views: 1159

answers: 3

I'm working on a site which is at the core/master of a number of sites. We are also responsible for handling the authentication across all the sites under the brand banner.

The client has wanted a single-sign-on operation to be included, so if I was to sign into any of the sites I would be signed into all the sites. We're handling the child site sign-ins by redirecting to the main site (ours) and executing the login.

It was decided that the SSO would operate via embedding image tags into the page and then calling a page on each child site. This would open a client session to their site so they can set cookies/do what they want to handle a login.

This works for the most part; it's been tested on IE7, FF 2 & 3 and they all work. The problem browser at the moment is Safari (and Chrome). Although the images do appear to load, the client session doesn't seem to be opened: we get no cookies from the child sites set. The problem seems to be WebKit-based browsers, with Safari and Chrome being the problem (I'd presume that Konqueror may suffer the same fate, but at the moment I don't have a Linux install at my disposal).

Does anyone know a way to have Safari recognise an embedded image tag to an external host as opening a client context? Or can someone provide a better way to do SSO from ASP.NET to site(s) which are not ASP.NET?

Note: yes, I am aware there are problems in the SSO concept we've done thus far in regards to having images disabled. The solution proposed wasn't mine, I'm just stuck with it.

+1  A: 

It looks like Safari (on my OS X, at least - which should be default settings) and, I assume Chrome, don't allow 3rd party cookies by default.

Safari->Preferences->Security->Accept Cookies:

o Always
o Never
+ Only From Sites You Navigate To

There's some AJAX hackery to get your document domain to set the cookie, but I don't think that'll really solve your problem here. I think Safari even forbids iframes from setting a 3rd party cookie, unless perhaps you set document.domain (though, if you shared a common domain, you could probably just set the cookie domain and be done with it all).

Short of window.open, or a series of redirects, I can't really think of much you can do to get around the 3rd party cookie problem - so I'd probably scrap the embedded image trick and start from scratch.

Mark Brackett
Sweet, changing the preferences did work. Now we just need some way to inform site users of this
Slace
+1  A: 

Most of the SSO stuff that I have worked with uses a centralized authentication server (CAS) and operates with tickets passed via query parameters and cookies.

The basic idea is that if your site doesn't detect a ticket, it redirects to your CAS web site. The web site performs the authentication, sets an authentication cookie, and redirects back to your site with a unique, one-time-use ticket (as query parameter). When redirected, your site detects the ticket and does a callback to the CAS server to redeem the ticket using an out-of-band web request. This request returns the id of the user who has logged in. You use this to set the authenticated user in your application.

The CAS server keeps track of which applications are allowed SSO with each other. When an authentication request comes in from a site in the SSO pool and the authentication ticket corresponds to another site in the pool, the CAS server responds with a ticket without forcing reauthentication. This way your sites can just link to one another without any special "magic", just depending on the fact that the CAS cookie will make it so the user can bypass reauthentication between related sites.

tvanfosson
Using a CAS would be a nice idea; something like OpenID or LiveID would in hindsight have been a much better idea, but we're down this road now and we're stuck with the choices made
Slace
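The ticket flow described in this answer, as an added example (not code from the answer or from any real CAS implementation): a simulated CAS server that issues a one-time, service-bound, time-limited ticket after the redirect, and a child site that redeems it out-of-band before trusting the user id. Site names, the credential store and `TICKET_TTL` are constructed assumptions.

```python
import secrets
import time

TICKET_TTL = 30  # seconds a service ticket stays redeemable (assumed value)


class CasServer:
    """Simulated central authentication server (constructed example, not real CAS)."""

    def __init__(self, sso_pool, users):
        self.pool = set(sso_pool)  # sites allowed to SSO with each other
        self.users = users         # constructed credential store: user -> password
        self.sessions = {}         # CAS cookie value -> user id
        self.tickets = {}          # one-time ticket -> (service, user, expires_at)

    def authenticate(self, service, cas_cookie=None, user=None, password=None):
        """Handle the browser redirect from a site; return (cas_cookie, ticket)."""
        if service not in self.pool:
            raise PermissionError("service is not in the SSO pool")
        if cas_cookie in self.sessions:
            user = self.sessions[cas_cookie]  # valid CAS cookie: skip the login form
        else:
            if user is None or self.users.get(user) != password:
                raise PermissionError("bad credentials")
            cas_cookie = secrets.token_urlsafe(32)
            self.sessions[cas_cookie] = user
        ticket = "ST-" + secrets.token_urlsafe(24)
        self.tickets[ticket] = (service, user, time.time() + TICKET_TTL)
        return cas_cookie, ticket

    def validate(self, service, ticket):
        """Out-of-band redemption: returns the user id or None.
        pop() makes the ticket single-use even if the checks below fail."""
        entry = self.tickets.pop(ticket, None)
        if entry is None:
            return None
        bound_service, user, expires_at = entry
        if bound_service != service or time.time() > expires_at:
            return None
        return user


def site_login(cas, service, cas_cookie=None, user=None, password=None):
    """What a child site does: redirect to CAS, receive the ticket as a query
    parameter, then redeem it server-to-server before trusting the user id."""
    cookie, ticket = cas.authenticate(service, cas_cookie, user, password)
    uid = cas.validate(service, ticket)
    return cookie, ticket, uid
```

Redeeming the ticket from the site's server rather than trusting the query string is what stops a forged or replayed ticket, and the CAS cookie is the only thing that carries the login between sites, so it never has to be set as a third-party cookie.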
A: 

I am trying to create an SSO for ASP.NET, ASP and PHP applications. If you have some code for this type of functionality, please send it to me. Thanks for your help. Anil Madan [email protected]

You should post a new question, Anil, rather than asking a question in an answer.
metadaddy
bad answer... post a new question
jalchr