ASP.NET 2.0: Implementing Single Sign On (SSO) with Membership API

來源:互聯網
上載者:User
The membership API is awesome. No doubt about that. But I wish it had a more obvious in-built support for SSO. The only authenticate method takes in a username and password, there is no support for a token based system. Also, if you did add another method to verify against a ticketing authority - the membership API simply ignores it.

So the question is, How to do SSO using the Membership API - custom provider or otherwise.

Now ASP.NET has 3 kinds of authentication -

Passport - nobody uses it anymore, and that is SSO by definition anyway.
Windows - SSO is like a moot point here.
Forms - This is where the problem begins. So thats all I'm gonna discuss here.

Well, single sign on is almost always implemented using a central ticketing authority. The idea being similar to the concept of visiting a bar. You get a "token" stamped on the back of your hand as you walk into the bar, and then everywhere in the bar, you are recognized as "over 21".

Similarly, in a ticketing based SSO implementation, a central ticketing authority issues you a "ticket" at logon. Then you can integrate with any other system by passing the "ticket", rather than your authentication credentials. Then as long as the protected system can verify the "ticket" as being valid, you're in. Else, you're out.

Anyway, so the first thing you need to do is setup a ticket verification webservice. The idea being, anytime you successfully authenticate, you will be issued a ticket, which will ideally be a GUID, stored as cookie that expires when the user hits the CROSS button on his browser. Then you can circumvent the membership API's "Authenticate" method, by instead verifying the ticket - IF one is present.

So lets assume that the ticket is being passed as a querystring called "ssoToken". Obviously, if someone else sniffed your ticketID, then he could masquerade as you - so this approach requires some kind of encryption.

So in the Page_Load for your login.aspx page, write the following code -

protected void Page_Load(object sender, EventArgs e)

{

    string unescapedtokenID = Uri.UnescapeDataString(Request.QueryString["ReturnURL"]);

    string tokenID = ParseURL(unescapedtokenID);

 

 

    if (IsTokenValid(tokenID))

    {

        FormsAuthentication.SetAuthCookie(GetUserName(tokenID), false);

        Response.Redirect(unescapedtokenID);

    }

}

 

Basically "tokenID" is the token that was passed in as QueryString (or any other means), and IsTokenValid queries the ticketing web service to check the validity of the ticket. The ParseURL method is simply some magic to seperate out querystring peices out of the URL contained in the "ReturnURL" query string. If you're interested, the code for that looks like as below -

    private string ParseURL(string unescapedTokenID)

    {

        UriBuilder bldr = new UriBuilder("http://dummyurl" + unescapedTokenID);

        QueryStringParser coll = new QueryStringParser(bldr.Query);

        return coll["ssoToken"];

    }

 

The QueryStringParser class looks like this -

internal class QueryStringParser : System.Collections.Specialized.NameValueCollection

{

    internal QueryStringParser(string s)

    {

        if (s.Length != 0) s = s.Substring(1);

        int num1 = (s != null) ? s.Length : 0;

        for (int num2 = 0; num2 < num1; num2++)

        {

            int num3 = num2;

            int num4 = -1;

            while (num2 < num1)

            {

                char ch1 = s[num2];

                if (ch1 == '=')

                {

                    if (num4 < 0)

                    {

                        num4 = num2;

                    }

                }

                else if (ch1 == '&')

                {

                    break;

                }

                num2++;

            }

            string text1 = null;

            string text2 = null;

            if (num4 >= 0)

            {

                text1 = s.Substring(num3, num4 - num3);

                text2 = s.Substring(num4 + 1, (num2 - num4) - 1);

            }

            else

            {

                text2 = s.Substring(num3, num2 - num3);

            }

           

            base.Add(HttpUtility.UrlDecode(text1, Encoding.ASCII), HttpUtility.UrlDecode(text2, Encoding.ASCII));

 

            if ((num2 == (num1 - 1)) && (s[num2] == '&'))

            {

                base.Add(null, string.Empty);

            }

        }

    }

}

Thats it !! Put all these together, and you have at your hands SSO using Membership API.

相關文章

聯繫我們

該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.