
We are trying to implement single sign-on for two different web applications located at different domains:

  1. WebApplication 1 (this will act as a front end where users log in)

  2. WebApplication 2

The basic usage idea will be:

  1. User signs in through a login screen in WebApplication 1

  2. User clicks on a link in WebApplication 1, which then opens a popup screen to WebApplication 2 without signing in again

Now in order to achieve this we created an ETL script which runs every hour to synchronize the user and group accounts from the WebApplication 1 database to the WebApplication 2 database.

Question

  1. Is there a better way to achieve single sign-on rather than writing a script that synchronizes user accounts every hour?

  2. I have read about a new technology called WIF (Windows Identity Foundation) that is built into .NET Framework 4.5. Will this help to solve my issue above?

Rytis I
CliffC

1 Answer


Running a script every hour is not a good idea as it will be overhead on the server.

Achieving single sign-on for different domains can be a bit tough but not really impossible. It becomes difficult only because we cannot share the cookie across different domains. So we can have one separate server for single sign-on:

  1. When the user visits web application 1, redirect the user to the SSO server.
  2. Once the user is redirected to the SSO server, check if the cookie exists; as it is the first time there will be no cookie, so show the login page which is hosted on the SSO server.
  3. After getting the credentials from the user, validate the user.
  4. If the user is valid, generate a token; this token can be a unique hexadecimal number or a hash of the timestamp.
  5. Set this token into the cookie on the SSO server and redirect the user back to the original site or a success page.
  6. Now when the user visits web application 2, redirect the user to the SSO server again.
  7. Once the user comes to the SSO server, check for the cookie; if it exists and has not expired, redirect the user directly to the success page without asking for login credentials again, or show the login page and follow the drill again.

As we are redirecting the user to a different server, we can set the cookie there with a common name such as 'SSOcookie' and access the same cookie every time the user comes from a different application. This will help you to achieve single sign-on for different domains.

Sarang
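The seven-step flow in the answer above, as an added example that is not part of the original question or answer. It models the two applications and the SSO server in one process, with no network. It also goes one step beyond the answer: the 'SSOcookie' lives only on the SSO domain, so the application never sees it; what the application receives on the redirect back is a short-lived ticket that is HMAC-signed with a per-application key and bound to that application, which is the piece an application needs in order to trust the redirect. The SSO cookie value itself is random rather than a hash of a timestamp. The domain names, user list, key material and TTLs are all constructed for the example.

```python
"""Toy model of the cookie-on-SSO-server single sign-on flow.

Two applications on different domains and one SSO server run in the same
process.  Domain names, users, keys and time-outs are constructed for this
example; nothing here is from the original post.
"""
import base64
import hashlib
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed credential store (assumption: a real one stores password hashes).
USERS = {"alice": "correct horse battery staple"}

# Per-application HMAC keys, shared with the SSO server out of band (assumption).
APP_KEYS = {
    "app1.example": secrets.token_bytes(32),
    "app2.example": secrets.token_bytes(32),
}

# Server-side state behind the 'SSOcookie' on the SSO domain: value -> (user, expiry).
SSO_SESSIONS = {}
SSO_COOKIE_TTL = 8 * 3600   # seconds
TICKET_TTL = 60             # seconds; a ticket only has to survive one redirect


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sso_login(username, password, now):
    """Steps 3-5: validate the credentials and mint a random, opaque SSO cookie."""
    if not hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
        return None
    cookie = secrets.token_urlsafe(32)      # random, not derived from the clock
    SSO_SESSIONS[cookie] = (username, now + SSO_COOKIE_TTL)
    return cookie


def sso_cookie_user(cookie, now):
    """Steps 2 and 7: which user does a presented SSO cookie belong to, if any?"""
    entry = SSO_SESSIONS.get(cookie)
    if entry is None:
        return None
    username, expiry = entry
    if now >= expiry:
        SSO_SESSIONS.pop(cookie, None)      # expired: force the login page again
        return None
    return username


def issue_ticket(username, audience, now):
    """Signed, short-lived ticket bound to one application, carried on the redirect back."""
    payload = {"sub": username, "aud": audience, "exp": now + TICKET_TTL,
               "nonce": secrets.token_hex(8)}
    body = _b64(json.dumps(payload, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(APP_KEYS[audience], body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"


def verify_ticket(ticket, audience, now):
    """What the application does when the user comes back: returns the user or None."""
    key = APP_KEYS.get(audience)
    if key is None or ticket.count(".") != 1:
        return None
    body, tag = ticket.split(".")
    try:
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(_unb64(tag), expected):
            return None                     # tampered, or signed for another application
        payload = json.loads(_unb64(body))
    except ValueError:                      # bad base64 / bad JSON
        return None
    if payload.get("aud") != audience or now >= payload.get("exp", 0):
        return None                         # wrong audience or expired
    return payload.get("sub")


def visit(app, sso_cookie, now, credentials=None):
    """One browser trip app -> SSO -> app.  Returns (user the app logs in, SSO cookie)."""
    # Steps 1 and 6: the application redirects to the SSO server with its return URL.
    redirect = "https://sso.example/login?" + urlencode({"return_to": f"https://{app}/popup"})
    return_to = parse_qs(urlparse(redirect).query)["return_to"][0]
    audience = urlparse(return_to).netloc
    if audience not in APP_KEYS:            # only redirect back to registered applications
        return None, sso_cookie
    # Steps 2 and 7: the SSO server checks its own cookie before showing a login page.
    username = sso_cookie_user(sso_cookie, now)
    if username is None:
        if credentials is None:
            return None, sso_cookie         # SSO server shows its login page
        sso_cookie = sso_login(*credentials, now)
        if sso_cookie is None:
            return None, None               # bad credentials
        username = sso_cookie_user(sso_cookie, now)
    # Step 5: redirect back; the application verifies the ticket and starts its own session.
    back = return_to + "?" + urlencode({"ticket": issue_ticket(username, audience, now)})
    ticket = parse_qs(urlparse(back).query)["ticket"][0]
    return verify_ticket(ticket, audience, now), sso_cookie
```

Calling `visit("app1.example", None, now, ("alice", "…"))` plays steps 1 to 5 and returns the SSO cookie; passing that cookie to `visit("app2.example", cookie, now + 5)` plays steps 6 and 7 with no credentials and logs the same user into the second application. A ticket issued for app1 is rejected by app2, as are expired and tampered tickets, so the redirect back cannot be replayed against the other application.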