Jin Ho

Reputation: 3665

A simple SSO across domain

Suppose I have 2 website: domain1.com and domain2.com

I implemented SSO as follows: once a user logs in successfully to domain1.com, I generate an iframe to log him in to domain2.com as well.

<iframe width=1 height=1 src="domain2.com/sso-login?username=abc&password=encripted_password" />

On domain2.com, I implement a method sso-login to handle this call; if the username and password are valid, I create an auth cookie and return it to the browser. Therefore, when he opens domain2.com in another tab, he is logged in automatically.

The same flow applies when a user logs in to domain2.com: I generate an iframe to log the user in to domain1.com.

I wonder if there are any security holes or disadvantages in this implementation. Is there something else I should do to make it more secure?

Upvotes: 1

Views: 783

Answers (2)

Darin Dimitrov

Reputation: 1038710

Don't send the username and the password. Only send the authentication token:

<iframe width=1 height=1 src="https://domain2.com/sso-login?token=<%= Request.Cookies[FormsAuthentication.FormsCookieName].Value %>" />

and then have both applications share the same machine keys, so that the remote domain can decrypt it and emit a Forms Authentication cookie for its own domain. Also make sure that you only send the token over HTTPS.

Upvotes: 2

Johni

Reputation: 2961

You will run into problems because many modern browsers don't allow cookies to be set in an iframe pointing to another domain.

Upvotes: 0
