Using sso for asp.net projects without external registration

Developer https://www.devze.com 2023-04-01 07:04 Source: Internet

I have two asp.net projects on different domains. These projects use one database. Let's say www.test1.com and www.test2.com. (Later there will be more projects.)

I already have registration form and registered users.

Now I need to implement SSO possibility without registration at the external sites (google, openId, facebook).

All implementations which I have found require external registration (CAS, Federation, Facebook, OpenID).

Also I have read this article http://www.codeproject.com/KB/aspnet/CrossDomainSSOExample.aspx, but as far as I understood from the comments, such a solution is very insecure.

Please suggest a solution or an existing library which can help me to use SSO without external registration.


I needed the exact same solution for a client I was working for. I did the research, and the only good solutions that I found were either too complex and not well documented or too expensive (I forgot which companies I looked into). So I decided to build a custom solution. This is a short summary of the solution implemented: in order to make things more clear, let's call "nodes" the domains where you want to authenticate a user, and "SSO" the provider of the authentication. I used a solution that is similar to the one in the link you posted, HOWEVER I used the Asp.Net security cookie whenever I wanted to authenticate a node, and also to authenticate the SSO website:

// Requires System.Web and System.Web.Security; issues a non-persistent forms-auth ticket
// scoped to the application path and sends it to the browser.
HttpCookie formsCookie = FormsAuthentication.GetAuthCookie(userName, false, HttpRuntime.AppDomainAppVirtualPath);
HttpContext.Current.Response.Cookies.Add(formsCookie);

This also allowed me to not have to query back the SSO provider for each web request, as the example you posted seems to do. I used a new AuthenticationKey each time I wanted to communicate from the SSO provider back to the node that the authentication was successful. Also I added some security features like encrypted communication, and the key could only be valid for a max of 2 seconds (the time for the SSO to pass it to the node), and as soon as it was used it would be deleted. I believe this solution is safe enough; however, using an external ready-made solution is surely safer.

It took me only a few days to implement the whole solution, so it's not too long of a task. However I cannot share the project as I am not sure the client would agree. I hope those suggestions might help you.

Let us know what you decide to do in the end.

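The answer above describes the handoff key only in prose: a fresh key per SSO-to-node callback, valid for at most 2 seconds, deleted as soon as it is used. The following is an added illustration of that part of the scheme, written for this page and not the answerer's or any library's code. The class and method names (SsoTokenService, Issue, TryRedeem), the HMAC binding of the key to the user and the target node, and the injectable clock are my assumptions; the 2-second lifetime and the delete-on-use rule are the ones the answer states. On a successful TryRedeem the node would then issue its own forms-authentication cookie exactly as the answer shows.

```csharp
// Added example: one-time, short-lived SSO handoff key (not code from the original answer).
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

public sealed class SsoTokenService
{
    private readonly byte[] _secret;            // shared by the SSO site and every node (assumed)
    private readonly TimeSpan _lifetime;        // the answer's "max of 2 seconds"
    private readonly Func<DateTime> _clock;     // injectable for deterministic testing
    private readonly ConcurrentDictionary<string, DateTime> _issued =
        new ConcurrentDictionary<string, DateTime>();

    public SsoTokenService(byte[] secret, TimeSpan lifetime, Func<DateTime> clock)
    {
        _secret = secret; _lifetime = lifetime; _clock = clock;
    }

    // SSO side: mint a random key bound to the user and the node it is meant for.
    public string Issue(string userName, string nodeHost)
    {
        if (userName.Contains("|") || nodeHost.Contains("|"))
            throw new ArgumentException("'|' is the field separator and is not allowed");
        byte[] nonce = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string payload = Convert.ToBase64String(nonce) + "|" + userName + "|" + nodeHost;
        string token = payload + "|" + Sign(payload);
        _issued[token] = _clock();              // remember when it was minted
        return token;
    }

    // Node side: accept the key only if it is authentic, meant for this node,
    // never used before, and younger than the lifetime. Removal happens before the
    // age check so an expired key is also discarded and can never be retried.
    public bool TryRedeem(string token, string expectedNode, out string userName)
    {
        userName = null;
        string[] parts = token.Split('|');
        if (parts.Length != 4) return false;
        string payload = string.Join("|", parts, 0, 3);
        if (!FixedTimeEquals(Sign(payload), parts[3])) return false;   // forged or altered
        if (!string.Equals(parts[2], expectedNode, StringComparison.Ordinal)) return false;
        DateTime issuedAt;
        if (!_issued.TryRemove(token, out issuedAt)) return false;      // unknown or already used
        if (_clock() - issuedAt > _lifetime) return false;              // older than 2 seconds
        userName = parts[1];
        return true;
    }

    private string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(_secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }

    // Constant-time comparison so an attacker cannot time the signature check.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a), y = Encoding.UTF8.GetBytes(b);
        if (x.Length != y.Length) return false;
        int diff = 0;
        for (int i = 0; i < x.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] secret = Encoding.UTF8.GetBytes("constructed-demo-secret-replace-me");   // constructed
        DateTime now = new DateTime(2023, 4, 1, 7, 4, 0, DateTimeKind.Utc);
        var svc = new SsoTokenService(secret, TimeSpan.FromSeconds(2), () => now);

        string key = svc.Issue("alice", "www.test1.com");
        string user;
        Console.WriteLine(svc.TryRedeem(key, "www.test2.com", out user)); // False: wrong node
        Console.WriteLine(svc.TryRedeem(key, "www.test1.com", out user)); // True, user == "alice"
        Console.WriteLine(svc.TryRedeem(key, "www.test1.com", out user)); // False: already used

        string stale = svc.Issue("bob", "www.test1.com");
        now = now.AddSeconds(3);                                          // simulate a late callback
        Console.WriteLine(svc.TryRedeem(stale, "www.test1.com", out user)); // False: expired
    }
}
```

The in-memory dictionary stands in for whatever store the SSO site and the nodes share (the answer says they share one database); the point the example makes is the order of checks, the binding to one node, and that the key is removed in the same step that validates it, so a captured key cannot be replayed even inside the 2-second window.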
