Hello,

I have one domain such as http://www.mydomain.com and I have multiple domains pointing to the same location in IIS by defining host headers, such as http://www.myONEdomain.com, http://www.myTWODomain.com, etc.

In the code I use Request.Url.Host to determine which url the user came from and then I act differently in each page based on the domain.

HOWEVER, if the user logs in at www.mydomain.com, they also need access to myONEdomain, myTWOdomain, etc.

Does anyone know how I can achieve this in .NET authentication?

Obviously, the login from the first domain works correctly, but as soon as the user clicks on a link that redirects them to a different domain, there are some functions that they are unable to do because the IsAuthenticated method returns false.

I hope I explained the situation well and that it makes sense, if not please ask.

Thanks in advance!!

A: 

The first thing that comes to my mind is to make a cross-domain cookie.

Tony Abrams
+2  A: 

Ironically, I came across a rather extensive document on this just yesterday. I personally use a behind-the-scenes API to pass a session from the main login gateway to sister sites, but this explains the process in great detail:

http://www.codeproject.com/KB/aspnet/CrossDomainSSOExample.aspx

Anthony Greco
Very interesting article... but I think my case may be slightly different. I have multiple domains, but they all point to the same directory in IIS. Essentially it is all one domain... in my search I came across this: http://forums.asp.net/p/1023838/1390821.aspx Seems like I should be able to append the cookie with my additional sites. Any thoughts?
Tony
The issue is that even though it is in the same IIS directory, a cookie is stored by your browser based on domain. Example: You cannot set a cookie for www.AOL.com from your site www.blah.com, so when you go from www.blah.com, www.AOL.com has no way to access the cookies from www.Blah.com and vice versa.
Anthony Greco
This is how I do it... I have 1 main gateway, let's call it Server A, then 4 sites, B, C, D. When you go to Site B, I check the membership class to see if the user is logged in. If so, continue; if not, redirect to Server A, attaching an ID to the site (www.servera.com/?redirect=www.siteb.com). Server A has the login form. On login, if successful, Server A generates a session ID and stores it to a DB or in memory. It sets a cookie to the user storing them as logged in on ServerA. It then redirects to the query site (www.siteb.com) appending ?key=%SESSION%.
Anthony Greco
Now that we are on SiteB.com, we still see we are not logged in locally, but we do see that the query string 'key' has a session now. In this step, SiteB.com connects to a page on ServerA, passing the key. Server A checks the DB to make sure the key exists. If so, send back success (or whatever you want... maybe username); if not, send back failed. At this point you either send them to a session-expired, re-login page if failed, or you mark them in the Membership class as now "Online" and continue.
Anthony Greco
Now assume you go to SiteC.com after already being online for SiteB.com. SiteC.com is not yet logged in, so it sends them to ServerA.com, which sees based on cookies "Hey, this guy is already logged in, don't show the login form. Let's just create a new session just like before and auto-redirect to SiteC.com with the new session."
Anthony Greco
It's a bit confusing to explain here, but that's the overall gist. You have 1 main gateway that does the login, then just create an API in code that verifies with this gateway if they are connected. Each site you go to will have to verify with this gateway once in order to verify they're online. This works if they're in the same directory on IIS, or on totally different servers. Each will need to store its own cookie since that's how browsers work, so each needs to go through the process.
Anthony Greco
Yes, understood, and your approach will work for me. I have thought of that and I will most likely go that route for lack of anything better. HOWEVER, I have read a lot about using the same machineKey and sharing the cookie across domains; even some MS articles say it can be done across apps, but it does not work for me. One sample has domain1.com and domain2.com and they claim it works. Since I am at a loss for anything better and your comments were along the lines of what I was going to do, I will accept the answer. But I would still love to hear more about machineKey and cross domain!
Tony
Glad I could be of help
Anthony Greco
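
The key handling on Server A from the gateway flow in the comments above, as an added example that is not part of the original thread or anyone's posted code. It assumes .NET 6 or later; `GatewayTicketStore`, `Issue` and `Redeem` are hypothetical names, and the calling site is assumed to be identified by the back-channel endpoint before `Redeem` is called. It goes one step beyond the description by making the key random, short-lived, single-use, and issued only for redirect hosts on a fixed list.

```csharp
#nullable enable
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Added example, hypothetical names: one-time keys issued by the login gateway (Server A).
public sealed class GatewayTicketStore
{
    private sealed record Ticket(string User, string Site, DateTime ExpiresUtc);
    private readonly ConcurrentDictionary<string, Ticket> _tickets = new();
    private readonly HashSet<string> _sites;
    private readonly TimeSpan _lifetime;

    public GatewayTicketStore(IEnumerable<string> allowedSites, TimeSpan lifetime)
    {
        _sites = new HashSet<string>(allowedSites, StringComparer.OrdinalIgnoreCase);
        _lifetime = lifetime;
    }

    // Server A, after a successful login or when its own cookie shows the user is logged in.
    // Returns the value for ?key=..., or null when ?redirect= names a host that is not listed.
    public string? Issue(string user, string redirectHost)
    {
        if (!_sites.Contains(redirectHost)) return null;
        string key = Convert.ToHexString(RandomNumberGenerator.GetBytes(32));
        _tickets[key] = new Ticket(user, redirectHost, DateTime.UtcNow + _lifetime);
        return key;
    }

    // Server A, when a site presents the key over the back channel.
    // The key is removed on first presentation, so a replayed or leaked URL is rejected.
    public string? Redeem(string key, string callingSite)
    {
        if (!_tickets.TryRemove(key, out var t)) return null;
        if (DateTime.UtcNow > t.ExpiresUtc) return null;
        return string.Equals(t.Site, callingSite, StringComparison.OrdinalIgnoreCase) ? t.User : null;
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample data: two sister sites and a 60-second key lifetime.
        var store = new GatewayTicketStore(new[] { "www.siteb.com", "www.sitec.com" }, TimeSpan.FromSeconds(60));
        string key = store.Issue("alice", "www.siteb.com")!;
        Console.WriteLine(store.Redeem(key, "www.siteb.com") ?? "rejected");    // first presentation
        Console.WriteLine(store.Redeem(key, "www.siteb.com") ?? "rejected");    // same key presented again
        Console.WriteLine(store.Issue("alice", "unknown.example") ?? "no key"); // host not on the list
    }
}
```

Each site still sets its own forms-authentication cookie after a successful `Redeem`, since the browser scopes cookies per domain.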