Understanding single sign-on in ASP.NET 2.0

Source: Internet
Author: User
Tags: microsoft sql server 2005
Huilang's note: this is an article I just came across. It seemed good, so I could not help translating it so that you can read it more conveniently. My English is limited, so I hope you will criticize and correct it (not just limited, actually quite bad, so go easy on me, brothers ~~~).

Original article: Understanding single sign-on in ASP.NET 2.0

Published: 16 Jan 2008

Summary

In this article, Masoud discusses single sign-on across ASP.NET applications, covering membership providers, web.config configuration, and encrypting and decrypting the configuration file. At the end of the article he provides a sample application that authenticates users with the ASP.NET login controls.

By Masoud Tabatabaei

Contents:

    • Introduction
    • What is SSO? How does it work?
    • System requirements
    • Work
    • Download
    • Conclusion

Introduction

Usually, when you implement authentication for an ASP.NET web application, you create a login page for that application. Now imagine you have two or more related web applications: you would prefer to present a single login page for all of them, so that after logging in once the user can browse every related application without logging in again. Single sign-on (SSO) is an access-control mechanism that lets a user authenticate once and then access the resources of several software systems.

Suppose you have created two or more web sites on your server and, as on any other site, you use ASP.NET forms authentication to authenticate your users. You would therefore need one or more login pages for these sites. This article shows how to achieve cross-application login with a configuration change: a single login page serves all of the applications, and once a user has been authenticated he can browse the other sites without logging in again. In the appendix you will also see how to encrypt the relevant section of the configuration file.

What is single sign-on? How does it work?

Many companies have systems that use web sites or web applications as the presentation layer, and they naturally need authentication and authorization, implemented on ASP.NET 2.0 with the membership and role providers or with custom providers. By default each site has a "login.aspx" web form that checks whether the user's ID and password are valid in the database. When you have only one site, or the sites run independently, that is fine. But when two or more sites are related or linked together you may ask: why should the user have to log on to each application separately? Why can't a single "login.aspx" authenticate the user for all of the related applications? Fortunately, in ASP.NET 2.0 you can achieve cross-application access with the same configuration, whether the site is new or already exists.

In the ASP.NET configuration file (web.config) there is a section named <machineKey>. It holds the keys used to encrypt, decrypt and validate forms-authentication cookie data and view-state data (the same keys also validate out-of-process session-state identifiers). Once a user has been authenticated and the forms-authentication cookie has been stored on the client, any other application configured with the same <machineKey> can decrypt and validate that cookie and accept it as a valid authentication ticket, so no second login is needed there. Two things follow from this. First, the cookie must actually be sent to the other application: in this article both sites live on the same host (localhost/aspalliance1 and localhost/aspalliance2), so the forms cookie with its default path of "/" reaches both; sites on different host names would need the cookie's domain attribute set so that the browser sends it to all of them. Second, the shared key is the entire trust boundary: anyone who holds the validationKey and decryptionKey can mint a ticket for any user that every site sharing them will accept, so share the keys only between applications that trust each other, generate your own values rather than reusing keys printed in an article, and protect them at rest, which is what the configuration encryption described next is for.
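The mechanism described in the paragraph above, as an added example that is not part of the original article or its sample project: a small Python model of a forms-authentication ticket validated by its HMAC-SHA1 over a shared validationKey (mirroring the validation="SHA1" setting). It is not the ASP.NET wire format and leaves out the encryption with decryptionKey that ASP.NET also applies; the key bytes, site names and user name are constructed for the demonstration. It shows that a ticket issued by aspalliance1 is accepted by aspalliance2 but not by a site with a different key, that tampered or expired tickets are rejected, and that anyone holding the key can mint an Admin ticket that every sharing site accepts.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed keys for the demonstration (not the article's keys; generate your
# own for real deployments).  64 bytes is the validationKey size used with
# validation="SHA1".
SHARED_VALIDATION_KEY = bytes.fromhex("0f" * 64)
OTHER_VALIDATION_KEY = bytes.fromhex("a5" * 64)

TAG_LEN = hashlib.sha1().digest_size  # 20 bytes


class FormsAuthSite:
    """A web application holding the validationKey from its <machineKey>.

    Model only: a ticket is base64(payload || HMAC-SHA1(validationKey, payload)).
    Real ASP.NET 2.0 additionally encrypts the ticket with decryptionKey when
    protection="All"; that step is left out here.
    """

    def __init__(self, name, validation_key):
        self.name = name
        self.key = validation_key

    def _mac(self, payload):
        return hmac.new(self.key, payload, hashlib.sha1).digest()

    def issue_ticket(self, user, lifetime_s=1800, now=None):
        """What login.aspx does after a successful credential check."""
        now = time.time() if now is None else now
        payload = json.dumps({"user": user, "issued_by": self.name,
                              "exp": now + lifetime_s}).encode()
        return base64.urlsafe_b64encode(payload + self._mac(payload)).decode()

    def validate_ticket(self, ticket, now=None):
        """Return the user name if the ticket is genuine and unexpired, else None."""
        now = time.time() if now is None else now
        try:
            raw = base64.urlsafe_b64decode(ticket.encode())
        except ValueError:  # binascii.Error is a ValueError subclass
            return None
        if len(raw) <= TAG_LEN:
            return None
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        # Constant-time comparison; a ticket made under a different key fails here.
        if not hmac.compare_digest(tag, self._mac(payload)):
            return None
        try:
            data = json.loads(payload.decode())
        except (UnicodeDecodeError, ValueError):
            return None
        if data.get("exp", 0) < now:
            return None
        return data.get("user")


def tamper(ticket):
    """Flip one bit of the payload; the MAC no longer matches."""
    raw = bytearray(base64.urlsafe_b64decode(ticket.encode()))
    raw[0] ^= 0x01
    return base64.urlsafe_b64encode(bytes(raw)).decode()


def demo(now=1_000_000.0):
    site1 = FormsAuthSite("aspalliance1", SHARED_VALIDATION_KEY)
    site2 = FormsAuthSite("aspalliance2", SHARED_VALIDATION_KEY)
    unrelated = FormsAuthSite("unrelated-site", OTHER_VALIDATION_KEY)
    attacker = FormsAuthSite("anyone-holding-the-key", SHARED_VALIDATION_KEY)

    ticket = site1.issue_ticket("Admin", now=now)
    return {
        # same <machineKey>: aspalliance2 accepts the cookie set by aspalliance1
        "site2_accepts": site2.validate_ticket(ticket, now=now + 1),
        # different key: the cookie is just noise, the user must log in there
        "unrelated_accepts": unrelated.validate_ticket(ticket, now=now + 1),
        # lifetime (1800 s) exceeded
        "expired": site2.validate_ticket(ticket, now=now + 3600),
        # one flipped bit
        "tampered": site2.validate_ticket(tamper(ticket), now=now + 1),
        # the key is the trust boundary: whoever has it can mint tickets
        "forged": site2.validate_ticket(attacker.issue_ticket("Admin", now=now),
                                        now=now + 1),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The "forged" entry is the point to take away: the article's configuration makes every site that holds the keys equally able to authenticate any user, so the keys deserve the same protection as the password database.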

Because the <machineKey> values are sensitive, you should encrypt that section of the configuration file. To do this I use the Configuration class together with the SectionInformation class, which holds the metadata of a single configuration section. Its ProtectSection() method encrypts the section, and UnprotectSection() decrypts it again.

System requirements

· A web server running on Windows 2000 or later

· .NET Framework 2.0

· Visual Studio 2005

· Microsoft SQL Server 2005 Express Edition

Now let's look at what happens in the project. I have a web site (Aspalliance1) containing a login page named "login.aspx", which is used to authenticate users. The site also has a page called "default.aspx" with a header, some text and a link to the Aspalliance2 site. You will see that once the user has logged on, he can navigate to the other site without a second login. There is also a page "encryption.aspx" with two buttons that encrypt and decrypt the configuration file.

As I said before, you can achieve cross-application access with a small change to your web configuration file. In web.config there is a configuration section named <system.web>; we give both sites the same configuration by placing a <machineKey> section with identical values inside <system.web>. <machineKey> has a few attributes that I will configure: validation specifies the algorithm used to validate data (SHA1 here); validationKey is the key used to validate (integrity-check) data; and decryptionKey is the key used to encrypt and decrypt data. Each key is either an explicit value or AutoGenerate; AutoGenerate would defeat sharing, because each machine generates its own key. The values in Listing 1 are the article's sample values; generate your own for any real deployment.

Listing 1: machineKey configuration in web.config

<machineKey
    validationKey="282487e295028e59b8f411acb689ccd6f39ddd21e6055a3ee480415315994760adf21b580d8587db675fa02f79167413044e25309cccdb647174d5b3d0dd9141"
    decryptionKey="8b6697227cbca902b1a0925d40faa00bdaf2df4359d2099"
    validation="SHA1" />

The section above is shown in clear text and should not be deployed to the server in that form. For security, it is important that the <machineKey> deployed to the server is encrypted; Listing 2 shows the encrypted form (the cipher values are those printed in the article and are illustrative only).

Listing 2: encrypted machineKey in web.config

<machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
  <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
                 xmlns="http://www.w3.org/2001/04/xmlenc#">
    <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
    <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <KeyName>Rsa Key</KeyName>
        </KeyInfo>
        <CipherData>
          <CipherValue>lm3mfpx/94zm3hgdbsmkiixbrwm14t3/ugxs40bfoahbiactwq3gvqusftofvuonvny01kgbceh10rveiddjnz/8lubnocbhm8oljgplhvrt+rjc/lrpesjk2ni/jy2swkxlgejgsq1w5ne53gztg3s9hu+nk4owxnt6z3v7am=</CipherValue>
        </CipherData>
      </EncryptedKey>
    </KeyInfo>
    <CipherData>
      <CipherValue>bceguv/dh1imbcm5vn0kn8nrd+ex+kemenr7x+vekwt1zo6y5+jryf4rdwmjcfj1jhc36+mafcdhuxn0rpb6hu5yutx9va5q5n0ngrs9aipg+0ihuus3hdzqe3p6nli30m1h0pml1yjbovy0i6fbca6++gt2mdwclerk+pvwmoq7p1q97n5pnznqhvkcx45lhs5ysvs+mjjxvetrcatftpvaucjlsncl2kmerzf5w/su3ableuy04wPipeline+0cefe/hj2chpyw=</CipherValue>
    </CipherData>
  </EncryptedData>
</machineKey>

You encrypt configuration sections with the Configuration and SectionInformation classes. To encrypt and decrypt the <machineKey> section we write a little code. SectionInformation has a method ProtectSection(); you pass it a string naming the protection provider, for example "RsaProtectedConfigurationProvider", and it encrypts that configuration section. There is also a Boolean property ForceSave, which must be set to true so that the Save() method of the Configuration class actually writes the section to the configuration file. The code-behind of the "encryption.aspx" page has two buttons, one to encrypt and one to decrypt the configuration file. Note that this page must itself be access-controlled: anyone who can reach it can turn the keys back into clear text, and it runs under the application pool identity, which needs write access to web.config and access to the RSA key container. The same operations are available from the command line with aspnet_regiis -pe "system.web/machineKey" -app "/Aspalliance1" (and -pd to decrypt); when the encrypted section is copied to another server, the RSA key container has to be exported and imported there as well (aspnet_regiis -px and -pi) and the application pool identity granted access to it (aspnet_regiis -pa).

Listing 3: code to encrypt the web configuration file

using System;
using System.Configuration;
using System.Web.Configuration;

protected void btnEncrypt_Click(object sender, EventArgs e)
{
    try
    {
        // Open the web.config of the Aspalliance1 application by its virtual path
        Configuration config = WebConfigurationManager.OpenWebConfiguration("/Aspalliance1");
        ConfigurationSection machineKeySection = config.GetSection("system.web/machineKey");

        // Encrypt the section with the RSA provider; ForceSave makes Save() write
        // the section even though none of its values changed
        machineKeySection.SectionInformation.ProtectSection("RsaProtectedConfigurationProvider");
        machineKeySection.SectionInformation.ForceSave = true;
        config.Save();

        Response.Write("<h2 style='color: red'>Encryption succeeded</h2>");
    }
    catch (Exception ex)
    {
        // HTML-encode the message so exception text cannot inject markup into the page
        Response.Write("<h2 style='color: red'>Error while encrypting</h2><br/>");
        Response.Write(Server.HtmlEncode(ex.Message));
    }
}

Listing 4: code to decrypt the web configuration file

using System;
using System.Configuration;
using System.Web.Configuration;

protected void btnDecrypt_Click(object sender, EventArgs e)
{
    try
    {
        // Open the same web.config and locate the encrypted section
        Configuration config = WebConfigurationManager.OpenWebConfiguration("/Aspalliance1");
        ConfigurationSection machineKeySection = config.GetSection("system.web/machineKey");

        // Decrypt the section back to clear text and force the file to be rewritten
        machineKeySection.SectionInformation.UnprotectSection();
        machineKeySection.SectionInformation.ForceSave = true;
        config.Save();

        Response.Write("<h2 style='color: red'>Decryption succeeded</h2>");
    }
    catch (Exception ex)
    {
        // HTML-encode the message so exception text cannot inject markup into the page
        Response.Write("<h2 style='color: red'>Error while decrypting</h2><br/>");
        Response.Write(Server.HtmlEncode(ex.Message));
    }
}

Now the second site, aspalliance2, has to be given the same configuration. First, change the loginUrl in its forms authentication section. This is the page anonymous users are redirected to; normally it is the site's own "login.aspx", but now it redirects them to the "login.aspx" page of the aspalliance1 site.

Listing 5: setting the authentication section in web.config

<authentication mode="Forms">
    <forms loginUrl="http://localhost/aspalliance1/login.aspx" name=".ASPXAUTH" />
</authentication>

If you want cross-application login across several of your sites, the essential point is that the two or more sites must be configured with the same <machineKey>. So I simply copy the <machineKey> section from the aspalliance1 site into the aspalliance2 site; it must match exactly, and the forms cookie name must be the same on both sites as well. Now you are ready to test the sites.

Listing 6: machineKey configuration in the second site's web.config

<machineKey
    validationKey="282487e295028e59b8f411acb689ccd6f39ddd21e6055a3ee480415315994760adf21b580d8587db675fa02f79167413044e25309cccdb647174d5b3d0dd9141"
    decryptionKey="8b6697227cbca902b1a0925d40faa00bdaf2df4359d2099"
    validation="SHA1" />
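As an added check that is not part of the article or its download, the following Python script compares two sites' web.config files and reports why single sign-on between them would fail: a key that differs, a key left at AutoGenerate or marked IsolateApps (both produce per-machine or per-application keys), a malformed key, or a mismatched forms cookie name. The web.config documents and the key values in them are constructed placeholders, not the article's; a section that is already encrypted in the Listing 2 form is reported rather than compared, since the clear-text values are needed.

```python
import re
import xml.etree.ElementTree as ET

HEX_RE = re.compile(r"^[0-9A-Fa-f]+$")
XMLENC_NS = "http://www.w3.org/2001/04/xmlenc#"


def sample_web_config(login_url, validation_key, decryption_key, validation="SHA1"):
    """Build a minimal web.config (constructed sample; the keys are placeholders)."""
    return f"""<configuration>
  <system.web>
    <authentication mode="Forms">
      <forms loginUrl="{login_url}" name=".ASPXAUTH" />
    </authentication>
    <machineKey validationKey="{validation_key}"
                decryptionKey="{decryption_key}"
                validation="{validation}" />
  </system.web>
</configuration>"""


def _child(elem, tag):
    """First direct child with the given tag (avoids XPath quirks with 'system.web')."""
    return None if elem is None else next((c for c in elem if c.tag == tag), None)


def read_auth_settings(xml_text):
    """Pull the <machineKey> and <forms> settings that must match between sites."""
    root = ET.fromstring(xml_text)
    system_web = _child(root, "system.web")
    mk = _child(system_web, "machineKey")
    if mk is None:
        raise ValueError("no <machineKey> under <system.web>")
    if mk.get("configProtectionProvider") or _child(mk, f"{{{XMLENC_NS}}}EncryptedData") is not None:
        # Encrypted section (Listing 2 form): decrypt it first, e.g. with
        # aspnet_regiis -pd, then compare the clear-text values.
        raise ValueError("machineKey is encrypted; decrypt before comparing")
    forms = _child(_child(system_web, "authentication"), "forms")
    # ASP.NET 2.0 defaults apply when an attribute is absent
    return {
        "validationKey": mk.get("validationKey", "AutoGenerate,IsolateApps"),
        "decryptionKey": mk.get("decryptionKey", "AutoGenerate,IsolateApps"),
        "validation": mk.get("validation", "SHA1"),
        "cookieName": forms.get("name", ".ASPXAUTH") if forms is not None else ".ASPXAUTH",
    }


def key_findings(settings, label):
    """Format checks a single site's keys must pass before sharing makes sense."""
    out = []
    for attr in ("validationKey", "decryptionKey"):
        value = settings[attr]
        if "AutoGenerate" in value or "IsolateApps" in value:
            out.append(f"{label}: {attr}={value} is generated per machine/application, "
                       "so tickets cannot be shared")
        elif not HEX_RE.match(value) or len(value) % 2:
            out.append(f"{label}: {attr} is not an even-length hex string")
        elif attr == "validationKey" and not 40 <= len(value) <= 128:
            out.append(f"{label}: validationKey must be 40-128 hex characters (20-64 bytes)")
        elif attr == "decryptionKey" and len(value) not in (32, 48, 64):
            # AES accepts 16, 24 or 32 bytes; 3DES (as in Listing 2) needs 24 bytes
            out.append(f"{label}: decryptionKey must be 32, 48 or 64 hex characters")
    return out


def compare_sites(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the two sites can share tickets."""
    a, b = read_auth_settings(cfg_a), read_auth_settings(cfg_b)
    findings = key_findings(a, "site A") + key_findings(b, "site B")
    for field in ("validationKey", "decryptionKey", "validation", "cookieName"):
        if a[field] != b[field]:
            findings.append(f"{field} differs between the sites")
    return findings


# Constructed sample configs (placeholder keys, not the article's values)
LOGIN = "http://localhost/aspalliance1/login.aspx"
SITE1 = sample_web_config(LOGIN, "ab" * 64, "cd" * 24)
SITE2 = sample_web_config(LOGIN, "ab" * 64, "cd" * 24)  # copied over, as the article does
SITE_AUTOGEN = sample_web_config(LOGIN, "AutoGenerate,IsolateApps", "AutoGenerate,IsolateApps")
SITE_OTHER_KEY = sample_web_config(LOGIN, "ab" * 64, "ef" * 24)

if __name__ == "__main__":
    for name, cfg in (("site2", SITE2), ("autogen", SITE_AUTOGEN), ("otherkey", SITE_OTHER_KEY)):
        print(name, compare_sites(SITE1, cfg) or "OK")
```

Run it against the two real web.config files (after decrypting them if they are in the Listing 2 form) before testing in the browser; a non-empty result explains a second login prompt faster than a packet capture does.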

Download

To test the site, log on with the user name Admin and the password 123456.

The attachment contains a VS 2005 solution with two sites, aspalliance1 and aspalliance2.

To install the sample, create two IIS virtual directories named aspalliance1 and aspalliance2 and point them at the corresponding folders. You can also open the sites in Visual Studio 2005.

Conclusion

Logging on to several sites separately is tedious for users, so it is much better if they only have to log on once. To achieve this you only need to add a <machineKey> section with the same values to each site's web.config. For security, I recommend encrypting that section, which is done with the ProtectSection() method of the SectionInformation class.

At the end of the article I attach a comment from the blog of Hall Xia Baoyu: a supplement to the article Understanding single sign-on in ASP.NET 2.0.

From: http://www.cnblogs.com/hl13571/archive/2008/01/28/1056671.html
