Last post Jul 26, 2013 12:42 PM by mthakershi
Jul 25, 2013 09:19 PM|mthakershi|LINK
My web application is ASPX / JS / SQL Server that runs on .NET 3.5. It has standard forms based authentication with users stored in database.
There is another application (call it parent application) that is in different domain / vendor. They want to put our application as in iframe in their portal.
However, the parent application wants setup such that login is bypassed in my application when launched from user that is authenticated in parent application.
How to do that with simple but secure manner? Is there a way that I can code a web service that authenticates their user when click on my application in parent application and redirect them as if they logged into my site?
Any help or guidance is appreciated.
Jul 25, 2013 09:30 PM|BrockAllen|LINK
Either the child app needs the parent to send it a token that it can verify and trust to know the identity of the user (this is security plumbing that you need to be careful implementing), or you need to move to a SSO architecture for the two applications and use well-established approaches (such as WS-Federation, for example).
Jul 25, 2013 11:31 PM|mthakershi|LINK
Thanks for response. What would the design of a token-based approach look like? Is there a standard way of generating this token (static or dynamic)? Please cite any example if you have.
Jul 26, 2013 09:27 AM|BrockAllen|LINK
I'd use a JWT:
You need to sign it at the parent app level and validate it at the child app level. Also, I'd make sure the token lifetime were very short (< 1 minute).
Again, tread lightly here -- you're writing security code here and you need to make sure you check all the attack vectors on your implementation. This is not easy code.
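The sign-at-parent, validate-at-child flow with a short lifetime, as an added example that is not code from the thread or from any particular JWT package. It assumes an HS256 secret shared out of band between the two apps and constructed issuer/audience URLs; everything else follows the compact JWT layout.

```python
import base64, hashlib, hmac, json, time

# Constructed shared secret for the example; both apps hold it out of band,
# and it never travels inside the token itself.
SHARED_SECRET = b"example-shared-secret-do-not-reuse"
MAX_LIFETIME = 60  # seconds, matching the "< 1 minute" advice above

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def sign_token(user_id: str, issuer: str, audience: str, now: int = None) -> str:
    """Parent app: mint a compact HS256 JWT for a user who just clicked through."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": user_id, "iss": issuer, "aud": audience,
              "iat": now, "exp": now + MAX_LIFETIME}
    signing_input = f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}"
    sig = hmac.new(SHARED_SECRET, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url(sig)}"

def validate_token(token: str, expected_issuer: str, expected_audience: str, now: int = None):
    """Child app: return the user id only if the token is genuine, unexpired
    and addressed to us; return None on any failure (caller shows the login page)."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # refuse "none" and algorithm confusion
            return None
        expected = hmac.new(SHARED_SECRET, f"{header_b64}.{claims_b64}".encode(),
                            hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):  # constant-time
            return None
        claims = json.loads(_b64url_decode(claims_b64))
    except ValueError:  # malformed split, base64 or JSON
        return None
    if claims.get("iss") != expected_issuer or claims.get("aud") != expected_audience:
        return None
    exp, iat = claims.get("exp"), claims.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int) or now >= exp:
        return None
    if exp - iat > MAX_LIFETIME:  # parent cannot hand out long-lived tokens
        return None
    return claims.get("sub")
```

The child should also treat each token as single-use where it can (store the `iat`/`sub` pair until `exp`), since within the lifetime window a captured token replays.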
Jul 26, 2013 12:42 PM|mthakershi|LINK
Thank you for valuable information. I will go through this package.
Is it possible to achieve a secure solution using a custom key? e.g. only my organization knows the private key. Then I manipulate a GUID with combination of private and public key. Then provide this output to the parent application team. They will pass my application this value and I will validate it in server code. I may also check if this request is coming from a particular URL and let it go through only if right.