Tuesday, April 03, 2007

Single Sign on between Form Authentication Applications

In my recent interview, I faced an interesting question: "Can we use single sign on for different Form Authentication sites?" Obviously my answer was "No idea". After that I searched on the net for this and found that, yes!! we can do that. Below is the way to achieve this.


SSO for parent and child application in the virtual sub-directory
Let's assume that we have two .NET applications, Foo and Bar, and Bar is running in a virtual sub-directory of Foo (http://foo.com/bar). Both applications implement Forms authentication. Implementation of Forms authentication requires you to override Application_AuthenticateRequest, where you perform the authentication and, upon successful authentication, call FormsAuthentication.RedirectFromLoginPage, passing in the logged-in user name (or any other piece of information that identifies the user in the system) as a parameter. In ASP.NET the logged-in user status is persisted by storing a cookie on the client computer. When you call RedirectFromLoginPage, a cookie is created which contains an encrypted FormsAuthenticationTicket with the name of the logged-in user. There is a section in web.config that defines how the cookie is created:

<!-- Foo's web.config -->
<authentication mode="Forms">
   <forms name=".FooAuth" protection="All" timeout="60" loginUrl="login.aspx" />
</authentication>

<!-- Bar's web.config -->
<authentication mode="Forms">
   <forms name=".BarAuth" protection="All" timeout="60" loginUrl="login.aspx" />
</authentication>

The important attributes here are name and protection. If you make them match for both the Foo and Bar applications, they will both write and read the same cookie using the same protection level, effectively providing SSO:

<!-- identical in Foo's and Bar's web.config -->
<authentication mode="Forms">
   <forms name=".SSOAuth" protection="All" timeout="60" loginUrl="login.aspx" />
</authentication>

When the protection attribute is set to "All", both encryption and validation (via hash) are applied to the cookie. The default validation and encryption keys are stored in the machine.config file and can be overridden in the application's web.config file. The default value is this:

<machineKey validationKey="AutoGenerate,IsolateApps" decryptionKey="AutoGenerate,IsolateApps" validation="SHA1" />

IsolateApps means that a different key will be generated for every application. We can't have that. In order for the cookie to be encrypted and decrypted with the same key in all applications, either remove the IsolateApps option or, better yet, add the same concrete key to the web.config of all applications using SSO:

<machineKey validationKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902" decryptionKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC" validation="SHA1" />
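As an added example (not code from this post or from ASP.NET itself), the Python script below reads two web.config fragments and reports every setting that would stop Foo and Bar from accepting each other's forms ticket: a different cookie name or protection level, a machineKey that still uses IsolateApps or AutoGenerate, or validation/decryption keys that do not match. It also generates a fresh random <machineKey> element to paste into both applications, which is the safer route than copying a key that has been published anywhere. The sample configs are constructed here: Foo reuses the values shown in the post, Bar is deliberately left on the machine.config default. Key lengths follow the post's example (40 hex characters for the SHA1 validationKey, 48 for the 3DES decryptionKey); the function and variable names are mine, not part of any ASP.NET API.

```python
import secrets
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments (not files from the post's author).
# FOO uses the values the post shows; BAR is deliberately misconfigured so the
# checker below has something to report.
FOO_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".SSOAuth" protection="All" timeout="60" loginUrl="login.aspx" />
    </authentication>
    <machineKey validationKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"
                decryptionKey="F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"
                validation="SHA1" />
  </system.web>
</configuration>"""

BAR_WEB_CONFIG = """<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms name=".BarAuth" protection="All" timeout="60" loginUrl="login.aspx" />
    </authentication>
    <machineKey validationKey="AutoGenerate,IsolateApps"
                decryptionKey="AutoGenerate,IsolateApps"
                validation="SHA1" />
  </system.web>
</configuration>"""

DEFAULT_KEY = "AutoGenerate,IsolateApps"  # machine.config default when no <machineKey> is set


def read_sso_settings(web_config_xml):
    """Collect the attributes that decide whether two apps can share a forms ticket.
    Missing elements fall back to the ASP.NET defaults (.ASPXAUTH, All, SHA1)."""
    root = ET.fromstring(web_config_xml)
    auth = next(root.iter("authentication"), None)
    forms = next(root.iter("forms"), None)
    mkey = next(root.iter("machineKey"), None)
    return {
        "mode": auth.get("mode") if auth is not None else None,
        "name": forms.get("name", ".ASPXAUTH") if forms is not None else None,
        "protection": forms.get("protection", "All") if forms is not None else None,
        "validationKey": mkey.get("validationKey", DEFAULT_KEY) if mkey is not None else DEFAULT_KEY,
        "decryptionKey": mkey.get("decryptionKey", DEFAULT_KEY) if mkey is not None else DEFAULT_KEY,
        "validation": mkey.get("validation", "SHA1") if mkey is not None else "SHA1",
    }


def sso_problems(config_a, config_b):
    """Return the reasons a ticket issued by app A would be rejected by app B
    (and vice versa). An empty list means the two configs line up for SSO."""
    a, b = read_sso_settings(config_a), read_sso_settings(config_b)
    problems = []
    for side, s in (("A", a), ("B", b)):
        if s["mode"] != "Forms":
            problems.append(f"{side}: authentication mode is {s['mode']!r}, not Forms")
        for attr in ("validationKey", "decryptionKey"):
            if "IsolateApps" in s[attr]:
                problems.append(f"{side}: {attr} uses IsolateApps, so each app gets its own key")
            elif "AutoGenerate" in s[attr]:
                problems.append(f"{side}: {attr} is AutoGenerate; only shared if both apps sit on one server")
    # Cookie name, protection level and keys must be identical on both sides.
    for attr in ("name", "protection", "validationKey", "decryptionKey", "validation"):
        if a[attr] != b[attr]:
            problems.append(f"{attr} differs: {a[attr]!r} vs {b[attr]!r}")
    return problems


def generate_machine_key(validation_bytes=20, decryption_bytes=24):
    """Build a <machineKey> element with fresh random keys. The default sizes give
    40 and 48 hex characters, the lengths used in the post's SHA1/3DES example."""
    return (
        f'<machineKey validationKey="{secrets.token_hex(validation_bytes).upper()}" '
        f'decryptionKey="{secrets.token_hex(decryption_bytes).upper()}" '
        f'validation="SHA1" />'
    )


def with_machine_key(web_config_xml, machine_key_xml):
    """Return the config with its <machineKey> replaced by machine_key_xml
    (appended under <system.web> if none was present)."""
    root = ET.fromstring(web_config_xml)
    system_web = next(root.iter("system.web"))
    for old in system_web.findall("machineKey"):
        system_web.remove(old)
    system_web.append(ET.fromstring(machine_key_xml))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for problem in sso_problems(FOO_WEB_CONFIG, BAR_WEB_CONFIG):
        print("problem:", problem)
    shared = generate_machine_key()
    print("paste into every participating web.config:", shared)
    fixed = sso_problems(with_machine_key(FOO_WEB_CONFIG, shared),
                         with_machine_key(BAR_WEB_CONFIG, shared))
    print("remaining after sharing the key:", fixed)
```

Run as-is it lists the two IsolateApps keys in Bar plus the three attributes that differ, then shows that once both configs carry the same generated key only the cookie name still keeps the ticket from being shared.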

I found one good article on this here.

Happy Programming !!

1 comment:

Anonymous said...

It is very interesting for me to read that post. Thanks for it. I like such topics and everything that is connected to them. BTW, why don't you change design :).