Let's say I have two websites that live on separate domains, and they are authenticated with SSO login. I log into the first website and authenticate, and now I decide to visit the second website using a link visible in the first website. This link redirects to the second website and no credentials are needed. (Note that these websites are developed and hosted by some other company and I don't have access to the source code. I have one set of login credentials and I am expecting to access the page data of the second website.)

What I have tried:

I want to access the websites using .NET code. I have done some work and got as far as accessing the link on the first website, which redirects to the second website, using HTTP requests and cookies. But soon after I click the link, it opens domain 2 in a new browser tab and generates a new session ID as well. It doesn't have any connection with the first website's cookie. But I can access the data of website 2 when I pass the URL and current session ID of website 2 manually.

Is there any security mechanism behind SSO login which can be broken through to access the common session ID for both website 1 and website 2? How can I find the connection between the two domains when they have two session IDs? I can't post the code here as it has some private information of my client.
Updated 26-Sep-16 22:28pm
Comments
Nathan Minier 21-Sep-16 7:50am    
Sooo...pass the session Id as part of the link.

What's the issue?
Muthu Karunarathna 21-Sep-16 11:04am    
The session ID is changing from the 1st domain to the 2nd domain, and there is no connection between the cookies of the two domains. If I start the first request with the 1st domain, I should have a proper connection among cookies to go further. But in between it is lost. It works if I pass the session ID manually. But that is not what I want.
Nathan Minier 22-Sep-16 7:50am    
If you're accessing those sites from .NET code, you are building and sending HTTP packets (presumably using System.Net.Http.HttpClient). That means that you can build the headers at run time.

That means that your system can assign the Session-Id for the second site....at runtime.

Again, I don't understand the issue.
Muthu Karunarathna 22-Sep-16 8:23am    
Please refer to this link. I published it in the .NET forum and it might explain the problem clearly.
http://forums.asp.net/p/2104102/6082102.aspx?Re+Access+the+cross+domain+single+sign+on+websites+using+net

1 solution

I solved the problem. There was a SAML request and relay state which were sent to the login server from both domains. Even though they are not identical, we have to consider them when accessing the form data. Also, with cookies, I had to send pls_login_cookietime specifically from the very first request to the last request.

Ex:

var cookie =
    new
    {
        // Taken from the initial URL's response; sent on every request up to the final one.
        pls_login_cookieTime = Cookietime.CookieValue("pls_login_cookieTime"),
        // The remaining values come from the login server's response.
        pls_login_SimpleSAMLSessionID = HttpUtility.UrlEncode(login.CookieValue("pls_login_SimpleSAMLSessionID")),
        TimeOutCheckID = login.CookieValue("TimeOutCheckID"),
        pls_login_SimpleSAMLAuthToken = login.CookieValue("pls_login_SimpleSAMLAuthToken"),
        pls_login_rememberme = login.CookieValue("pls_login_rememberme")
    };


Here Cookietime and login are the results of accessing two different URLs, where Cookietime is the initial URL and login includes the login server URL. Even though login doesn't provide pls_login_cookieTime as a response cookie, I had to pass it to the final URL in the request headers.

There were a few small confusions. If you use tools like Fiddler to check the HTTP requests, you can understand most of how they have managed cookies across multiple domains. The rest is in your hands. You have to think a little bit harder and differently. But overall it is not difficult. It is just confusing.
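
The following is an added example, not code from the poster or from either website. It shows why the two domains never share a session ID (cookies are scoped per host) and what actually links them: the SAML message and RelayState carried in a form posted to the second site. The host names, the SESSIONID cookie, the form contents and the HTTP-POST binding are assumptions constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text.RegularExpressions;

static class SamlPostBindingDemo
{
    // Constructed sample of the auto-submitting form a login server returns
    // under the SAML HTTP-POST binding. The SAMLResponse value is a placeholder.
    const string IdpHtml = @"<form method=""post"" action=""https://site2.example/saml/acs"">
<input type=""hidden"" name=""SAMLResponse"" value=""BASE64_SIGNED_ASSERTION_PLACEHOLDER"" />
<input type=""hidden"" name=""RelayState"" value=""https://site2.example/reports?a=1&amp;b=2"" />
</form>";

    // Extract the form target and its hidden fields from the login server's page.
    static (Uri Action, Dictionary<string, string> Fields) ParseAutoPostForm(string html)
    {
        var action = Regex.Match(html, @"<form[^>]*\baction=""([^""]+)""", RegexOptions.IgnoreCase);
        if (!action.Success) throw new FormatException("no form action found");

        var fields = new Dictionary<string, string>();
        foreach (Match m in Regex.Matches(html,
                 @"<input[^>]*\bname=""([^""]+)""[^>]*\bvalue=""([^""]*)""", RegexOptions.IgnoreCase))
            fields[m.Groups[1].Value] = WebUtility.HtmlDecode(m.Groups[2].Value);

        if (!fields.ContainsKey("SAMLResponse")) throw new FormatException("no SAMLResponse field");
        return (new Uri(WebUtility.HtmlDecode(action.Groups[1].Value)), fields);
    }

    static void Main()
    {
        // One cookie jar for the whole flow; it keeps each host's cookies separate.
        var jar = new CookieContainer();
        jar.Add(new Cookie("SESSIONID", "constructed-site1-session", "/", "site1.example"));
        foreach (var host in new[] { "https://site1.example/", "https://site2.example/" })
            Console.WriteLine($"{host} receives {jar.GetCookies(new Uri(host)).Count} cookie(s)");

        // The second site creates its own session only after this form is posted to it.
        var (acs, fields) = ParseAutoPostForm(IdpHtml);
        Console.WriteLine($"POST {acs}");
        foreach (var kv in fields)
            Console.WriteLine($"  {kv.Key} = {kv.Value}");
    }
}
```

In a live flow the same CookieContainer would be attached to an HttpClientHandler so that every hop, including the login server, sees the cookies that belong to its own host.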
 
 

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


