Thursday, November 26, 2009

Single Sign-On (SSO) for everyone

Single Sign-On (SSO) is a hot topic these days. Most applications run under different subdomains, and often on different .NET Framework versions too. Once the user logs in, they should stay logged in even when they switch to another web site or domain. SSO helps in this
case; now let's see how to build it.

- SSO for different domains.
Suppose we have two different applications, http://Foo.com and http://Bar.com. Once the user has logged in successfully we need to redirect them to the bar.com site for the next step. In this case the two sites cannot share cookies or session, so each site needs its own cookie, and the other side has to be asked to verify that it is the right user. To achieve this we create a special page (sso.aspx) on both sites that checks whether the cookie exists and continues the flow accordingly. On the sso.aspx page you need code like this:


// sso.aspx on Bar.com (inline page script; System.Web.Security is imported by
// default on a page). If the user holds Bar's Forms cookie, decrypt it and send
// the login name back to the referring site as the ssoauth parameter.
void Page_Load()
{
    // UrlReferrer is null when the browser sent no Referer header; then there
    // is nowhere to send the user back to.
    if (Request.UrlReferrer == null)
        return;

    UriBuilder uri = new UriBuilder(Request.UrlReferrer);
    HttpCookie hcok = HttpContext.Current.Request.Cookies[".BarAuth"];

    // A Forms cookie is a single encrypted value, not a set of sub-keys, so
    // HasKeys is always false here; check for a non-empty value instead.
    if (hcok != null && !string.IsNullOrEmpty(hcok.Value))
    {
        string cookie = HttpContext.Current.Server.UrlDecode(hcok.Value);
        FormsAuthenticationTicket fatick = FormsAuthentication.Decrypt(cookie);
        if (fatick != null)
        {
            // Add the login name to the query. UriBuilder.Query returns the
            // leading '?', which must be stripped or the URL ends up with "??".
            string q = uri.Query.TrimStart('?');
            uri.Query = (q.Length > 0 ? q + "&" : "") + "ssoauth=" + HttpUtility.UrlEncode(fatick.Name);
        }
    }
    Response.Redirect(uri.ToString());
}


Now, if the authentication cookie exists on bar.com, sso.aspx decrypts it and passes the user name back in the ssoauth parameter. On the http://foo.com site we add some code to the request-processing pipeline, either in the Application_BeginRequest event or in an HttpHandler:

- if the authentication cookie exists on Foo.com, continue processing the request;
- if the authentication cookie doesn't exist, redirect to Bar.com/sso.aspx.
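The Foo.com side of this exchange, as an added example (not the post's own code): an Application_BeginRequest handler in Global.asax.cs that sends unauthenticated users to Bar.com/sso.aspx once and issues Foo's own Forms cookie when a ticket comes back. It assumes both sites share the same machineKey, and that sso.aspx sends back the encrypted ticket (FormsAuthentication.Encrypt of the one it decrypted) rather than the bare login name as shown above, because a bare name in the query string could be typed in by anyone; the "ssoTried" cookie name is an assumption used only to stop redirect loops.

```csharp
// Global.asax.cs on Foo.com (added example, not the post's own code).
using System;
using System.Web;
using System.Web.Security;

public class Global : HttpApplication
{
    const string SsoUrl = "http://Bar.com/sso.aspx"; // the post's SSO page on Bar.com
    const string SsoParam = "ssoauth";                // query parameter sso.aspx appends
    const string TriedCookie = "ssoTried";            // assumed name; breaks redirect loops

    protected void Application_BeginRequest(object sender, EventArgs e)
    {
        HttpRequest req = Request;
        HttpResponse resp = Response;

        // 1. Foo.com already issued its own Forms cookie: nothing to do.
        if (req.Cookies[FormsAuthentication.FormsCookieName] != null)
            return;

        // 2. Back from Bar.com with a ticket: verify it with the shared machineKey.
        string ssoValue = req.QueryString[SsoParam];
        if (!string.IsNullOrEmpty(ssoValue))
        {
            FormsAuthenticationTicket ticket = null;
            try { ticket = FormsAuthentication.Decrypt(ssoValue); }
            catch (Exception) { }   // tampered value or mismatched machineKey
            if (ticket != null && !ticket.Expired)
            {
                FormsAuthentication.SetAuthCookie(ticket.Name, false);
                // Drop the ticket from the URL so it does not linger in logs or referers.
                resp.Redirect(req.Url.GetLeftPart(UriPartial.Path), true);
            }
            return; // invalid ticket: fall through to Foo's normal login page
        }

        // 3. Ask Bar.com only once per browser session; sso.aspx sends the user
        //    back without a ticket when Bar.com does not know them either.
        if (req.Cookies[TriedCookie] != null)
            return;
        HttpCookie tried = new HttpCookie(TriedCookie, "1");
        tried.HttpOnly = true;
        resp.Cookies.Add(tried);
        resp.Redirect(SsoUrl, true);
    }
}
```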


- if applications run under different versions of .NET
It is possible that the foo and bar applications run on different versions of .NET. In that case the approach above will not work, because the encryption differs between versions: .NET 2.0 uses AES, while .NET 1.1 used 3DES. In .NET 2.0 a new attribute was added to machineKey for backward compatibility:


<machineKey validationKey="F789KJSER82ERKJ4KJ23KH42KJH444JHG234K4KJB23"
    decryptionKey="j234GF23HG2432347ASD7ASDHJA6ASD6HH27374743432" validation="SHA1" decryption="3DES" />


You just need to set decryption="3DES" so that the old application keeps working. Don't add this attribute to the web.config of the .NET 1.1 application; there it gives an error.

- mixed-mode authentication (Forms and Windows)
For a long time we dealt only with Forms authentication, but now we can use Windows authentication as well. Basically we use Forms authentication to check the user; if the user is on the intranet we can use Windows authentication against the NT domain, via

Request.ServerVariables["LOGON_USER"]

For this we can also disable anonymous access in the IIS panel. LOGON_USER then contains the NT domain name of the logged-on intranet user, but all the other (internet) users are prompted for Windows authentication. Instead we can check the login via Forms authentication first and, if that fails, move them to the Windows domain. You can also solve this problem by having a special entry page for intranet users that has Integrated Windows Authentication enabled, validates the domain user, creates a Forms cookie and redirects to the main web site.

One more easy way: if anonymous access is enabled for the web site, IIS passes the request through to the ASP.NET runtime. If the result is an error (such as 404 - page not found), IIS will attempt the other authentication methods enabled for that site. You just enable both kinds of access for the same site and use the code below:


// With anonymous access enabled, LOGON_USER is empty for an anonymous request;
// returning 401 makes IIS offer the other enabled (Windows) authentication method.
if (string.IsNullOrEmpty(System.Web.HttpContext.Current.Request.ServerVariables["LOGON_USER"]))
{
    System.Web.HttpContext.Current.Response.StatusCode = 401;
    System.Web.HttpContext.Current.Response.End();
}
else
{
    // LOGON_USER holds DOMAIN\user: move on to the valid domain user's flow
}


In the code above, it first checks whether the domain user is an empty string. If so, it terminates the request and returns a 401 to IIS. If the user is already logged on to the domain, the request is repeated with their credentials; if not, the user goes through Windows authentication for up to 3 attempts, and if they still cannot pass after those 3 attempts they get a 401 (Access Denied) error.

There are a few more ways to do SSO in .NET applications. It is also possible to implement this process on different platforms; the basic idea stays the same, but the implementation changes according to the platform.

Thank you; if you like this, please add some comments.
