tags:

views:

613

answers:

6
+1  Q: 

Web Application - User Authentication Across Domains

A client of ours has approached us to develop an application, and as usual the scope grows day by day.

Initially it started as a dedicated app confined within their corporate network. User Authentication was established by aquiring the user's Windows login and using a SQLServer Database to host the access rights. All quite straight forward.

They now want the following:
- Application to be Web Based
- Application to be hosted outside of the corporate network
- User authentication to work in the same way (no using passwords, just windows logins)

To complicate it further, they want the various functions of the application to to be usable by another application which just fires of HTTP requests.
- User logs in to corporate network
- User launches corporate application
- User processes customer details
- User clicks a button
- Corporate Application fires a HTTP request to our hosted web app
- HTTP request included necessary authentication and customer details
- User authentication is completed 'automatically' (No human involvement)
- Customer data is transmitted securely

They are very keen for us to do this for them as our initial approach was very much what they wanted. They still want us to do this even though such hosted web apps are not our speciallity. So I now approach the experts;
- Does anyone have any advice on how to approach this?
- Does anyone have any warning about the possible pitfalls to avoid?

A: 

I'd use a private OpenID provider/server for this.

thr  2009-03-02 11:45:28
Sorry I can't give a more fleshed out answer right now, but lunch is over and it's back to VS.NET for me.
thr  2009-03-02 11:46:02
A: 

Maybe WCF Communciation with Certificate based Authentication i.e. to external users who use the service the company provides them with a valid certificate. This would then not require a username password but take the user straight through.

REA_ANDREW  2009-03-02 11:48:52
A: 

Did you already have a look at SAML?

innaM  2009-03-02 11:49:23
A: 

Check out Windows CardSpace since it does integrate with your windows login and allows for the SSO scenario they require.

Tobias Hertkorn  2009-03-02 11:52:25
+2  A: 

Basically they're talking about federated access. You would host an authentication point inside their network which in turn forwards a token to your application which parses it and allows (or stops access). This is pretty standard, and MS provide a good base for this in the Geneva Framework. This will also work for web service calls providing they can change their application to use WSFed as a protocol and talk to a security token service which silently issues the authentication token. In most cases you'll be using SAML for this. It also has the added bonus of authentication details never going outside of their corporate network.

The suggestion of Certificate Based authentication is an interesting one, but requires more work in rolling out a PKI infrastructure. This can be costly.

CardSpace won't work - it's not silent as they seem to want. OpenID is a non starter as well, it's not silent either.

Extra points if you're looking at Azure - the authentication bits of Azure also use SAML/WSFed under the hood, and has bits of Geneva in it. So if you moved to the cloud then each of your customers would just have to configure a login page within their network - all you would have to do is trust that page to issue authentication tokens to you and parse them according to your rules.

blowdart  2009-03-02 11:55:24
A: 

Depending on how your app is constructed, you can fiddle with the machineKey in your web.config to allow for AJAX calls with single-sign-on (SSO). This would involve an small asp.net app within the corporate network just to dish out authentication tokens and redirect to your hosted app.

If the two apps share the same machineKey then the asp.net authentication system will happily allow users into your hosted app.

There are problems with this approach:

  • You introduce another dependency into your system (the authentication app within the corporate network.) It'll be a simple app, but you will face problems when trying to diagnose problems if you don't have access.
  • You need your hosted service to the in the same domain as the authentication app (so the authentication ticket in the HTTP cookie gets passed around.)
  • You'll also need an SSL certificate for your hosted service to secure the information. (Not really a downside per-se, you'd probably want to do this anyway.)
  • Because you and your client will have a shared machineKey, you will tie down an instance of your app to that particular client.
ninj  2009-03-02 13:11:01

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps