
Single Sign On For Applications Under Same Domain

26 Jun 2015, CPOL, 3 min read
Single Sign On feature for applications under same domain.

Introduction

This tip gives a working explanation of how to implement single sign on (SSO) in ASP.NET applications that are hosted under the same domain.

Background

The tip assumes that the reader has basic knowledge of application login and ASP.NET forms mode authentication.

Using the Code

Implementing Single Sign On (SSO) is not very complex when the applications are hosted under the same domain name. For example, say you have a domain named www.MainStudio.com and you want to host two or more applications under it, i.e., www.MainStudio.com/DirectorsApp and www.MainStudio.com/ActorsApp. These two apps each have a separate login, and the same set of users must be able to access both apps with a one-time login in either www.MainStudio.com/DirectorsApp or www.MainStudio.com/ActorsApp. To achieve this, we use ASP.NET Forms Authentication and add a few entries to the web.config files.

Forms Authentication

So let us first authenticate a user once he has logged in to the application. Place the below code in your login method after the login is successful.

C#
// Requires: using System; using System.Web.Security;
var emailId = UserEmailId;    // This is the logged-in user's email id
var isPersistent = false;     // true to persist across browser sessions
var userData = string.Empty;  // additional user data, e.g. JSON describing the user
var cookie = FormsAuthentication.GetAuthCookie(emailId, false);
var ticket = FormsAuthentication.Decrypt(cookie.Value);

var newTicket = new FormsAuthenticationTicket(
    ticket.Version,               // ticket version
    ticket.Name,                  // authenticated username
    DateTime.Now,                 // issueDate
    DateTime.Now.AddMinutes(30),  // expiryDate
    isPersistent,                 // true to persist across browser sessions
    userData,                     // can be used to store additional user data; I normally set JSON data of the user,
                                  // which I can later use by reading the auth cookie
    ticket.CookiePath);           // the path for the cookie

cookie.Value = FormsAuthentication.Encrypt(newTicket);
cookie.Expires = newTicket.Expiration.AddHours(1); // the browser keeps the cookie one hour past the ticket's expiry
this.Context.Response.Cookies.Set(cookie);

The code first creates an authentication cookie for the logged-in user's email id and decrypts the cookie value into a ticket. It then creates a FormsAuthenticationTicket called newTicket with the required parameters, encrypts newTicket back into the already created cookie, and sets this cookie on the current response. This way, the logged-in user's authentication cookie is ready to be shared between all the applications under the same domain umbrella.

WebConfig File Settings (Adding machine Keys)

Now the authentication cookie is ready to be shared among all the applications under the same domain name. But the other applications cannot read it until we do one more thing: set up machine keys in both applications' web.config files. Once we add these machine keys, SSO works across the applications. Place the below code in your web.config file.

XML
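<system.web>
  <!-- The same key pair must appear in every application that shares the cookie -->
  <machineKey validationKey="BD52058A3DEA473EA99F29418689528A494DF2B00054BB7C"
              decryptionKey="684FC9301F404DE1B9565E7D952005579E823307BED44885" />
</system.web>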

Note: All the applications that use the SSO feature must use the same machine key values and must implement forms mode of authentication (Forms Authentication). Forms Authentication is also useful if you want Single Sign Off to work. You can sign out of forms authentication with one line of code:

C#
FormsAuthentication.SignOut();

which would sign out the user from all the applications under SSO.

Known Issues

One of the issues I faced was that one of my applications was targeting .NET Framework 4.0 and the other .NET Framework 4.5. This was a limitation for SSO to work, as the 4.5 application couldn't read the cookies set by the 4.0 application. But vice versa was working. I had to add one more entry into the WebConfig machine key element of the 4.5 application to tell it to accept cookies from older versions. The change is as below:

XML
<machineKey validationKey="BD52058A3DEA473EA99F29418689528A494DF2B00054BB7C" 
decryptionKey="684FC9301F404DE1B9565E7D952005579E823307BED44885" 
compatibilityMode="Framework20SP2" />

Note the new entry made as:

XML
compatibilityMode="Framework20SP2"

That's it. You should now be able to get your SSO working.
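
When one application still does not accept the other's cookie, it helps to find out which step fails. The check below is an added example, not part of the original tip; the class and enum names are hypothetical, and it assumes a Web Forms page or handler where `Request` is available.

```csharp
using System;
using System.Security.Cryptography;
using System.Web;
using System.Web.Security;

// Hypothetical helper (not from the original tip): reports why the shared
// forms-authentication cookie was or was not accepted by this application.
public static class SsoCookieCheck
{
    public enum Result { Missing, Unreadable, Expired, Valid }

    public static Result Inspect(HttpRequest request, out FormsAuthenticationTicket ticket)
    {
        ticket = null;

        // FormsCookieName is the name configured for forms authentication;
        // every application sharing the cookie has to use the same name.
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || string.IsNullOrEmpty(cookie.Value))
        {
            return Result.Missing;      // not logged in, or cookie name/path differs
        }

        try
        {
            // Succeeds only when this application's machineKey (and
            // compatibilityMode) match the application that issued the ticket.
            ticket = FormsAuthentication.Decrypt(cookie.Value);
        }
        catch (ArgumentException) { return Result.Unreadable; }
        catch (HttpException) { return Result.Unreadable; }
        catch (CryptographicException) { return Result.Unreadable; }

        if (ticket == null)
        {
            return Result.Unreadable;
        }
        if (ticket.Expired)
        {
            ticket = null;
            return Result.Expired;      // past the expiry set when the ticket was issued
        }
        return Result.Valid;            // ticket.Name and ticket.UserData passed validation
    }
}
```

A result of `Unreadable` in the second application points at the machine key or compatibility mode settings described above, while `Missing` points at the cookie itself not reaching the application.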

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


Written By
Technical Lead Dhruv Compusoft
India

Comments and Discussions

 
Question: SSO for specific user role (Kavitha yadav, 10-Oct-18 23:23)
