Create single sign on (SSO) between multiple applications in different domains using ASP.NET membership provider


Note: this solution requires cookies to be enabled in the client browser.

Overview

Suppose you have two web applications (ASP.NET or SharePoint) and one ASP.NET membership provider database shared by both. What do you need to do to create single sign-on between these two applications?

Because the two web applications use one membership database, once the user logs in through the login form control of either application, the Membership and FormsAuthentication classes handle the rest: as soon as you are logged in to one of them you are also logged in to the other, provided both applications are in the same domain, even when they are hosted on different servers.

The Problem

The problem is that membership relies on a special cookie placed on the client side, and cookies are always bound to a domain. If the second application in the second domain tries to read the cookie placed by the first application in the first domain, it will not find it, because each application can only see the cookies that belong to its own domain.

Login Form Control: how does it work?

The Login form control uses the System.Web.Security.Membership, System.Web.Security.MembershipUser and System.Web.Security.FormsAuthentication classes to do this. These are the main steps the Login form control performs to authenticate the user:

1-Validate the user with the Membership.ValidateUser(string username, string password) method, which returns a Boolean indicating whether the user's login information is valid or not.

2-Get the MembershipUser object for this user with the Membership.GetUser(username) method, which returns a MembershipUser object.

3-Run some checks on the user status, such as whether the user is locked out or not and whether the user is approved or not. These checks depend on your configuration (for example, you may not permit users that are not approved to log in) and are done with MembershipUser attributes like MembershipUser.IsLockedOut and MembershipUser.IsApproved, etc.; you can explore the rest yourself.

4-Put a cookie on the client so that the user is recognised on every subsequent request after logging in.

What is the problem when hosting these two web applications in different domains?

Solution for single sign-on (SSO) with custom login pages implementing the same Login form control mechanism

We will implement the same mechanism with our own custom login forms and the .NET classes that the Login form control uses.

1-Create custom login forms rather than using the Login form control. For SharePoint users this is easy: create your form in a new page that uses the SharePoint master page, then change the login page URL in this section of your SharePoint web application's web.config file (this section is created by you when you enable forms authentication in SharePoint; we will discuss that topic in another post soon):

<authentication mode="Forms">
  <forms loginUrl="/YourLoginPageURL.aspx" />
</authentication>

2-Following the same mechanism discussed above for the Login form control, add code to the login button's event handler (in both applications) that validates the user and sets the cookie (this cookie will be bound to the current domain); the complete code is below.

3-After setting the cookie, redirect to another page (which we will create as an authentication page) in the second application, passing a flag (a query string parameter named username) that carries the username (you must encrypt this query string and decrypt it in the redirected page) and another flag (BackUrl) that carries the URL of the default page of the first application.

4-The authentication page in the second application receives the query strings, creates another cookie from the username sent in the query string (this cookie carries the same login information as the first cookie; each cookie is simply bound to its own domain) and redirects to the URL passed by the login page in the BackUrl parameter.

This figure describes it:

[Figure: single sign-on between multiple applications in different domains]

5-Once this finishes, forms authentication in the first application checks that its cookie exists, is valid and belongs to the first domain, while forms authentication in the other application in the other domain checks the same information in the other cookie belonging to that domain, so the user is logged in to both domains.

You can log in from either application with the same mechanism (a custom login page and an authentication page) in each application.

The Full Code For This Solution

Login Page

// requires: using System.Web; using System.Web.Security;
// txtUserName is the text box that carries the user name
// txtPassword is the text box that carries the password

// Check that the user exists and that the user name and password are valid
if (Membership.ValidateUser(txtUserName.Text, txtPassword.Text))
{
    // Get the MembershipUser object
    MembershipUser user = Membership.GetUser(txtUserName.Text);

    // Check that a user object was returned and that the user is not locked out; you can add
    // as many checks as you need using MembershipUser attributes like MembershipUser.IsApproved
    if (user != null)
    {
        if (user.IsLockedOut)
        {
            // do something like display a message that this account is locked out
        }
        else
        {
            // set the forms authentication cookie for this domain
            FormsAuthentication.SetAuthCookie(txtUserName.Text, true);

            // hand over to the authentication page of the second application, sending the user name
            // and the URL to come back to (both URL-encoded so they survive the query string)
            string url = string.Format("http://SecondApplicationURL/authentication.aspx?username={0}&BackURL={1}",
                HttpUtility.UrlEncode(txtUserName.Text),
                HttpUtility.UrlEncode("http://FirstApplicationURL/default.aspx"));

            Response.Redirect(url);
        }
    }
}

Authentication Page Code

// requires: using System.Web.Security;
// read the flags sent by the login page of the first application
string username = Convert.ToString(Request.QueryString["username"]);
string backURL = Convert.ToString(Request.QueryString["BackURL"]);

if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(backURL))
{
    // set the forms authentication cookie for this domain with the same user name
    FormsAuthentication.SetAuthCookie(username, true);

    // go back to the first application
    Response.Redirect(backURL);
}

Note: you must encrypt the query string on the login page and decrypt it on the authentication page. Without that protection the authentication page would issue a cookie for whatever username it is handed. I didn't include this part here to keep the code clear, so do it with your own encryption method!
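The note above leaves the protection of the username parameter to the reader. The helper below is an added example, not code from the original post: it replaces the plain username with an HMAC-signed, short-lived, single-use handoff token that the authentication page verifies before calling FormsAuthentication.SetAuthCookie, and it checks BackURL against an allow-list of your own hosts so the redirect cannot be pointed elsewhere. It assumes both applications share the same secret loaded from configuration (the value shown is a placeholder), that the applications talk over HTTPS, and that the class name SsoHandoff is hypothetical.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Web;
// Hypothetical helper deployed in both applications; both servers must hold the same secret.
public static class SsoHandoff
{
    // Placeholder value: load the real secret from protected configuration, never hard-code it.
    private static readonly byte[] Secret = Encoding.UTF8.GetBytes("REPLACE-WITH-SHARED-SECRET");
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);
    // Login page side: "username|expiresUtcTicks|nonce|hmac" (user names must not contain '|'), URL-encoded.
    public static string CreateToken(string username)
    {
        string payload = username + "|" + DateTime.UtcNow.Add(Lifetime).Ticks + "|" + Guid.NewGuid().ToString("N");
        return HttpUtility.UrlEncode(payload + "|" + Sign(payload));
    }
    // Authentication page side: accepts the token only if the MAC verifies, it is unexpired and its nonce is unseen.
    public static bool TryValidateToken(string token, out string username)
    {
        username = null;
        string[] parts = (token ?? "").Split('|');
        if (parts.Length != 4 || !FixedTimeEquals(Sign(string.Join("|", parts, 0, 3)), parts[3])) return false;
        long ticks; if (!long.TryParse(parts[1], out ticks) || new DateTime(ticks, DateTimeKind.Utc) < DateTime.UtcNow) return false;
        string nonceKey = "sso-nonce:" + parts[2];
        if (HttpRuntime.Cache[nonceKey] != null) return false; // replayed token
        HttpRuntime.Cache.Insert(nonceKey, true, null, DateTime.UtcNow.Add(Lifetime), TimeSpan.Zero); // single use
        username = parts[0];
        return true;
    }
    // BackURL must point at one of our own hosts over HTTPS, so the handoff is not an open redirect.
    public static bool IsAllowedBackUrl(string backUrl, params string[] allowedHosts)
    {
        Uri uri;
        if (!Uri.TryCreate(backUrl, UriKind.Absolute, out uri) || uri.Scheme != Uri.UriSchemeHttps) return false;
        foreach (string host in allowedHosts)
            if (string.Equals(uri.Host, host, StringComparison.OrdinalIgnoreCase)) return true;
        return false;
    }
    private static string Sign(string payload)
    {
        using (var hmac = new HMACSHA256(Secret))
            return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    private static bool FixedTimeEquals(string a, string b) // no early exit, so timing does not leak the MAC
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

On the login page, put SsoHandoff.CreateToken(user.UserName) in the query string instead of the raw username; on the authentication page, call SetAuthCookie only when both TryValidateToken and IsAllowedBackUrl return true.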

Thanks


33 thoughts on "Create single sign on (SSO) between multiple applications in different domains using ASP.NET membership provider"

  1. Pingback: [RESOLVED]Forms Authentication across multiple applications | ASP Questions & Answers

  2. I didn't get the above code working. I have created a custom login page using a farm solution and application page in SharePoint 2010.
    I used the below code in the login page Page_Load event to bypass the login page, but it still shows me the login page asking me to enter credentials. I need to develop single sign-on for extended SharePoint web applications. Kindly advise.
    string username = Convert.ToString(Request.QueryString["username"]);

    string backURL = Convert.ToString(Request.QueryString["BackURL"]);

    if (!string.IsNullOrEmpty(username) && !string.IsNullOrEmpty(backURL))
    {
        FormsAuthentication.SetAuthCookie(username, true);
        Response.Redirect(backURL);
    }

    • Did you write this code in the login page code-behind?

      If yes, just put the login page under the _layouts folder so that it can run in the context of SharePoint.

    • The login page is deployed to the _layouts folder and I was already running in the context of SharePoint. I had developed an application page which was deployed to the layouts folder. I am using the built-in login control of SharePoint.

    • When I implemented that solution I used a normal aspx page inside the layouts folder and the dll for it inside the GAC. I didn't implement it as an application page because application pages need a login to run, for sure; for example, if you try to access _layouts/settings.aspx it will give you a login window, so your application page also needs a login to open.

      Do it as a normal aspx page and put it under the layouts folder; it will work.

    • One thing I would like to know: did you implement Single Sign On for SP2010 for an extended web application of a claims-based web application, or Single Sign On for SP2007?

  3. I like the valuable info you provide in your articles.
    I will bookmark your blog and check again here frequently.
    I am quite certain I will learn plenty of new stuff
    right here! Good luck for the next!

  4. I have just read this article, and it seems to be interesting, but when I try to implement it I have questions. Where can I put the authenticate.aspx? Is it included in the VS SharePoint project or put directly under the web application folder?

  5. Hello

    How will SSO work with different applications on different servers?
    I mean one of my applications is hosted on one server and another is hosted on a different server.

    Thanks
    JP

    • This solution is implemented for this case; the aspx pages for login and for logout will be on both servers and there is a redirect between them on login and logout as the article described.

  6. Pingback: SharePoint 2010: Posibilidades de Single Sign On desde aplicaciones ASP.NET! - Blog del CIIN

    • If you followed this solution you must create logout pages that clear the cookies; when the user clicks on logout it will execute the logout.aspx code on the first server, then redirect to the logout page on the other server also to clear the cookie there.

    • I just used a normal asp.net page that inherits from the Page class; the page is just there to set the cookie, so there is no need to inherit it from a specific SharePoint page type.

    • It's applicable for SharePoint 2010 and for any ASP.NET application also. As you see, we played around FBA with its cookies, so any ASP.NET application can read this cookie. Also, if you need to put a PHP application, for example, in this SSO role, you only need to create a page that reads the FBA cookie which we generated.

  7. Hi Wael,

    Any chance of having this work with windows-based authentication as the membership provider of the .net applications and sharepoint?

  8. Hey, I have implemented your solution, but when logging out it only logs out from one application, not from both.
    Please help.

    • It's easy: when the user clicks on logout, redirect him to a page in the second application that contains some code to remove the cookie for this user, then back again to the first application.
