user1365571

Reputation: 13

Custom STS for Web SSO

We have an Internet-facing Web Application running, and recently our company made some agreements with a 3rd-party company which owns another web site. The idea is to provide access to this external web site to our current customers. Our users will click on an internal link in our solution which will open a new browser window with the third-party site. The user will not need to authenticate again in the 3rd-party company site. We have agreed to issue SAML2 tokens for our users, with a set of claims used by the 3rd-party site to query and present a personalized view to our users.

Something important in our scenario is that users are already authenticated in our web site when they decide to access the 3rd-party web site.

What is the best way to implement all this? I am thinking of implementing a custom STS using the WIF SDK to generate those SAML2 tokens and pass them using HTTP POST (cookie) to the 3rd-party site. If this is the right approach, then any pointers, tips? Will ADFS make any difference?

Thanks for any help

Upvotes: 1

Views: 410
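The flow the question describes, as an added example that is not part of the original post: an IdP-initiated SAML 2.0 exchange over the HTTP-POST binding, written in plain Python (stdlib only) rather than WIF so that both sides can be run offline. The entity IDs, the ACS URL, the user and the claim values are constructed assumptions. The IdP side builds the Response (no InResponseTo, because there is no AuthnRequest to answer) and the auto-submitting form that carries it in the SAMLResponse field; the token travels in that POST body, not in a cookie. The SP side shows the checks the partner must make (Destination, Status, issuer, validity window, audience, bearer confirmation, replay) before trusting any claim. XML-DSig signing and verification are deliberately left out because they need a library such as xmlsec or signxml; without them every check below is forgeable, so treat them as mandatory in a real deployment.

```python
import base64
import html
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

SAMLP, SAML = "urn:oasis:names:tc:SAML:2.0:protocol", "urn:oasis:names:tc:SAML:2.0:assertion"
NS = {"samlp": SAMLP, "saml": SAML}
P, A = "{%s}" % SAMLP, "{%s}" % SAML  # Clark-notation prefixes used by ElementTree
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed values: these entity IDs and the ACS URL are assumptions, not real endpoints.
IDP_ENTITY_ID = "https://sso.example.com/idp"
SP_ENTITY_ID = "https://partner.example.net/sp"
SP_ACS_URL = "https://partner.example.net/saml/acs"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
LIFETIME = timedelta(minutes=5)
_seen_assertion_ids = set()  # SP-side replay cache; use a shared store in production

def _ts(t):
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")
def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
def _require(cond, msg):
    if not cond:
        raise ValueError(msg)

def build_response(name_id, claims, now=None):
    """IdP side: one unsolicited <samlp:Response> carrying a single bearer assertion."""
    now = now or datetime.now(timezone.utc)
    resp = ET.Element(P + "Response", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=_ts(now), Destination=SP_ACS_URL)
    # No InResponseTo attribute: an IdP-initiated response answers no AuthnRequest.
    ET.SubElement(resp, A + "Issuer").text = IDP_ENTITY_ID
    ET.SubElement(ET.SubElement(resp, P + "Status"), P + "StatusCode", Value=SUCCESS)
    a = ET.SubElement(resp, A + "Assertion", ID="_" + uuid.uuid4().hex, Version="2.0",
                      IssueInstant=_ts(now))
    ET.SubElement(a, A + "Issuer").text = IDP_ENTITY_ID
    subj = ET.SubElement(a, A + "Subject")
    ET.SubElement(subj, A + "NameID",
                  Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress").text = name_id
    sc = ET.SubElement(subj, A + "SubjectConfirmation", Method="urn:oasis:names:tc:SAML:2.0:cm:bearer")
    ET.SubElement(sc, A + "SubjectConfirmationData", Recipient=SP_ACS_URL,
                  NotOnOrAfter=_ts(now + LIFETIME))
    cond = ET.SubElement(a, A + "Conditions", NotBefore=_ts(now), NotOnOrAfter=_ts(now + LIFETIME))
    ET.SubElement(ET.SubElement(cond, A + "AudienceRestriction"), A + "Audience").text = SP_ENTITY_ID
    # AuthnStatement (AuthnInstant, AuthnContext) omitted for brevity; most SPs expect one.
    attrs = ET.SubElement(a, A + "AttributeStatement")
    for name, value in claims.items():
        ET.SubElement(ET.SubElement(attrs, A + "Attribute", Name=name), A + "AttributeValue").text = str(value)
    # Production: sign the assertion here (XML-DSig with the IdP's private key) before serialising.
    return ET.tostring(resp, encoding="unicode")

def post_form(response_xml, relay_state=None):
    """IdP side: HTTP-POST binding form fields plus the auto-submitting page the browser receives."""
    fields = {"SAMLResponse": base64.b64encode(response_xml.encode()).decode()}
    if relay_state:
        fields["RelayState"] = relay_state
    inputs = "".join(f'<input type="hidden" name="{k}" value="{html.escape(v)}"/>' for k, v in fields.items())
    page = f'<form method="post" action="{html.escape(SP_ACS_URL)}">{inputs}</form><script>document.forms[0].submit();</script>'
    return fields, page

def validate_response(fields, now=None):
    """SP side: checks the partner's ACS must make. XML signature NOT verified here; without it all of this is forgeable."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(fields["SAMLResponse"]))  # untrusted XML: use defusedxml in production
    _require(root.tag == P + "Response" and root.get("Destination") == SP_ACS_URL, "not a Response for this ACS")
    _require(root.find("samlp:Status/samlp:StatusCode", NS).get("Value") == SUCCESS, "status not Success")
    (a,) = root.findall("saml:Assertion", NS)  # exactly one assertion, else ValueError (wrapping defence)
    _require(a.findtext("saml:Issuer", namespaces=NS) == IDP_ENTITY_ID, "unexpected issuer")
    cond = a.find("saml:Conditions", NS)
    _require(_parse_ts(cond.get("NotBefore")) <= now < _parse_ts(cond.get("NotOnOrAfter")),
             "assertion outside its validity window")
    _require(cond.findtext("saml:AudienceRestriction/saml:Audience", namespaces=NS) == SP_ENTITY_ID,
             "audience mismatch")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    _require(scd.get("Recipient") == SP_ACS_URL and now < _parse_ts(scd.get("NotOnOrAfter")),
             "bearer confirmation does not match this ACS")
    _require(a.get("ID") not in _seen_assertion_ids, "replayed assertion")
    _seen_assertion_ids.add(a.get("ID"))
    claims = {at.get("Name"): at.findtext("saml:AttributeValue", namespaces=NS)
              for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return a.findtext("saml:Subject/saml:NameID", namespaces=NS), claims

def demo():
    """Round trip on constructed input, then the two rejections an SP must get right."""
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    fields, _page = post_form(build_response("alice@example.com", {"tier": "gold"}, now), "/portal")
    name_id, claims = validate_response(fields, now=now + timedelta(seconds=30))
    errors = []
    for when in (now + timedelta(seconds=31), now + LIFETIME):  # same POST replayed, then expired
        try:
            validate_response(fields, now=when)
        except ValueError as e:
            errors.append(str(e))
    return name_id, claims, errors
```

demo() performs one accepted round trip and then re-posts the same form twice: the first re-post is refused as a replay, the second (at NotOnOrAfter) as expired, which is why the SP keeps the assertion ID cache and why the validity window should be short. The order of checks in validate_response matters too: the window and audience are rejected before the replay cache is consulted, so expired tokens never populate it.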

Answers (2)

rbrayb

Reputation: 46773

If your application is ASP.NET, then connect your application to ADFS.

So to get to your application, the user has to log in.

Then for the link to the 3rd-party application use the IdP-initiated scenario (IdpInitiatedSignOnPage Class Overview). This sends a SAML2 token to the 3rd-party application. ADFS will handle SSO for you.

To do this, you will have to configure the 3rd-party application as a SAML one rather than a WS-Fed one.

Upvotes: 0

Gregg Browinski

Reputation: 546

Sounds like you'll be playing the role of Identity Provider, responsible for handling the "manual" authentication of the user and generating SAML responses to give the user SSO to the 3rd-party website.

Implementing your own IdP is not trivial (there are a handful of specifications to understand), so unless you have your heart set on this as a development project, you may want to consider a COTS product like Microsoft ADFS, PortalGuard (for whom I work) or Ping Identity.

Since you asked about ADFS specifically, it has native support for Active Directory as the user repository and has some interesting features with its claims transformation engine (if you get into a complex SP-IdP chaining scenario). Besides SAML it also supports WS-Federation which is important for integration with the other offerings in the Microsoft stack.

Upvotes: 1
