Poor Man's SSO with Multiple ASP.NET Web Applications

It is quite straightforward to have (poor man's) single sign-on for multiple ASP.NET web applications without sourcing for an enterprise solution.

Based on the following premise:
  1. assuming the web applications are in the same domain 
  2. forms or custom authentication is used for the web application
In order to have things work, a couple of steps are required, namely:
  1. Enable Forms authentication for the relevant web applications, use:
    <authentication mode="Forms">
  2. Ensure that the validationKey and decryptionKey settings (under the machineKey element) are not auto-generated but are explicitly coded and shared across the relevant web applications (and web farm, if applicable).
    1. For IIS6, you can use this website to generate the keys
    2. For IIS7+, you can use IIS Manager to do so.
  3. Customise the name of the cookie (instead of the default .ASPXAUTH) but more importantly, set the cookie path to the default root "/" and the domain to a valid one, use:
    <forms name=".PoorMan.SSO" domain="?" path="/" requireSSL="true|false" timeout="30slidingExpiration="true|false" protection="All" />
  4. To determine if the user is authenticated, use: HttpContext.Current.User.Identity.IsAuthenticated
  5. To determine the identity of the authenticated user, use:  HttpContext.Current.User.Identity.Name
  6. To set the Session cookie after the custom authentication is successful, use: FormsAuthentication.RedirectFromLoginPage(username, false);
  7. To log-off the user, use FormsAuthentication.SignOut();
  8. Due to breaking changes in .NET 4.0, for mixed-mode deployment using different CLRs (i.e. CLR 2.0 and CLR 4.0), the machineKey needs to use the same (older) validation algorithm. CLR 2.0 uses HMACSHA1 while CLR 4.0 uses HMACSHA256. Use:
    <machineKey validation="SHA1">
Additional resources (often outdated) can be found:
  1. ASP.NET blog
  2. CodeProject
  3. Some product support pages
  4. MSDN site for forms element in Web.config

Comments

Popular posts from this blog

Understanding ITIL Service Management the UML way…

How to depict (Professional-Looking) Logical Network Diagrams in Astah