.com/Articles/114484/Single-Sign-On-SSO-for-cross-domain-ASP-NET-appl#_articleTop