I would like to implement a lightweight registration less system for my asp.net page and need some direction to go
Basically I am currently at the point where I need session elements based on the user’s username. But, since authentification is done using an other system, I would simply like to create session per username based on the success or failure of that other authentification system.
So, if authentification is succesfull using the information entered in the login page, simply create a new user in the system or something using the username provided (without, if possible, saving the password used).
I got a vanilla login page at the moment and would like some direction as to how to proceed while using as much of the vanilla infrastructure as possible.
Thanks you all 🙂
What your talking about is claims-based authentication. You trust a third-party service to have authenticated the user and trust that the information that the service tells you about that user is correct.
See what options you have for the service to pass you those details. You can use full-on SAML-based claims and Windows Identity Foundation may take on pretty much all of the work for you. If the third-party application is acting as a proxy, you could have it inject a HTTP header with the user name in. Or you could have a form, but someone or something is going to have to enter the data and post that form (you can do it automatically from Javascript when the site is launched).
If you want to use a form, it could be a modified Forms-based logon screen that doesn’t check the password, just creates the Forms Authentication cookie.
If you want to use a more ‘bespoke’ scheme, you could create a custom security principal implementing IPrincipal, you can transparently inject this into your application and have it behave just like it would if you were doing ‘proper’ authentication.
Either way, don’t try to mess with the way that ASP.NET security operates, just concentrate on the best way to get the information to ASP.NET via the security principal.