Our application is built in VB6 and delivered in a SaaS model via Citrix.

Our subscribers must first authenticate to the Citrix Login Portal (AD) which gives them access to their applications. Each application has its own local user repository so except for where we've implemented some single sign on strategies, the user must enter a second layer of credentials.

Now, consider that we intend to replace the Citrix Portal with a Sharepoint Service Portal that will allow us to publish .net content while maintaining a Citrix Web for the legacy applications.

We are developing a Silverlight Application (using RIA Services) that will connect to a SQL Database (where user login and security permissions are contained). We first stubbed out the application using Forms Authentication; however, that led to a debate regarding our intended deployment model.

To utilize this application, you must have first authenticated into the Sharepoint site using your windows credentials, so this leads to the argument that the application must be configured for Windows authentication. If you try to deep link into the application without authenticating to the portal, you must be redirected to the portal login page.

What is the best approach for implementing the second layer of authentication into the application? Is there a means to keep using forms based but prevent access to the application if the user didn't first authenticate to the portal?

A: 

Maybe you should rely exclusively on forms authentication and drop windows authentication. This can be better for maintaining your customer information without creating a new windows account every time, nor dealing with lost passwords, expired accounts, etc.

So, new users will be redirected to the forms login page and, once logged in, redirected to your silverlight application, which will use the same authenticated user context, and therefore will be able to interact with your database.

Bottom line: WSS using forms auth over an ASP.NET membership provider would be my personal choice based on your scenario.

Rubens Farias
This is just one application module hosted within a suite of applications and services that our subscribers pay for. While dropping AD would save us money long term, we still need to maintain a central login store for other products that might be upgraded in the years to come (i.e. the Citrix applications), and we still need a mechanism for controlling our user subscriptions globally across all the modules in the suite.
kmacmahon
Forms authentication doesn't mean it needs to be through a `<form>` AND a membership provider; you can ask for user credentials and validate them against your Active Directory.
Rubens Farias
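An added example (not from the question or the comments above) of what the last comment's suggestion looks like in an ASP.NET web.config: forms authentication whose membership provider validates credentials against Active Directory, with anonymous users denied so that a deep link into the application is redirected to the login page. The LDAP path, server, service account and login page name are placeholders.

```xml
<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <!-- Placeholder domain; point at your own domain controller / search base. -->
    <add name="AdConnection"
         connectionString="LDAP://dc1.corp.example.com/DC=corp,DC=example,DC=com" />
  </connectionStrings>
  <system.web>
    <!-- Forms auth: unauthenticated requests are redirected to loginUrl. -->
    <authentication mode="Forms">
      <forms loginUrl="~/Login.aspx"
             requireSSL="true"
             slidingExpiration="false"
             timeout="30" />
    </authentication>
    <!-- Deny anonymous ("?") everywhere; a deep link without a ticket hits loginUrl. -->
    <authorization>
      <deny users="?" />
    </authorization>
    <!-- Credentials entered on Login.aspx are checked against AD, not a local table. -->
    <membership defaultProvider="AdMembership">
      <providers>
        <clear />
        <add name="AdMembership"
             type="System.Web.Security.ActiveDirectoryMembershipProvider"
             connectionStringName="AdConnection"
             connectionProtection="Secure"
             connectionUsername="CORP\svc-portal-bind"
             connectionPassword="PLACEHOLDER-protect-with-aspnet_regiis"
             attributeMapUsername="sAMAccountName"
             enableSearchMethods="false" />
      </providers>
    </membership>
    <!-- Keep the forms ticket cookie off script and off plain HTTP. -->
    <httpCookies httpOnlyCookies="true" requireSSL="true" />
  </system.web>
  <!-- Only the login page itself may be reached anonymously. -->
  <location path="Login.aspx">
    <system.web>
      <authorization>
        <allow users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
```

The bind account's password should not sit in clear text; encrypt the section with `aspnet_regiis -pe "system.web/membership"` (and the connection strings likewise) on the web server.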