views:

160

answers:

3

Hi,

Right now, I have all the employees of my company login to an external website using the company id, username and a password. We are trying to integrate it into an intranet portal which should provide seamless access to this website without requiring the user to enter these credentials.

Is there any way of doing this programmatically (.NET C#)? Very similar to screenscraping, Can I simulate the appropriate POST action and then redirect the user to the logged in page?

Any help is appreciated.

Thanks.


A: 

You can certainly post to the external website, the tricky bit will come when you redirect the user there, because there'll be cookies restrictions I think.

You might be able to do something with Javascript that makes the Client browser post directly to the third party with the correct credentials, look into jQuery's Post command.

Assuming that the external website maintains sessions with cookies in some way, the problem is, your company website can't set a cookie, except from it's own domain, and the 3rd party website can't read cookies except from it's own domain, so you can't transfer or pass the cookie across to your users.

Andrew M
A: 

You can make a <form> in your page that mirrors the external site's login form with the same action= attribute, then fill put and submit it using Javascript.

Note that this requires that you send the user's password to the browser, which is never a good idea.

SLaks
I tried the javascript route, but it takes me to the login URL. Am I missing something? or is it the fact that it is HTTPS?<form id="testForm" method="post" action="https://targetURL"><input type="hidden" name="txtCompanyCode" id="txtCompanyCode" value="TestCompanyCode" /><input type="hidden" name="txtUsername" id="txtUsername" value="TestUsername" /><input type="hidden" name="txtPassword" id="txtPassword" value="TestPwd" /> </form><script language="javascript"> document.onload = init();function init(){var aForm = document.getElementById( "testForm" );aForm.submit();}</script>
Santhosh
@Santosh: Compare your request to a real logon using Fiddler and see what's different.
SLaks
Thanks SLaks. I'm downloading Fiddler now..
Santhosh
Thanks everyone for your comments. I was able to simulate the POST request and get the job done. But I have a few other questions for which I'll probably create a new post :).Thanks again.
Santhosh
A: 

The name for this technique is "Single Sign-On". There's no one way to do it, but the emerging standard is called "SAML". This requires participation on both parts (the originator and target website), so it's probably beyond your current purview.

Like the other two answers have mentioned here, you can post a formatted request directly to the action of the login script, but I can tell you from experience that that solution will be brittle, that is, it will shatter the second the target website makes any changes.

Your best bet is to contact the administrator of the target website and ask if they have an SSO (Single Sign On) solution.

Chris B. Behrens
I did contact the administrator about SSO, but the answer was NO. Hence I had to look for other ways to "simulate" SSO. Thanks for all your replies. I'll try the solution with the formatted request and see how it goes. Something tells me this will NOT be a solution :)
Santhosh
Hmmm...well, that's a pain. If you're locked into this kind of a solution, I think the best you can do is put a layer of abstraction in between your sign on and their code...The things most likely to change are the following:Sign on URLName of the HTML Input for usernameName of the HTML Input for passwordIf you make all three of those configurable, you will be able to rapidly respond when they change them. I would also communicate with the website and let them know that you're doing it...at best, they might give you a heads up when they plan to make those changes.
Chris B. Behrens