Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
755 views
in Technique[技术] by (71.8m points)

asp.net mvc 4 - How to Implement Single Sign On in MVC4

How to implement Singel Sign On (SSO) in cross domain MVC4 Web Applications

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

Same domain SSO could be easily achieved by setting the domain property of the forms authentication cookie to the root domain and configuring the same machine keys for both applications.

Cross domain SSO is more challenging. There are different techniques to implement it. For example StackExchange uses HTML5 Local Storage. Their mechanism is described in this blog post.

Here are some of the basic steps:

  1. Setup a master domain for users to logon. For example logon.com
  2. When a non-authenticated user attempts to access a protected resource on some of the 2 applications he is redirected to the logon domain for authentication.
  3. The user authenticates and the logon domain generates a session identifier containing the username of the logged in user. This session id is encrypted using symmetric algorithm with a shared secret between the 3 domains. The logon domain also sets a forms authentication cookie to indicate that the user is already authenticated there.
  4. The logon domain redirects back to the protected resource passing along the session identifier.
  5. The application holding the protected resource decrypts the session id to extract the username and set a forms authentication cookie on its domain.
  6. The user requests a protected resource on the second domain.
  7. Since he is not yet authenticated he is redirected to the logon domain.
  8. The user is already authenticated on the logon domain and a session identifier using the same technique is generated and passed back
  9. The second domain decrypts the session identifier to extract the username and emit a forms authentication cookie for the second domain.

As an alternative to encrypting the username into the session identifier, the logon domain could simply store this information into a shared (between the 3 domains) data store and the session identifier will simply be an identifier of this record so that the other domains could retrieve the username from this shared data store.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...