The most used authentication type under ASP.NET in a web environment is the Forms Authentication. Sometimes we need multiple applications, each one implementing its own authentication, to share authentication data between other applications, so that if a user logs in one application, he doesn't need to sign in again when accessing the other applications.
Machine Key
The
machineKey element of the web.config file is used to specify keys for encryption and decryption of forms authentication cookies and view state data, and also when dealing with out of process session state.
The default configuration uses auto generated decryption key and validation key, and SHA1 encryption type.
Using the default configuration, different web applications have different decryption and validation key, since they are randomly generated. To force 2 applications to use the same keys, they must be explicitly defined i
n the web.config file
A complete description of the
machineKey element is available
here
Single Sign On
Single Sign On (SSO) is a term used to indicate when a pool of applications need a centralized authentication, so that users login once and access to any application.
Implementing a single sign on is quite simple, and can be done by configuring the applications using the web.config file.
A default configuration for forms authentication is defined as follows:
<configuration>
...
<system.web>
...
<authentication mode="Forms">
<forms name=".cookiename"
loginUrl="~/Login.aspx"
timeout="30"
path="/" />
</authentication>
...
</system.web>
...
</configuration>
Form Authentication
Forms Authentication uses an authentication ticket stored in either a cookie or embedded in the url.
When used in cookie mode, the cookie contains authentication data, encrypted so that data can be read by the application who has created the cookie.
Cookies are associated to 2nd level domains (example.com), and can be accessed from any 3rd level domain (www.example.com, test.example.com, and so on).
where .cookiename, by default, is .ASPXFORMSAUTH.
In order for authentication data to be recognized across multiple applications, each application must be configured to use the same values for cookie name, protection and path attributes. But this isn't enough - in fact, they must also have the same machine key values (see the side box for more info about the machineKey element). These information are used to encrypt the forms authentication cookie, as mentioned in the "Forms Authentication" side box.
Below a sample web.config excerpt which must be added to each application we want single sign on enabled. In this sample, the validationKey and encryptionKey attributes must be replaced with unique values you have to generate for your applications pool.
<configuration>
...
<system.web>
...
<authentication mode="Forms">
<forms name=".cookiename"
loginUrl="~/Login.aspx"
timeout="30"
path="/"
/>
</authentication>
...
<machineKey
validationKey=
"F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902"
encryptionKey=
"F9D1A2D3E1D3E2F7B3D9F90FF3965ABDAC304902F8D923AC"
validation="SHA1"
/>
...
</system.web>
...
</configuration>
Second and third level domains
If the cooperating applications are installed under the same 2nd and 3rd level domain, but on different virtual folders, then no additional code is required.
If applications are installed on different second level domains (www.domain1.com and www.domain2.com), the SSO method described in this article won't work, since cookies cannot be read by applications under different second level domains. For example, if application A in domain1.com issues a cookie, the cookie may be read by A itself and any application hosted under www.domain1.com and any other 3rd level domain (test.domain1.com, beta.domain1.com, and so on). Application B in domain2.com isn't able to read the cookie, since it is hosted under a different second level domain.
If cooperating applications are installed on different third level domains, then we need to add some code in order to make SSO work. The code simply has to add the domain name to the authentication cookie, as outlined below
protected void Login (string strUserName, ...)
{
...
System.Web.HttpCookie cookie;
cookie = FormsAuthentication.GetAuthCookie(strUserName, False);
cookie.Domain = "domain1.com";
cookie.Expires = DateTime.Now.AddDays (-1);
Response.AppendCookie (cookie);
...
}
Cookie Expiration
If different applications set different cookie expirations, the actual expiration value is the one set by the application which issued it. So if application A is configured to set an expiration of 1 hour and application B 2 hours, and the user signs in using application B, then the cookie expiration is set to 2 hours.
Logging out
Usually, in order to log out a user, a call to the Authentication.SignOut() method is used - this isn't enough when using SSO. In order to perform a single sign out, the quickest way is to set the cookie expiration to a past date - this ensures that the cookie won't be used by any application for authentication.
protected void Logout (string strUserName)
{
System.Web.HttpCookie cookie;
cookie = FormsAuthentication.GetAuthCookie(strUserName, false);
cookie.Domain = "domain1.com";
cookie.Expires = DateTime.Now.AddDays (-1);
Response.AppendCookie (cookie);
}