Thread: Single Sign On Implementation

  1. #1

    Thread Starter
    Addicted Member
    Join Date
    Sep 2003
    Location
    Bonny Scotland
    Posts
    141

    Question Single Sign On Implementation

    Hi,

    I am looking in to implementing a single sign on for a number of in house applications.

    I am thinking of making it a web service that initially queries the Active Directory to see if the staff member logging in actually is allowed on the network. As far as I can make out, this should be relatively easy.

    I can then have a login control that can be added to each application that accesses the web service to authenticate each user.

    A database will be implemented and will be checked after the Active Directory LDAP query to see which applications the user has access to and the rights they have in that application.

    How best would I be able to check that the application being signed into is in the list of accessible applications for the given user?

    Does this sound like the best way to do such a thing?

    Any help or links on this matter would be much appreciated.

    Thanks in advance

    Grant

  2. #2
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Single Sign On Implementation

    Depends.

    My question for now is, why aren't these in-house applications performing the check for whether the user has permissions to access it? Why must this depend upon an external application?

  3. #3

    Thread Starter
    Addicted Member
    Join Date
    Sep 2003
    Location
    Bonny Scotland
    Posts
    141

    Re: Single Sign On Implementation

    They do check if the user can access the app. I was wanting to make a single signon app so that it is centralised for all in house apps. Is it better practice to let each individual program check a database to see who has access?

  4. #4
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Single Sign On Implementation

    In my experience with in-house apps, yes. Because each app already authenticates users when they login with Windows authentication and may have their own logic for allowing a user access.

    Since you say that the applications are already doing this, doing it externally is redundant.

    Now, by single sign-on, do you mean a single page, with links to each app, where you'd like to pass credentials to the individual apps and let them perform authentication?

  5. #5

    Thread Starter
    Addicted Member
    Join Date
    Sep 2003
    Location
    Bonny Scotland
    Posts
    141

    Re: Single Sign On Implementation

    What I had in mind was a web service that dealt with all of the authentication through LDAP, ensuring the users are in the Active Directory. I also envisaged a web control which had the username, password, domain boxes etc. which would communicate with the web service. This web control could be dragged on to the login page of any application, hence authenticating them with the network.

    I had wondered about replacing the separate system authentications with a page allowing users to select an app (which they have access to) to connect to. This, as you have just mentioned, may well be better left with the individual applications.

    Does that make more sense or am I way off the mark with the single sign on idea?

    Thanks for the input.

  6. #6
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Single Sign On Implementation

    1. When you use Windows Authentication on an app, they are automatically authenticated with the network.

    Now you have two options. On the page that links to all the in-house apps,

    a) You can simply create a link to each of those apps
    b) You can have Windows Authentication enabled on YOUR page, and, when sending the user to the other apps, you pass their windows authentication information so that they needn't login again there. This way, the credentials are passed to those apps, yes, and THOSE apps check security levels, etc., etc.

    What do you think now?

  7. #7

    Thread Starter
    Addicted Member
    Join Date
    Sep 2003
    Location
    Bonny Scotland
    Posts
    141

    Re: Single Sign On Implementation

    What do you think now?
    I think it's getting late on a Monday afternoon and my head hurts

    On a serious note, the second option mentioned seems to be preferable, if I pass the details through to the apps and let them deal with their own security. Using this method I'm still not able to hide the apps that certain users haven't got rights to.

    I'll have to give this thought as to how to implement the system, but your help has put things into perspective.

    The only query I would have now, and I never mentioned this previously: if at any point a serious change to data is made in one of these systems, a user is required to digitally sign the change off. This involves them authenticating themselves again.
    Initially I had thought with the web control suggestion I could just drag it on to the sign-off page. This isn't a major problem at present but one I'll have to look at eventually.

    You've been a great help on this. Thanks, and no doubt I'll post again on this matter.

    Grant

  8. #8
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Single Sign On Implementation

    For implementation, you want to look at how to pass credentials between ASP.NET applications.

  9. #9

    Thread Starter
    Addicted Member
    Join Date
    Sep 2003
    Location
    Bonny Scotland
    Posts
    141

    Re: Single Sign On Implementation

    Ok,

    I'm now extremely confused. How can I go about having a logon page which checks the Active Directory to ensure the user is there and then checks for that user in the application database to get the user role? I have something at present that is based on Windows authentication. From what I can see, however, the user details are authenticated already without the user needing to login to the system. I'm sure I'm just getting confused but I'm not having any joy.

    I have declared a class which defines my custom principal, and using this combined with the events Application_AuthenticateRequest and WindowsAuthentication_OnAuthenticate in the Global file I have tried to implement the authentication process.

    Code:
    using System;
    using System.Security.Principal;
    using System.Web;
    using System.Web.Security;

    protected void Application_AuthenticateRequest(Object sender, EventArgs e)
    {
        // The cookie only exists once WindowsAuthentication_OnAuthenticate has issued it;
        // on the first request Get() returns null, so guard against it instead of
        // dereferencing a null cookie.
        HttpCookie httpCook = Context.Request.Cookies.Get("authCookie");
        if (httpCook == null || httpCook.Value == null || httpCook.Value.Length == 0)
            return;

        FormsAuthenticationTicket formsAuthTicket;
        try
        {
            formsAuthTicket = FormsAuthentication.Decrypt(httpCook.Value);
        }
        catch (Exception)
        {
            // Corrupt or tampered cookie: treat the request as unauthenticated.
            return;
        }
        if (formsAuthTicket == null || formsAuthTicket.Expired)
            return;

        GenericIdentity objGenericIdentity = new GenericIdentity(formsAuthTicket.Name);
        string[] strRoles = formsAuthTicket.UserData.Split('|');
        myAppPrincipal objMyAppPrincipal = new myAppPrincipal(objGenericIdentity, strRoles);

        HttpContext.Current.User = objMyAppPrincipal;
    }

    protected void WindowsAuthentication_OnAuthenticate(Object source, WindowsAuthenticationEventArgs e)
    {
        // Check if cookie exists. Return if it does.
        if (Request.Cookies.Get("authCookie") != null)
            return;

        // DOMAIN\user as authenticated by IIS / Active Directory.
        string strUserIdentity = e.Identity.Name;

        // Usr is my own class; roles are obtained from the application database.
        Usr curUsr = new Usr(strUserIdentity);
        string strUserRoles = curUsr.getRoles();

        FormsAuthenticationTicket formsAuthTicket = new FormsAuthenticationTicket(
            1, strUserIdentity, DateTime.Now, DateTime.Now.AddMinutes(20), false, strUserRoles);
        string strEncryptedTicket = FormsAuthentication.Encrypt(formsAuthTicket);

        HttpCookie httpCook = new HttpCookie("authCookie", strEncryptedTicket);
        httpCook.HttpOnly = true; // keep the ticket out of reach of page script (.NET 2.0 and later)
        Response.Cookies.Add(httpCook);
    }

    If anyone can help further, their help is also appreciated.

    Thanks

  10. #10
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Single Sign On Implementation

    First.

    You have set Windows Authentication on your application. This means your code is to assume that the user has been authenticated against Active Directory. Do not waste your efforts on authenticating him again.

    Second.

    Get the user's identity by using

    System.Web.HttpContext.Current.User.Identity.Name

    You can then use this value for whatever it is you're doing or have decided to do, which I'm unaware of at this point... but I think you'd take this value and compare it against the users table of whatever applications' databases.
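    A concrete way to do what mendhak describes, as an added example that is not code from this thread: take the Windows account name that IIS has already authenticated, look the user's roles up in the application's own users table, and attach them to the principal so pages can call User.IsInRole. The same lookup answers the first post's question of whether the user is allowed into this particular application at all: no rows for this account and application means no access. The table AppUserRoles(AccountName, ApplicationName, RoleName), the connection string name AppDb and the application name are assumptions for the example, and it targets .NET 2.0 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data.SqlClient;
using System.Security.Principal;
using System.Web;

// Global.asax.cs of an ASP.NET application configured with <authentication mode="Windows" />.
// Added example, not code from the thread; table, connection-string and application names are assumed.
public class Global : HttpApplication
{
    // Name under which this application appears in the shared users table (assumed value).
    private const string ApplicationName = "PayrollApp";

    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        IPrincipal windowsUser = Context.User;

        // If anonymous access is still enabled in IIS, the request arrives under the
        // anonymous account rather than the real user; treat that as not signed in.
        if (windowsUser == null || !windowsUser.Identity.IsAuthenticated)
            return;

        // DOMAIN\username as authenticated by IIS against Active Directory.
        string accountName = windowsUser.Identity.Name;

        string[] roles = LookupRoles(accountName, ApplicationName);

        // On the network, but not granted access to this application.
        if (roles.Length == 0)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Keep the Windows identity (IsAuthenticated and AuthenticationType stay meaningful)
        // and attach the roles this application's database grants to it.
        Context.User = new GenericPrincipal(windowsUser.Identity, roles);
    }

    // Returns the roles granted to accountName in applicationName, or an empty array
    // when the user has no rows for that application.
    internal static string[] LookupRoles(string accountName, string applicationName)
    {
        List<string> roles = new List<string>();
        string connStr = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;

        using (SqlConnection conn = new SqlConnection(connStr))
        using (SqlCommand cmd = conn.CreateCommand())
        {
            // Parameterised so the account name is never spliced into the SQL text.
            cmd.CommandText =
                "SELECT RoleName FROM AppUserRoles " +
                "WHERE AccountName = @account AND ApplicationName = @app";
            cmd.Parameters.AddWithValue("@account", accountName);
            cmd.Parameters.AddWithValue("@app", applicationName);

            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                    roles.Add(reader.GetString(0));
            }
        }
        return roles.ToArray();
    }
}
```

    A page then checks rights with User.IsInRole("Approver") and never needs a logon form. For the anonymous-account case to be a challenge rather than a silent fall-through, web.config should carry <authentication mode="Windows" /> together with <authorization><deny users="?" /></authorization>, and anonymous access should be unticked on the virtual directory in IIS.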

  11. #11

    Thread Starter
    Addicted Member
    Join Date
    Sep 2003
    Location
    Bonny Scotland
    Posts
    141

    Re: Single Sign On Implementation

    So, using the Windows authentication, I do not need the logon page at all because the user is logged on to the PC with a Windows account, hence is authenticated? Correct me if I'm wrong, as I more than likely am in this case.

    I then just use the current user identity for (and you are correct in guessing) comparing to the users table in the database.

    Thanks, your patience is appreciated

  12. #12
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Single Sign On Implementation

    Yes.

    In fact, you can try this out right now.

    Create a very simple ASP.NET Application. Compile it, blah blah blah.

    In IIS, in the Virtual Directory's properties, under Directory Security, enable Windows Authentication.

    Now attempt to access this application from another computer in your network. You will get a login prompt for that page.

    That is where the authentication is taking place.

  13. #13

    Thread Starter
    Addicted Member
    Join Date
    Sep 2003
    Location
    Bonny Scotland
    Posts
    141

    Re: Single Sign On Implementation

    Ok, it's becoming a bit clearer. If I'm not pushing my luck by asking, does it matter if I test this with Anonymous access checked or unchecked?

    I have tried the simple app and it doesn't prompt for a logon from another PC, is this because the other PC is logged into the domain by another user?

    Thanks
    Last edited by MadCatVB; Mar 8th, 2006 at 11:15 AM.

  14. #14
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Single Sign On Implementation

    Yes, because then it will login with the anonymous account credentials, IUSR_SOMETHING.

  15. #15
    PowerPoster Dave Sell's Avatar
    Join Date
    Mar 2004
    Location
    /dev/null
    Posts
    2,961

    Re: Single Sign On Implementation

    How does the server-side ASP.NET app get access to which user is then logged in?

    Nobody knows what software they want until after you've delivered what they originally asked for.

    Don't solve problems which don't exist.

    "If I had eight hours to cut down a tree, I'd spend six hours sharpening my axe." --- Abraham Lincoln (1809-1865)

    2 idiots don't make a genius.

  16. #16
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Single Sign On Implementation

    You mean in code? Use User.Identity.Name.

    Or are you asking about the inner workings?

  17. #17
    PowerPoster Dave Sell's Avatar
    Join Date
    Mar 2004
    Location
    /dev/null
    Posts
    2,961

    Re: Single Sign On Implementation

    just in code, yes. Thanks!

  18. #18
    I'm about to be a PowerPoster! mendhak's Avatar
    Join Date
    Feb 2002
    Location
    Ulaan Baator GooGoo: Frog
    Posts
    38,170

    Re: Single Sign On Implementation

    Phew, thank goodness.
