We have an existing ASP.NET application (WebForms) that uses home-grown authentication. We’ve been tasked with implementing a single sign-on solution and have chosen to use WIF.
We have a single instance of the application running and we identify the client by using a subdomain (e.g. client1.ourapp.com, client2.ourapp.com, etc). In the application code we strip off the first subdomain and that identifies the client.
We’ve been working with a WIF proof-of-concept to figure out how to get the user redirected back to the correct subdomain once they’ve authenticated. The out-of-the-box behavior seems to be that the STS redirects the user to whatever realm is identified in the config file. The following is the PoC config file. I’m using my hosts file to fake different clients (i.e. 127.0.0.1 client1.ourapp.com, 127.0.0.1 client2.ourapp.com).
```xml
<federatedAuthentication>
  <wsFederation
    passiveRedirectEnabled="true"
    issuer="http://ourapp.com/SSOPOCSite_STS/"
    realm="http://client1.ourapp.com"
    requireHttps="false" />
</federatedAuthentication>
```
Obviously this isn’t going to work because we can’t redirect everyone to the same subdomain.
We think we’ve figured out how to handle this but would like some outside opinions on whether we’re doing it the right way or whether we just got lucky.
We created an event handler for the FAM’s RedirectingToIdentityProvider event. In it we get the company name from the request URL, build a realm string using the company name, set the Realm and HomeRealm of the SignInRequestMessage, then let the FAM do its thing (i.e. redirect us to the STS for authentication).
```csharp
using System;
using System.Web;
using Microsoft.IdentityModel.Web;

// Global.asax handler: ASP.NET wires this by name to the RedirectingToIdentityProvider
// event of the module registered as "WSFederationAuthenticationModule".
protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider( object sender, RedirectingToIdentityProviderEventArgs e )
{
    // this method parses the HTTP_HOST and gets the first subdomain
    var companyName = GetCompanyName();
    var realm = GetRealm( companyName );
    e.SignInRequestMessage.Realm = realm;
    e.SignInRequestMessage.HomeRealm = companyName;
}

// First label of the Host header, e.g. "client1" for client1.ourapp.com:8080
string GetCompanyName()
{
    var host = HttpContext.Current.Request.ServerVariables["HTTP_HOST"];
    return host.Split( ':' )[0].Split( '.' )[0];
}

string GetRealm( string companyName )
{
    return String.Format( "http://{0}.ourapp.com/SSOPOCSite/", companyName );
}
```
Does this seem like a reasonable solution to the problem?
Are there any problems we might experience as a result?
Is there a better approach?
Your solution sounds good (explicitly passing along the information you need); the only other solution that comes to mind is using Request.UrlReferrer to determine which subdomain the user came from.
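The piece neither the question nor the answer shows is the check that makes the per-tenant realm safe: wtrealm is derived from the Host header, so the RP should only build a realm from a host it actually recognises, and the STS must refuse to issue a token to any wtrealm/wreply outside the known tenant pattern, otherwise anyone who can reach the STS can have a signed token posted to a site of their choosing. The following is an added example (not code from the question or the answer); TenantRealm, OurAppSts, the ".ourapp.com" suffix and the "/SSOPOCSite/" path are assumptions taken from the post, and the types are the Microsoft.IdentityModel (WIF 3.5) ones.

```csharp
// Added example: validated tenant realm on the RP plus a matching allow-list on the STS.
// TenantRealm and OurAppSts are hypothetical names; the suffix/path come from the question.
using System;
using System.Text.RegularExpressions;
using System.Web;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;
using Microsoft.IdentityModel.Web;

public static class TenantRealm
{
    private const string Suffix = ".ourapp.com";
    private const string AppPath = "/SSOPOCSite/";
    // One DNS label: letters, digits and hyphens, no leading or trailing hyphen.
    private static readonly Regex Label =
        new Regex("^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", RegexOptions.IgnoreCase);

    // Returns "client1" for client1.ourapp.com (any port); returns null for a bare
    // ourapp.com, a nested label such as a.client1.ourapp.com, or a spoofed Host header.
    public static string GetCompanyName(Uri url)
    {
        string host = url.Host;   // System.Uri has already stripped the port
        if (!host.EndsWith(Suffix, StringComparison.OrdinalIgnoreCase)) return null;
        string tenant = host.Substring(0, host.Length - Suffix.Length);
        return Label.IsMatch(tenant) ? tenant.ToLowerInvariant() : null;
    }

    public static string GetRealm(string companyName)
    {
        // Assumption: http only because the PoC sets requireHttps="false"; use https in production.
        return string.Format("http://{0}{1}{2}", companyName, Suffix, AppPath);
    }

    // The same policy seen from the STS: only absolute URLs under <tenant>.ourapp.com/SSOPOCSite/.
    public static bool IsAllowedRealm(Uri realm)
    {
        return realm != null
            && realm.IsAbsoluteUri
            && GetCompanyName(realm) != null
            && realm.AbsolutePath.StartsWith(AppPath, StringComparison.OrdinalIgnoreCase);
    }
}

// RP side (Global.asax): refuse to start sign-in for a host we do not serve.
public class Global : HttpApplication
{
    protected void WSFederationAuthenticationModule_RedirectingToIdentityProvider(
        object sender, RedirectingToIdentityProviderEventArgs e)
    {
        string companyName = TenantRealm.GetCompanyName(Request.Url);
        if (companyName == null)
        {
            e.Cancel = true;            // RedirectingToIdentityProviderEventArgs derives from CancelEventArgs
            Response.StatusCode = 404;  // unknown tenant: no redirect with a made-up realm
            Response.End();
            return;
        }
        e.SignInRequestMessage.Realm = TenantRealm.GetRealm(companyName);
        e.SignInRequestMessage.HomeRealm = companyName;  // whr: lets the STS pick the tenant's IdP
    }
}

// STS side: GetScope is where WIF asks "may I issue for this wtrealm/wreply?"
public class OurAppSts : SecurityTokenService
{
    public OurAppSts(SecurityTokenServiceConfiguration config) : base(config) { }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        Uri realm = request.AppliesTo != null ? request.AppliesTo.Uri : null;
        if (!TenantRealm.IsAllowedRealm(realm))
            throw new InvalidRequestException("wtrealm is not a registered ourapp.com tenant: " + realm);

        // wreply (if any) must be a URL of the same validated tenant, else post the token to the realm itself.
        Uri reply;
        bool replyOk = Uri.TryCreate(request.ReplyTo, UriKind.Absolute, out reply)
            && TenantRealm.IsAllowedRealm(reply)
            && string.Equals(reply.Host, realm.Host, StringComparison.OrdinalIgnoreCase);

        Scope scope = new Scope(realm.AbsoluteUri, SecurityTokenServiceConfiguration.SigningCredentials);
        scope.ReplyToAddress = replyOk ? reply.AbsoluteUri : realm.AbsoluteUri;
        scope.TokenEncryptionRequired = false;   // PoC only; set an EncryptingCredentials per RP in production
        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        ClaimsIdentity identity = new ClaimsIdentity();
        identity.Claims.Add(new Claim(ClaimTypes.Name, principal.Identity.Name));
        return identity;
    }
}
```

The two halves enforce one rule from both ends: the RP never asks for a realm it did not derive from a recognised host, and the STS never honours a realm or reply it would not have produced for a recognised host, so a tampered wtrealm or wreply in the sign-in URL fails closed at the STS rather than leaking a token.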