How can I implement single sign on across domains? I have two or more domains and I want all of them to authenticate through one server using SqlMembershipProvider (ASP.NET 2.0 membership database) I have domain foo.com which hosts the asp.net membership database and another domain bar.com which wants to authenticate through foo.com. I found a lot of article over the internet for different application but in the same domain but different domains i didn’t found a full article describes the cycle, I saw some using FormsAuthenticationTicket class or FormsAuthentication class. I know machineKey in web.config should be the same. I thought it’s easy by letting foo.com once he is authenticated just duplicate the authentication cookie and change the cookie’s domain from foo.com to bar.com but i figured out that i can’t control others domain cookies! So is there any way to make it works?
Thank you and regards, Ahmed
It’s not an easy question, but I can give you a few hints.
In order to work with the ASP.NET web.config settings that allow anonymous access or require a user to be signed in, you need to create a module that hooks HttpApplication.EndRequest, and checks for HTTP error 401 (this means authentication is needed).
Reset the error code and redirect to your single sign-on site. Here you can sign on as usual.
The hardest part now starts: you need to transmit the user credentials over the wire to the other server in a secure way. You can do this with symmetric encryption and a shared secret, or by exchanging a secret over asymmetric encryption.
The HttpModule on the other side now picks up the redirect back from the login site, checks that the login ticket is valid, and replaces HttpContext.User (be sure to encapsulate the existing user, if there is one, so you can route the IsInRole call to that IPrincipal).