ASP.NET 2.0: Implementing Single Sign On (SSO) with the membership API

Source: Internet
Author: User
The membership API is awesome, no doubt about that, but I wish it had more obvious built-in support for SSO. The only authentication method takes a username and password; there is no support for a token-based system. Also, if you add another method to verify against a ticketing authority, the membership API simply ignores it.

So the question is: how do you do SSO using the membership API, with a custom provider or otherwise?

Now, ASP.NET has three kinds of authentication:

Passport: nobody uses it anymore, and it is SSO by definition anyway.
Windows: SSO is a moot point here.
Forms: this is where the problem begins, so that's all I'm going to discuss here.

Well, Single Sign On is almost always implemented using a central ticketing authority. The idea is similar to visiting a bar: you get a "token" stamped on the back of your hand as you walk in, and then everywhere in the bar you are recognized as "over 21".

Similarly, in a ticket-based SSO implementation, a central ticketing authority issues you a "ticket" at logon. You can then integrate with any other system by passing the "ticket" rather than your authentication credentials. As long as the protected system can verify the "ticket" as being valid, you're in; otherwise, you're out.

Anyway, the first thing you need to do is set up a ticket verification web service. The idea is that any time you successfully authenticate, you are issued a ticket, which will ideally be a GUID, stored in a cookie that expires when the user closes his browser. Then you can circumvent the membership API's "authenticate" method by instead verifying the ticket, if one is present.

So let's assume that the ticket is being passed as a query string parameter called "ssotoken". Obviously, if someone else sniffed your ticket ID, he could masquerade as you, so this approach requires some kind of encryption.

So in the Page_Load of your login.aspx page, write the following code:

using System;
using System.Web;
using System.Web.Security;

protected void Page_Load(object sender, EventArgs e)
{
    // Forms authentication sends unauthenticated users here as
    // login.aspx?ReturnUrl=<escaped original URL>; the SSO ticket rides
    // inside that original URL's own query string as "ssotoken".
    string returnUrl = Request.QueryString["ReturnUrl"];
    if (string.IsNullOrEmpty(returnUrl))
    {
        return; // no ReturnUrl means no ticket: fall through to the normal login form
    }

    string unescapedReturnUrl = Uri.UnescapeDataString(returnUrl);
    string tokenId = ParseUrl(unescapedReturnUrl);

    if (IsTokenValid(tokenId))
    {
        // The ticketing authority vouched for the ticket: issue the forms auth
        // cookie for its owner (session cookie, not persistent) and send the user
        // on. Worth confirming the target is a local path before redirecting.
        FormsAuthentication.SetAuthCookie(GetUserName(tokenId), false);
        Response.Redirect(unescapedReturnUrl);
    }
}

 

Basically, "tokenId" is the token that was passed in as a query string parameter (or by any other means), and IsTokenValid queries the ticketing web service to check the validity of the ticket. The ParseUrl method is simply some magic to separate the query string pieces out of the URL contained in the "ReturnUrl" query string parameter. If you're interested, the code for that looks like this:

private string ParseUrl(string unescapedReturnUrl)
{
    // ReturnUrl is normally a relative path, so prefix a throwaway host to give
    // UriBuilder something absolute to parse; only its query part is used.
    UriBuilder bldr = new UriBuilder("http://dummyurl" + unescapedReturnUrl);
    QueryStringParser coll = new QueryStringParser(bldr.Query);
    return coll["ssotoken"];
}

 

The QueryStringParser class looks like this:

using System.Collections.Specialized;
using System.Text;
using System.Web;

internal class QueryStringParser : NameValueCollection
{
    internal QueryStringParser(string s)
    {
        int length = (s != null) ? s.Length : 0;

        // Drop the leading "?" that UriBuilder.Query carries.
        if (length != 0)
        {
            s = s.Substring(1);
            length = s.Length;
        }

        for (int i = 0; i < length; i++)
        {
            int start = i;
            int equalsPos = -1;

            // Scan one "name=value" pair, stopping at the next '&'; only the
            // first '=' separates name from value.
            while (i < length)
            {
                char ch = s[i];
                if (ch == '=')
                {
                    if (equalsPos < 0)
                    {
                        equalsPos = i;
                    }
                }
                else if (ch == '&')
                {
                    break;
                }
                i++;
            }

            string name = null;
            string value = null;
            if (equalsPos >= 0)
            {
                name = s.Substring(start, equalsPos - start);
                value = s.Substring(equalsPos + 1, (i - equalsPos) - 1);
            }
            else
            {
                // No '=': the whole piece is a nameless value.
                value = s.Substring(start, i - start);
            }

            base.Add(HttpUtility.UrlDecode(name, Encoding.ASCII), HttpUtility.UrlDecode(value, Encoding.ASCII));

            // A trailing '&' yields one extra empty, nameless entry.
            if (i == (length - 1) && s[i] == '&')
            {
                base.Add(null, string.Empty);
            }
        }
    }
}

That's it! Put all these together and you have SSO using the membership API.
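As an added example (not code from the original post), here is what the ticket verification web service behind IsTokenValid and GetUserName can look like: a minimal in-memory ticketing authority that issues a GUID ticket after a successful logon and redeems it exactly once within a fixed lifetime, so a ticket sniffed in transit is worthless once the real user has consumed it or it has aged out. The class name, the lifetime rule, the one-time redemption, and the assumption that the web service simply wraps these two calls are all mine, not the article's.

```csharp
using System;
using System.Collections.Generic;

// Constructed stand-in for the central ticketing authority the article assumes.
// Class and method names are assumptions, not code from the original post.
public sealed class SsoTicketAuthority
{
    private sealed class Ticket
    {
        public readonly string UserName;
        public readonly DateTime ExpiresUtc;
        public Ticket(string userName, DateTime expiresUtc)
        {
            UserName = userName;
            ExpiresUtc = expiresUtc;
        }
    }

    private readonly Dictionary<string, Ticket> _tickets = new Dictionary<string, Ticket>();
    private readonly TimeSpan _lifetime;

    public SsoTicketAuthority(TimeSpan lifetime)
    {
        _lifetime = lifetime;
    }

    // Called by the logon page after Membership.ValidateUser succeeds: mint an
    // opaque, unguessable ticket and record its owner and expiry server-side.
    public string Issue(string userName)
    {
        string ticketId = Guid.NewGuid().ToString("N");
        lock (_tickets)
        {
            _tickets[ticketId] = new Ticket(userName, DateTime.UtcNow.Add(_lifetime));
        }
        return ticketId;
    }

    // The verification call behind IsTokenValid/GetUserName, merged into one
    // atomic step: returns the owner of a live ticket and removes it, else null.
    public string Redeem(string ticketId)
    {
        if (string.IsNullOrEmpty(ticketId)) return null;
        lock (_tickets)
        {
            Ticket ticket;
            if (!_tickets.TryGetValue(ticketId, out ticket)) return null;
            _tickets.Remove(ticketId); // consumed whether or not it is still live
            return DateTime.UtcNow < ticket.ExpiresUtc ? ticket.UserName : null;
        }
    }
}
```

In the article's Page_Load, a single Redeem call then replaces the IsTokenValid/GetUserName pair, so the ticket is looked up and invalidated in one step.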
