Re: Using Single Sign On in Multiple Applications Sharing Same Domain

vmanzu_1977 — Thu, 11 Sep 2008 08:17:31 GMT

Thanks for the nice article . I have these questions

1) Will this work if the two sites are on different boxes?

2) Will it work behind a NLB ?

Thanks ,

Manjunatha

Re: Using Single Sign On in Multiple Applications Sharing Same Domain

chirag_darji — Thu, 05 Apr 2007 11:10:42 GMT

HI,

Thanks for your artcle. There some some more information abt single sign on http://chiragrdarji.wordpress.com

Hope you like it.

Using Single Sign On in Multiple Applications Sharing Same Domain

usmaniac4life — Wed, 06 Sep 2006 10:08:42 GMT

Using Forms Authentication

Forms Authentication should be used for Single sign on into Multiple Applications.

<authentication mode="Forms">
        <forms name=".Website" loginUrl="login.aspx" protection="All" timeout="30" path="/"/>
      </authentication>

where ".Website" is the name of the Cookie used to store user credentials for form authentication

Modifying the Machine Key

The machineKey element might be configured in the machine.config file or on every web.config application file sharing the Same Cookie. By Default the encryption key to encrypt cookie data is set to something like this in the machine.config file:

<machineKey
validationKey="AutoGenerate,IsolateApps"
decryptionKey= "AutoGenerate,IsolateApps"
validation="SHA1"/>

The "IsolateApps" means that a different key will be AutoGenerated for each application. This setting can be overridden by writing the following code in the Application's Web.config file:

<machineKey
    validationKey= "C50B3C89CB21F4F1422FF158A5B42D0E8DB8CB5CDA1742572A487D9401E3400267682B202B746511891C1BAF47F8D25C07F6C39A104696DB51F17C529AD3CABE"
    decryptionKey= "8A9BE8FD67AF6979E7D20198CFEA50DD3D3799C77AF2B72F"
    validation="SHA1"/>

The Machine key should be the same for all the applications sharing the same cookie (Using SSO).

Creating Domain Level Cookie to share same information between Applications

Here, we are using two domains:
http://secure.website.net and
http://www.website.net

The cookies will be stored in different files and will not be accessible to both applications. In order to make it work, we will need to create domain-level cookies that are visible to all sub-domains:

Dim fat As FormsAuthenticationTicket = New FormsAuthenticationTicket(1, Login1.UserName, DateTime.Now, DateTime.Now.AddYears(1), False, "")
        Dim cookie As HttpCookie = New HttpCookie(".Web20Tools")
        cookie.Value = FormsAuthentication.Encrypt(fat)
        cookie.Expires = fat.Expiration
        cookie.Domain = ".website.net"
        Response.Cookies.Add(cookie)

Here, "cookie.Domain" specifies the name of the domain by which the cookie would be created. Hence if the Windows user has logged in with the account name as "Admin", the cookie would be created by the name:
Admin@website.net

The Data Of Expiry is exactly one year after the date of creation. The ticket name would be the same as the user name. So this can be decrypted on the other applications page Load when the request is redirected to another application.

The cookie is encrypted and then added to the response stream. This cookie can now be shared by any application sharing the same subdomain name

Note: For Domain wide authentication scenarios, you can set domain-wide cookie only for second level domain, or for third level domain if second level domain contains three or less characters. It means that you cannot set cookie for domain "com" or "co.in", but can for "example.com" or "example.co.in".

Simulation of the Live Site

Now to simulate the setup of the live sites, we need to add entries into the Hosts file, which is present at:
C:/WINDOWS/SYSTEM32/DRIVERS/ETC       (Windows XP)
C:/WINNT/SYSTEM32/DRIVERS/ETC       (Windows 2000, NT)

The entries would be as follows:

127.0.0.1 www.website.net
127.0.0.1 secure.website.net

This would help emulate the site on local server so that the cookies can be shared. The applications can be accessed after creating their virtual directories:

http://www.website.net/website/default.aspx
http://secure.website.net/shoppingcart/default.aspx

Now to check whether the cookie has been created or not, the cookie created can be found at:
C:\Documents and Settings\Default User\Local Settings\Temporary Internet Files\

where "Default user" will be the name of the user who has logged in.

An alternative method to check the cookie creation is to go to the Internet Explorer's Tools Menu -> Internet Options -> Click on Privacy Tab -> Click Advanced Button .
select "Override Automatic Cookie Handling" and then select the radio buttons for "First Party Cookies" and "Third Party Cookies" as "Prompt".

Doing this will enable prompting before cookie creation where the cookie name and the date of expiry can be tracked.

Logging Out of the Application

While Logging out of the application, the Expiration date of the Cookie should be set to a past date for the cookie to get deleted. The cookie should be fetched first using the httpcontext class and then the expiry date should be changed.

Dim httpWebcookie As HttpCookie
        httpWebcookie = Request.Cookies(".Website")
        httpWebcookie.Domain = ".website.net"
        httpWebcookie.Expires = DateTime.Now.AddYears(-3)
        Response.Cookies.Add(httpWebcookie)

Hope that this Article proves to be Useful for you guys.

Regards,

Usman Suglatwala.

Security

Re: Using Single Sign On in Multiple Applications Sharing Same Domain

Re: Using Single Sign On in Multiple Applications Sharing Same Domain

Using Single Sign On in Multiple Applications Sharing Same Domain