Building a Single Sign On Provider Using ASP.NET and WCF: Part 4
Implementing a Single Signon Provider
This is all a rehash, since each point has been covered in detail in the previous parts, but I’d like to tie everything together here and provide the source code. If you’d like detailed descriptions of how and why, review the previous three parts. The full source code will be available here.
- When an unauthenticated client requests a secured resource from the application, that client is redirected to an authentication page.
- The authentication page makes a request (via JSONP) to the SSO service for a token which can then be presented to the application as evidence of the client’s identity with the SSO service.
- If the client has already authenticated with the SSO service and has an active session, skip to step #7; otherwise the request is denied.
- An unauthenticated client (SSO authentication) is redirected to a login page where the client then submits credentials for the SSO service.
- Upon submitting a valid set of credentials to the SSO service the client receives a cookie containing a token which is valid for the SSO service.
- Now that the client has successfully authenticated with the SSO service the client is redirected back to the application’s authentication page (step #2).
- The client now submits the SSO token to the application. The application verifies the token with the SSO service by forwarding it and asking if it is a valid token.
- The SSO service responds to the application with a flag indicating whether or not the submitted token is valid. Potentially, the SSO service could also provide additional information regarding the identity of the client. If the token was valid, the application then responds to the client with a token of its own which identifies the client to the application.
- The client, now authenticated with both the SSO service as well as the application, resubmits the request for the resource from step #1.
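The SSO service side of the nine steps above, as an added example (not the series’ own source code): a WCF REST contract with a Login operation that creates the SSO session (steps 4 and 5), a GetToken operation that the application’s authentication page calls via JSONP (steps 2 and 3), and a ValidateToken operation the application calls server-to-server (steps 7 and 8). It assumes `aspNetCompatibilityEnabled="true"` so the service can read the FormsAuthentication identity from `HttpContext`, a configured ASP.NET Membership provider for `Membership.ValidateUser`, and a `webHttpBinding` with `crossDomainScriptAccessEnabled="true"` for the JSONP call. The `app` audience parameter, the in-memory token store and the two-minute lifetime are this example’s own choices: the token handed to the application is a fresh random value rather than the SSO cookie, is bound to the application that requested it, expires quickly, and is consumed on first validation so a leaked or replayed token fails.

```csharp
using System;
using System.Collections.Concurrent;
using System.Net;
using System.Runtime.Serialization;
using System.Security.Cryptography;
using System.ServiceModel;
using System.ServiceModel.Activation;
using System.ServiceModel.Web;
using System.Web;
using System.Web.Security;

// What ValidateToken hands back to the application (step 8).
[DataContract]
public class TokenValidationResult
{
    [DataMember] public bool IsValid { get; set; }
    [DataMember] public string UserName { get; set; }
}

[ServiceContract]
public interface ISsoService
{
    // Steps 4-5: credentials are posted; on success a FormsAuthentication cookie is set.
    [OperationContract]
    [WebInvoke(Method = "POST", UriTemplate = "login",
        BodyStyle = WebMessageBodyStyle.WrappedRequest,
        RequestFormat = WebMessageFormat.Json, ResponseFormat = WebMessageFormat.Json)]
    bool Login(string userName, string password);

    // Step 2: the application's authentication page asks (via JSONP) for a token.
    // "app" names the application the token is for (this example's addition).
    [OperationContract]
    [WebGet(UriTemplate = "token?app={app}", ResponseFormat = WebMessageFormat.Json)]
    string GetToken(string app);

    // Step 7: the application forwards the token it received and asks whether it is valid.
    [OperationContract]
    [WebGet(UriTemplate = "validate?token={token}&app={app}", ResponseFormat = WebMessageFormat.Json)]
    TokenValidationResult ValidateToken(string token, string app);
}

// Required so the service can read the FormsAuthentication identity via HttpContext
// (assumes aspNetCompatibilityEnabled="true" in <serviceHostingEnvironment>).
[AspNetCompatibilityRequirements(RequirementsMode = AspNetCompatibilityRequirementsMode.Required)]
public class SsoService : ISsoService
{
    private sealed class IssuedToken
    {
        public string UserName;
        public string Audience;    // the application the token was issued for
        public DateTime ExpiresUtc;
    }

    // Hypothetical in-memory store; a multi-node deployment would need a shared store
    // so every SSO node can validate tokens issued by the others.
    private static readonly ConcurrentDictionary<string, IssuedToken> Tokens =
        new ConcurrentDictionary<string, IssuedToken>(StringComparer.Ordinal);

    private static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(2);

    public bool Login(string userName, string password)
    {
        // Assumes an ASP.NET Membership provider is configured for the SSO site.
        if (!Membership.ValidateUser(userName, password))
            return false;

        // Step 5: the SSO session itself is a FormsAuthentication cookie.
        FormsAuthentication.SetAuthCookie(userName, false);
        return true;
    }

    public string GetToken(string app)
    {
        var user = HttpContext.Current.User;

        // Step 3: no SSO session means the request is denied; the authentication
        // page then sends the browser to the SSO login page (step 4).
        if (user == null || !user.Identity.IsAuthenticated)
            throw new WebFaultException(HttpStatusCode.Unauthorized);
        if (string.IsNullOrEmpty(app))
            throw new WebFaultException(HttpStatusCode.BadRequest);

        // The token is a fresh random value, not the session cookie, so the
        // application never receives anything that would let it act as the SSO session.
        var bytes = new byte[32];
        using (var rng = new RNGCryptoServiceProvider())
            rng.GetBytes(bytes);
        string token = HttpServerUtility.UrlTokenEncode(bytes);

        Tokens[token] = new IssuedToken
        {
            UserName = user.Identity.Name,
            Audience = app,
            ExpiresUtc = DateTime.UtcNow + TokenLifetime
        };
        return token;
    }

    public TokenValidationResult ValidateToken(string token, string app)
    {
        var result = new TokenValidationResult { IsValid = false };
        IssuedToken issued;

        // TryRemove makes the token single-use: a second presentation fails here.
        if (string.IsNullOrEmpty(token) || !Tokens.TryRemove(token, out issued))
            return result;

        // Expired tokens and tokens minted for a different application are rejected.
        if (issued.ExpiresUtc < DateTime.UtcNow ||
            !string.Equals(issued.Audience, app, StringComparison.Ordinal))
            return result;

        result.IsValid = true;
        result.UserName = issued.UserName;   // the extra identity information of step 8
        return result;
    }
}
```

Because the JSONP request for `token?app=...` is a plain script-tag GET to the SSO domain, the browser attaches the SSO FormsAuthentication cookie automatically, which is what lets `GetToken` see an authenticated `HttpContext.Current.User`; the token in the JSON response is the only thing that crosses back to the application’s page.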
We’re using the FormsAuthentication API within WCF to manage identity.
Web Application Client
Web.Config – system.serviceModel definition
For the web application, all that is required is to call the ValidateToken method of the SSO service and then provide the client with a token that identifies the client to the ASP.NET application (the Authenticate method calls FormsAuth.SignIn()):
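The application side, as an added example rather than the post’s own code: an `IHttpHandler` behind the authentication page receives the SSO token from the browser, calls ValidateToken over a WCF `ChannelFactory`, and only on a valid answer issues the application’s own FormsAuthentication cookie (the post’s helper is `FormsAuth.SignIn()`; this example calls `FormsAuthentication.SetAuthCookie` directly). The client endpoint name `SsoService`, the application name `ExampleApp` and the client-side contract `ISsoValidation` (declaring only the operation the application calls) are this example’s assumptions; the endpoint is assumed to use `webHttpBinding` in the web.config `system.serviceModel` section.

```csharp
using System;
using System.Runtime.Serialization;
using System.ServiceModel;
using System.ServiceModel.Description;
using System.ServiceModel.Web;
using System.Web;
using System.Web.Security;

// Client-side view of the SSO contract: only the operation the application needs.
[DataContract]
public class TokenValidationResult
{
    [DataMember] public bool IsValid { get; set; }
    [DataMember] public string UserName { get; set; }
}

[ServiceContract]
public interface ISsoValidation
{
    [OperationContract]
    [WebGet(UriTemplate = "validate?token={token}&app={app}", ResponseFormat = WebMessageFormat.Json)]
    TokenValidationResult ValidateToken(string token, string app);
}

// Handler behind the application's authentication page (step 7): the browser POSTs the
// token it obtained from the SSO service, the application checks it server-to-server,
// and only then issues its own FormsAuthentication cookie (step 8).
public class AuthenticateHandler : IHttpHandler
{
    // Name this application presents to the SSO service (hypothetical setting).
    private const string ApplicationName = "ExampleApp";

    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // Accept the token only in a POST body so it does not land in query-string logs.
        if (context.Request.HttpMethod != "POST")
        {
            context.Response.StatusCode = 405;
            return;
        }

        string token = context.Request.Form["token"];
        if (string.IsNullOrEmpty(token))
        {
            context.Response.StatusCode = 400;
            return;
        }

        TokenValidationResult result = Authenticate(token);
        if (!result.IsValid)
        {
            // No application cookie is ever issued on an invalid or unverifiable token.
            context.Response.StatusCode = 401;
            return;
        }

        // The application's own identity cookie; step 9 re-requests the original resource.
        // GetRedirectUrl honours the ReturnUrl recorded when the client was first redirected.
        FormsAuthentication.SetAuthCookie(result.UserName, false);
        context.Response.Redirect(FormsAuthentication.GetRedirectUrl(result.UserName, false), false);
    }

    // Calls ValidateToken over the client endpoint named "SsoService" in web.config
    // (assumed name). Fails closed: any transport error is treated as "not valid".
    public static TokenValidationResult Authenticate(string token)
    {
        var invalid = new TokenValidationResult { IsValid = false };
        var factory = new ChannelFactory<ISsoValidation>("SsoService");

        // Add the REST dispatch behaviour unless web.config already declares <webHttp/>.
        if (factory.Endpoint.Behaviors.Find<WebHttpBehavior>() == null)
            factory.Endpoint.Behaviors.Add(new WebHttpBehavior());

        ISsoValidation sso = factory.CreateChannel();
        try
        {
            return sso.ValidateToken(token, ApplicationName) ?? invalid;
        }
        catch (CommunicationException)
        {
            return invalid;
        }
        catch (TimeoutException)
        {
            return invalid;
        }
        finally
        {
            try { ((IClientChannel)sso).Close(); } catch { ((IClientChannel)sso).Abort(); }
            try { factory.Close(); } catch { factory.Abort(); }
        }
    }
}
```

The point to notice is that the application trusts nothing the browser says about the token: the decision comes from the SSO service’s answer to the forwarded token, and an unreachable service produces a 401 rather than a cookie.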
At this point you have everything you need to implement an SSO provider using ASP.NET. In theory, if you know how to set up WCF to communicate with platforms other than the .NET Framework (something that is beyond the scope of this article), your SSO service can be used across platforms as well as across domains.
If the scope of the applications you are targeting is smaller (they’re all part of the same domain, or even on the same machine), there are certainly simpler ways to accomplish the same result with less effort. This is an example of a provider that can cover a group of applications from any domain and across any platform/hardware boundaries.
I’ve really learned a lot in this exercise, thanks for following me through this. I hope you enjoyed it as well.