14

I have an already built Asp.Net application which is using Asp.Net membership provider.

There is a client web application which has its own login. Once logged in, the user gets some links. These links are directed to the application I have developed. Currently, since these are two different applications hosted on two domains, two logins are required.

What I am trying to achieve is to have SSO and not have to log in when the user is already logged in to the client application. I have read through and it seems it's possible to have this done via an STS provider like ThinkTecture IdentityServer and utilising ADFS at our end.

Is this the best approach? If yes, I couldn't find much documentation on what updates I need to ask the main application team for to have it SSO enabled.

Chinjoo
  • Are you using Forms Authentication? Are you using Identity? To clarify, you say the client app performs logins... I assume you mean something like a browser or mobile app? Does that mean that the client sends credentials to the server and gets authenticated, or do you mean a service your server process uses to authenticate? – Dave Alperovich Aug 27 '15 at 15:45
  • What do you have (source) control on? the web app? the client app? both? Can you pass "something" to the client app to the web app so that the web app will be able to authenticate from that? – Simon Mourier Aug 28 '15 at 06:47
  • OK, to be more clear: there is a site www.MainWebApp.com which is hosted by Party A. This site has a login which does authentication against a DB hosted by Party A. After login they get a page with a link which points to www.mywebapp.com/home/index; this is the site we are hosting at our end, with the DB also hosted at our end. At present, this link will show a login page, which I want to remove and instead have Party A send some info along with the link to get authorized. – Chinjoo Aug 31 '15 at 07:04
  • It's possible to set up a Service Provider alongside a web app. The web app would redirect users to an Identity Provider for authentication. After successful auth, a user would then arrive at the web app with the necessary information required to be authenticated by your DB. I would check out https://shibboleth.net/about/basic.html – 0x736a64 Sep 10 '15 at 02:12
  • I achieved the solution with following the link for Multiple ADFS integration using OWIN - http://www.dotnetcurry.com/windows-azure/1166/aspnet-mvc-multiple-adfs-owin-katana – Chinjoo Dec 07 '15 at 07:14

4 Answers

7

That might be possible with an STS provider or ADFS. What I would suggest is to have a web application only for authentication, where when the user clicks on login on the main website, you redirect to the authentication application, which authenticates and creates a token and then redirects back to the main application along with the token. Later, you can call any application along with this token and check whether the user has permission to access this application or not. The token contains information such as the authenticated user, permissions, etc. I suppose you need to create a custom HTTP module to implement this.

If all applications are under one domain, it can be achieved by cookies.

Matt
Vishal
  • The concept here is that the main application is not maintained by us and hence it should be a minimal change in there, and it's on a different domain. – Chinjoo Aug 18 '15 at 17:38
1

I believe the easiest way is using Azure Active Directory to do that. Here are a few articles/information about that:

http://www.dotnetcurry.com/windows-azure/1123/secure-aspnet-mvc-azure-using-active-directory-signon

http://azure.microsoft.com/en-us/documentation/videos/overview-of-single-sign-on/

Thiago Custodio
  • The initial login is not carried out by our system. Hence we don't have the control over Token issuer. – Chinjoo Aug 18 '15 at 17:40
0

I believe the best approach would be to host an Identity Provider like ADFS or ThinkTecture somewhere else and then make both the Main application and your application a relying party of this Identity Provider.

Both applications would need to be changed to support the WS-Federation protocol (which ASP.NET already has an HTTP module for).

Have a read of this https://msdn.microsoft.com/en-gb/library/bb498017.aspx

Then also check out this blog http://chris.59north.com/post/Configuring-an-ASPNET-site-to-use-WS-Federation

DanL
  • Do you have any reference for samples to check this out? – Chinjoo Sep 11 '15 at 03:50
  • Microsoft has a walkthrough here: https://msdn.microsoft.com/en-us/library/hh291061.aspx. Just repeat the steps twice so you have two sites and put a link on one of them to the other. – DanL Sep 11 '15 at 07:12
0

How about mimicking the SSO concept?

  • On click of the link provided in Party A's website, generate a token with a timestamp.
  • Upload it to your DB through services.
  • Encrypt the token using RSA with additional parameters both parties agree upon.
  • Redirect to your URL with this encrypted parameter converted to base64.
  • Decrypt on your side, check for the token on your website and then allow access to your website.
  • Write logic for the token to become defunct after a specified time.
CodeTantric
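The handoff the answer above sketches, as an added example that is not from the original post: Party A issues a timestamped, single-use token on link click, and our site validates it before granting a session. It is written in Python with stdlib only, so it signs with HMAC-SHA256 over a shared secret rather than the RSA the answer proposes (with RSA, Party A would sign with its private key and we would verify with its public key); the secret, TTL and skew values are constructed for the demo.

```python
import base64, hashlib, hmac, json, os, time

# Constructed demo values: the secret would be agreed out of band by Party A and us.
# The answer proposes RSA; this example signs with HMAC-SHA256 instead (stdlib only).
SHARED_SECRET = b"constructed-demo-shared-secret"
TOKEN_TTL_SECONDS = 120   # lifetime of a handoff token
CLOCK_SKEW_SECONDS = 30   # tolerance for the two servers' clocks differing


def issue_token(user_id, now=None):
    """Party A side: build the token that is appended to the link to our site."""
    payload = {
        "sub": user_id,
        "iat": int(time.time() if now is None else now),
        "nonce": base64.urlsafe_b64encode(os.urandom(16)).decode(),  # single-use marker
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body).decode() + "." + base64.urlsafe_b64encode(sig).decode()


class HandoffValidator:
    """Our side: accept a token once, within its lifetime, only if the signature holds."""

    def __init__(self):
        self.used_nonces = set()  # stand-in for the DB table the answer describes

    def validate(self, token, now=None):
        """Return the user id on success, None on any failure (never raise)."""
        now = time.time() if now is None else now
        try:
            body_b64, sig_b64 = token.split(".")
            body = base64.urlsafe_b64decode(body_b64)
            sig = base64.urlsafe_b64decode(sig_b64)
        except ValueError:
            return None
        expected = hmac.new(SHARED_SECRET, body, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):  # constant-time comparison
            return None
        payload = json.loads(body)  # parse only after the signature is verified
        iat, nonce, sub = payload.get("iat"), payload.get("nonce"), payload.get("sub")
        if not isinstance(iat, int) or not nonce or not sub:
            return None
        if iat > now + CLOCK_SKEW_SECONDS or now - iat > TOKEN_TTL_SECONDS:
            return None  # future-dated or expired
        if nonce in self.used_nonces:
            return None  # replayed
        self.used_nonces.add(nonce)
        return sub
```

The nonce set must live in the shared DB the answer mentions, not in process memory, or a second web node would accept a replay the first node already consumed.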