single sign on across many domain without cookies
https://stackoverflow.com/questions/5013716
-
14-11-2019 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
im using visual studio 2008.
my requirement is to implement single sign on across many domains without using cookies. is this possible?
for example, i have 3 domains (hosted in 3 different systems). www.domain1.com www.domain2.com www.domain3.com
and cookies are disabled.
i implemented single sign on with cookies, if the sites are hosted in single system then it is working. but it doesnt work if cookies are disabled.
i tried all made all possible google searches, but couldnt find anything useful. please help ?
Solution
I believe Microsoft have a trick to their single sign in that might work for this. I am assuming rather than cookies you would set a session variable so the theory is (from memory) something like:
1 - You designate one domain as the point of authentication i.e. no matter where you sign in you make sure www.domain1.com has a session variable set to say that the user has been authenticated (I guess ideally you could just put the sign in page on this domain, but if not you could work around this by using http requests to setup initial sign in auth on domain1).
2 - Then the trick is to have a common header in all you other domain (1,2,3,4) pages that first does a check to see whether a session variable is set on the respective domain and if not does a redirect to domain1, determines if the user is logged in - if so get the login details - redirect back to the domain you came from (passing the login details) and then setting up the login variable once you arrive back on the domain you started from.
We have a cross-domain authentication on a system that I work with - it is done with cookies and is a nightmare to work with - we looked at possible options for re-designing this and this is from memory the solution that seemed to be most common - mind you it was still cookie based I think but it should work with sessions too.
OTHER TIPS
You ought to look at Windows Identity Foundation and Active Directory Federation Services in this era. It is based on the Identity Metasystem and Claims-based Identity model; making these types of identity/authentication and SSO scenarios easier.
A Guide to Claims–based Identity and Access Control
In your case, all three of your sites will "outsource" authentication services to a trusted Security Token Service (STS). This STS can be ADFS if you are expose AD domain identities to the Internet, otherwise a custom WIF implementation. Your web sites redirect unauthenticated visitors to your STS, which hands them security tokens (usually in the form of SAML) which the web sites can accept as identity claims.
