n4cer500

Reputation: 771

Single sign on to remote Forms Authenticated site

We have an external facing Forms authenticated site.

A new client has requested that they don't want their users to have to maintain (remember) and enter credentials to our site, and that they should just be able to log-on seamlessly using their Windows network credentials.

Last time I checked, this was just not possible, but I wondered if anyone had had a similar requirement and how they achieved it.

Should we be investigating using a SSO provider?

Upvotes: 0

Views: 340

Answers (2)

Wiktor Zychla

Reputation: 48230

Sounds like your client should deploy ADFS 2.0 in their infrastructure. ADFS is an identity provider that exposes Active Directory identities for federated applications.

Then, in your application, you just implement WS-Federation authentication with the remote ADFS. Technically, you have two different flows then:

  • some of your users log in with their usernames/passwords
  • other users click a button on the login page, "log in with remote ADFS", that initiates the remote authentication: it redirects to the remote ADFS, where users provide username/password, and then a SAML token carrying claims comes back to your application. Claims can describe the username, their email, user id, roles (groups) or any other Active Directory attributes

Since ADFS 2.0 is a freely downloadable component for Windows Server, you should have no major issues in deploying it.

This free ebook should be handy

http://msdn.microsoft.com/en-us/library/ff423674.aspx

Upvotes: 0

Ian

Reputation: 4255

The right way to accomplish this is to adopt SAML 2.0 to handle the exchange of the user identity info between your application and your customer's Windows network creds (stored in Active Directory). Adopting SAML as an authentication option gives you the most security/flexibility and allows your customers to implement whatever type of authentication they want on their end. SAML ends up being the standards-based method in which you can securely exchange identity info with your customers.

At a VERY high level, your customer would implement a SAML 2.0 Identity Provider that allows them to leverage their existing Windows credentials (there are lots of 3rd-party apps that would allow them to easily do this; check out pingone.com as one example [Note: I work for Ping Identity]). Once the user is securely authenticated, a digitally signed SAML Response is generated by the IdP (that contains the user's identity) and sent via the browser to your application. Your application would validate the Response and then either grant the user access to your application or not.

Some pointers to help you understand the flow better -

Ping Identity also has a service that will allow you to quickly implement the SAML 2.0 Service Provider requirements via a simple RESTful API (https://www.pingone.com/#developer).

HTH - Ian

Upvotes: 1
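Both answers describe the same browser flow from the application's side: redirect the user to the customer's IdP (ADFS or any SAML 2.0 IdP), get a signed token back, validate it, then map its claims onto a local session. The block below is an added example, not code from the question, either answer, ADFS or Ping Identity, of the Service Provider half of that flow in plain Python: building the AuthnRequest for the HTTP-Redirect binding and applying the checks an SP must make on the returned Response before trusting it (Destination, Status, InResponseTo, Issuer, validity window, Audience, SubjectConfirmationData, replay). All entity IDs and URLs are hypothetical, `make_idp_response()` is a constructed stand-in for what the IdP would POST, and XML-signature verification is deliberately left to an XML-DSig library (e.g. xmlsec) that must run before `consume_response()` is called.

```python
"""Service-provider side of the SAML 2.0 browser SSO flow described above. Constructed example
with made-up entity IDs and URLs; not code from the original post, ADFS or Ping Identity.
XML-signature verification is NOT implemented here: verify the assertion's signature with an
XML-DSig library (e.g. xmlsec) before the Response reaches consume_response()."""
import base64
import uuid
import zlib
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, urlencode, urlparse

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
SP_ENTITY_ID = "https://app.example.com/saml/metadata"          # hypothetical SP and IdP endpoints
SP_ACS_URL = "https://app.example.com/saml/acs"                  # (assumptions for this example)
IDP_ENTITY_ID = "http://idp.customer.example/adfs/services/trust"
IDP_SSO_URL = "https://idp.customer.example/adfs/ls/"
CLOCK_SKEW = timedelta(seconds=60)                                # tolerated IdP/SP clock drift


def ts(dt): return dt.strftime("%Y-%m-%dT%H:%M:%SZ")              # SAML dateTime in UTC
def parse_ts(s): return datetime.fromisoformat(s.replace("Z", "+00:00"))


class SamlError(Exception):
    pass


class ServiceProvider:
    def __init__(self, clock=lambda: datetime.now(timezone.utc)):
        self.clock = clock            # injectable so tests can pin "now"
        self.pending = set()          # AuthnRequest IDs we issued and still await
        self.seen_assertions = set()  # assertion IDs already accepted (replay cache)

    def build_redirect(self, relay_state="/"):
        """Return (request_id, URL) for the HTTP-Redirect binding: raw DEFLATE, base64, URL-encode."""
        req_id = "_" + uuid.uuid4().hex
        xml = (f'<samlp:AuthnRequest xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
               f'ID="{req_id}" Version="2.0" IssueInstant="{ts(self.clock())}" Destination="{IDP_SSO_URL}" '
               f'AssertionConsumerServiceURL="{SP_ACS_URL}" '
               f'ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">'
               f'<saml:Issuer>{SP_ENTITY_ID}</saml:Issuer></samlp:AuthnRequest>')
        comp = zlib.compressobj(wbits=-15)  # wbits=-15: raw DEFLATE without the zlib header/trailer
        packed = base64.b64encode(comp.compress(xml.encode()) + comp.flush()).decode()
        self.pending.add(req_id)
        return req_id, IDP_SSO_URL + "?" + urlencode({"SAMLRequest": packed, "RelayState": relay_state})

    def consume_response(self, response_xml):
        """Validate a signature-verified samlp:Response and return the identity it carries."""
        now = self.clock()
        root = ET.fromstring(response_xml)
        if root.tag != f'{{{NS["samlp"]}}}Response' or root.get("Destination") != SP_ACS_URL:
            raise SamlError("not a Response addressed to our ACS URL")
        code = root.find("samlp:Status/samlp:StatusCode", NS)
        if code is None or code.get("Value") != SUCCESS:
            raise SamlError("IdP reported failure")
        req_id = root.get("InResponseTo")
        if req_id not in self.pending:  # refuses unsolicited (IdP-initiated) logins and reuse
            raise SamlError("InResponseTo unknown or already consumed")
        self.pending.remove(req_id)
        assertions = root.findall("saml:Assertion", NS)
        if len(assertions) != 1 or assertions[0].findtext("saml:Issuer", "", NS) != IDP_ENTITY_ID:
            raise SamlError("expected exactly one Assertion from the trusted IdP")
        a = assertions[0]
        cond = a.find("saml:Conditions", NS)
        if cond is None or not (parse_ts(cond.get("NotBefore")) - CLOCK_SKEW <= now
                                < parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW):
            raise SamlError("Assertion outside its validity window")
        if SP_ENTITY_ID not in [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
            raise SamlError("Assertion not addressed to this SP")
        scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
        if scd is None or scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != req_id:
            raise SamlError("SubjectConfirmationData does not match this SP/request")
        if a.get("ID") in self.seen_assertions:
            raise SamlError("Assertion replayed")
        self.seen_assertions.add(a.get("ID"))
        attrs = {at.get("Name"): [v.text for v in at.findall("saml:AttributeValue", NS)]
                 for at in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
        return {"name_id": a.findtext("saml:Subject/saml:NameID", None, NS), "attributes": attrs}


def decode_redirect(url):
    """Undo the HTTP-Redirect binding as the IdP would; returns (AuthnRequest XML, RelayState)."""
    q = parse_qs(urlparse(url).query)
    return zlib.decompress(base64.b64decode(q["SAMLRequest"][0]), -15).decode(), q["RelayState"][0]


def make_idp_response(in_response_to, now, name_id="jdoe@customer.example", groups=("Finance",)):
    """Constructed stand-in for the (unsigned) Response an IdP would POST back to the ACS."""
    exp = ts(now + timedelta(minutes=5))
    values = "".join(f"<saml:AttributeValue>{g}</saml:AttributeValue>" for g in groups)
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" ID="_r{uuid.uuid4().hex}" '
            f'Version="2.0" IssueInstant="{ts(now)}" Destination="{SP_ACS_URL}" InResponseTo="{in_response_to}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>'
            f'<saml:Assertion ID="_a{uuid.uuid4().hex}" Version="2.0" IssueInstant="{ts(now)}">'
            f'<saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer><saml:Subject><saml:NameID>{name_id}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData '
            f'Recipient="{SP_ACS_URL}" InResponseTo="{in_response_to}" NotOnOrAfter="{exp}"/></saml:SubjectConfirmation>'
            f'</saml:Subject><saml:Conditions NotBefore="{ts(now - timedelta(minutes=1))}" NotOnOrAfter="{exp}">'
            f'<saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>'
            f'</saml:Conditions><saml:AttributeStatement><saml:Attribute Name="http://schemas.xmlsoap.org/claims/Group">'
            f'{values}</saml:Attribute></saml:AttributeStatement></saml:Assertion></samlp:Response>')
```

Two design choices are worth noting. The SP refuses any Response whose InResponseTo it did not issue, which disables IdP-initiated login; that is the safer default for a site that also keeps a local username/password flow, and can be relaxed later if the customer needs it. The group claim is returned as a list of values rather than being mapped straight to roles, so the application decides which IdP-asserted groups it honours instead of trusting every claim the customer's directory happens to send.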
