CODEWITHSUNDEEP
.netasp.net
Samuel Jack
Samuel Jack

Reputation: 33280

Enabling single sign-on between Desktop Application and Website

We have a client/server application with a rich client front end (in .Net) and also an administration portal (Asp.Net). Currently users have to sign on in both the rich client and on the website. We'd like to enable them to sign into the rich client, but not have to sign on to the website if they launch it from within the client. How can we do that?

Going the other way is less important, but would be nice if possible: signing on to the website, then not having to sign into the rich client.

Upvotes: 2

Views: 2766

Answers (5)

Muxa
Muxa

Reputation: 5643

A possible solution is:

  • sign-in to the rich client
  • a random token is generated by the server and stored againsed the signed-in user
  • rich client gets that token from the server
  • that token is used in the url pointing to the website
  • going to that url (using a link or a button from the rich client) will auto-login the user and reset the token

Upvotes: 6

andyuk
andyuk

Reputation: 39138

How about OAuth?

An open protocol to allow secure API authorization in a simple and standard method from desktop and web applications.

Upvotes: 2

Andreas Petersson
Andreas Petersson

Reputation: 16518

simple token solutions suffer from a design flaw: you will have some sort of secret that can be reverse-engineered if wanted. this can be avoided entirely if dome correct.

i would propose a challenge-response algorithm.

*) user loggs in to rich client with pw

*) from salt+password a sha256 or similar hash is calculated. (Hash A)

*) user klicks "go to website" link.

*) a http response is started (such as as a webservice), user fetches "get ticket number" for user account. this ticket will be valid for a short time (some minutes)

*) client calculates hash(HashA+ticket) HashB

*) finally - browser is pointed to www.example.org/?username=donkey&key=99754106633f94d350db34d548d6091a

*) server checks if his calculated hash is the same as the one submitted.

advantages of this method:

-server never knows password, only salted hash.

-even the hash is never transmitted through the wire -> no replay attacks.

Upvotes: 2

Luke
Luke

Reputation: 1926

Make sure there is a timeout on the token, say 2-5 minutes, to ensure it is authentic.

Upvotes: 1

Paul van Brenk
Paul van Brenk

Reputation: 7559

You could add a token, to identify them, to the URL which opens the site.

You'll have to add some security to the token: TTL, a hash, a salt

Upvotes: 0

Related Questions