
Single Sign On By Sharing Authentication Ticket and Session ID

For those who are not familiar with the concept of single sign-on (SSO), it is a mechanism where multiple applications use one place to authenticate. From a user's point of view this means that he or she does not have to log into every single application when moving between applications. A very common example of this is Microsoft Passport. You create one Passport account, and whenever you visit an application that uses Microsoft Passport as its single sign-on mechanism, you get redirected to Microsoft's site to authenticate and then redirected back to your original application. Once you are signed on, you do not have to log in again for any other application that uses Passport as its authentication mechanism.

But when you have multiple ASP.Net applications in the same domain, you can leverage the ASP.Net forms authentication ticket to implement a poor man's single sign-on. This mechanism only works if all applications are in the same domain. For example, I have 3 applications under the same domain: games.netomatix.com, forums.netomatix.com and store.netomatix.com. I will use these 3 sites as the example to explain how single sign-on will be implemented.

Let's first see what happens in forms authentication in ASP.Net. You enable the site to use forms authentication by adding the following entries to the web.config file of your application.

<authentication mode="Forms">
  <forms name="FooBarCookie" loginUrl="/Forums/login.aspx" timeout="60"/>
</authentication>

When a user tries to access the site, he gets redirected to the login page. After authentication, the application drops an authentication cookie on the user's machine. This cookie holds the session id and is encrypted. Encryption is the important piece of the puzzle: to encrypt the data you need a key. So where does this key come from? The default setting for ASP.Net is "AutoGenerate". This means that when an ASP.Net application starts, the framework generates a new validation key and encryption key and stores them inside the application. As long as the application stays alive these keys do not change. They are used to encrypt the authentication ticket that is stored as a cookie on the user's machine, and on subsequent requests the framework uses the same auto-generated keys to decrypt the authentication ticket and validate the user's session.

With this information in hand, we can establish that if two applications can share the authentication cookie and both are able to decrypt it, our job is done. So we just need a mechanism for the applications to share the cookie and share the encryption keys. Since we are trying to accomplish single sign-on for applications in the same domain, they will all be able to share the authentication cookie as long as it has the same name in each of them. To share the encryption and decryption keys, we just need to define these keys explicitly in every application instead of using "AutoGenerate", and we are done.

Translating the above discussion into an actual implementation, these are the steps you will take.

1. All SSO applications must be in the same domain.
2. Make all applications use forms authentication, and make sure the cookie name in the "forms" settings is the same in each of them.
3. Generate a validation key and a decryption key and put the same values in every application's configuration.

So this is how your settings in web.config are going to look.

<authentication mode="Forms">
  <forms name="FooBarCookie" loginUrl="/Forums/login.aspx" timeout="60"/>
</authentication>
<!-- Placeholder key values: generate your own and use the identical values in every application -->
<machineKey validationKey="PLACEHOLDER_VALIDATION_KEY" decryptionKey="PLACEHOLDER_DECRYPTION_KEY" validation="SHA1" decryption="AES"/>
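Because the whole scheme silently breaks if one of the three sites drifts (a renamed cookie, or a machineKey left on AutoGenerate), it helps to check the web.config files against each other before deploying. The following script is an added example, not code from the original article; it reads constructed sample configs (the key values are placeholders) and reports anything that would stop the sites sharing the authentication ticket.

```python
"""Check that several web.config files agree on the settings needed for a
shared forms-authentication cookie: same <forms name>, an explicit (not
AutoGenerate) <machineKey>, and identical keys and algorithms everywhere."""
import xml.etree.ElementTree as ET

# Constructed sample configs standing in for the three sites' web.config files.
# Key values are placeholders, not real secrets.
GOOD = """<configuration><system.web>
<authentication mode="Forms">
  <forms name="FooBarCookie" loginUrl="/Forums/login.aspx" timeout="60"/>
</authentication>
<machineKey validationKey="PLACEHOLDER_VKEY" decryptionKey="PLACEHOLDER_DKEY"
            validation="SHA1" decryption="AES"/>
</system.web></configuration>"""
BAD_NAME = GOOD.replace('name="FooBarCookie"', 'name="StoreCookie"')
AUTOGEN = GOOD.replace('validationKey="PLACEHOLDER_VKEY"',
                       'validationKey="AutoGenerate,IsolateApps"')

MK_ATTRS = ("validationKey", "decryptionKey", "validation", "decryption")


def sso_settings(config_xml):
    """Return (forms cookie name, machineKey attributes) from one web.config."""
    root = ET.fromstring(config_xml)
    forms = root.find("./system.web/authentication/forms")
    mk = root.find("./system.web/machineKey")
    name = forms.get("name") if forms is not None else None
    keys = {a: mk.get(a) for a in MK_ATTRS} if mk is not None else {}
    return name, keys


def check_sso(configs):
    """Return a list of problems; an empty list means the apps can share the ticket."""
    problems = []
    settings = {site: sso_settings(xml) for site, xml in configs.items()}
    names = {name for name, _ in settings.values()}
    if len(names) != 1:
        problems.append("forms cookie name differs across sites: %s" % sorted(map(str, names)))
    for site, (_, keys) in settings.items():
        if not keys.get("validationKey") or not keys.get("decryptionKey"):
            problems.append("%s: machineKey missing or incomplete" % site)
        for attr in ("validationKey", "decryptionKey"):
            if (keys.get(attr) or "").startswith("AutoGenerate"):
                problems.append("%s: %s is AutoGenerate; other apps cannot decrypt its ticket" % (site, attr))
    if len({tuple(sorted(keys.items())) for _, keys in settings.values()}) != 1:
        problems.append("machineKey settings differ across sites")
    return problems
```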