The problem: We have several dozen one-off applications in our environment scattered across a dozen servers. Some apps are secured with one-off form/db based logins. Some apps have permissions defined in web.config. Some apps have folder-level NTFS permissions set (some with domain user accounts, some with local user accounts for external users). Needless to say, this is an absolute mess.

An SSO solution is definitely in order, but should I build one, leverage an existing FOSS one, or buy one (and if so, which ones?)

I need to be able to

  • authenticate once via form login and naturally the login token would carry from server to server
  • mix-and-match domain accounts (preferred) and create db table accounts for external users
  • have centralized role/permission management
  • in situations where users authenticate with an AD/domain account, use this same account to allow whatever application they're using to connect to a database via integrated authentication
  • a portal would be nice

If someone would provide some direction I'd be much obliged.

+1  A: 

I'll first say: don't steal it!

I'm sure you'll get more complete answers, but in short, it looks like you'll be better off in the long run by just developing this yourself. You're supporting a messy product in such a way that no existing product (to my knowledge) would ever really intend to handle.

This way, you'll be able to develop the system progressively into something better and stronger. Add a new application? Design it to do things right this time around. I don't see a much better option/existing product for accomplishing this.

Tony k
+1  A: 

ISA Server 2006 might be (roughly) what you're looking for.
See: http://www.microsoft.com/forefront/edgesecurity/isaserver/en/us/default.aspx

This can support forms based authentication, as well as SSO against active directory.

It will require some standardization of your existing systems; however, I would prefer this route to writing your own.

Relating to the criteria:

  • ISA Server 2006 can do this.
  • I'm not entirely sure what you mean by the first part of this; however, you mentioned AD use later. I would suggest you consolidate all security into Active Directory, including external users and permissions, and use that as your primary tool for managing them.
  • See point above.
  • This is fine, you just need to configure your IIS/web.config's accordingly.
  • Not sure if you want to create a portal, or if you want the tool to use a portal as its UI?
Bravax
+1  A: 

NoCarrier, I'm assuming you're using the .NET platform?

If so, may I suggest you roll your own. Write an assembly which wraps the various authentication requirements, exposing them under common abstractions. IPrincipal is pretty common, or the (arguably busy) AuthenticablePrincipal ABC may be a good fit?

From experience I'd recommend you try and migrate your permissions infrastructure to a common technology. AD is probably best if you already have it. If so read on:

For AD integration check out System.DirectoryServices.AccountManagement.PrincipalContext

ValidateCredentials would be particularly useful for you here, I suspect. From PrincipalContext you can instantiate UserPrincipal, which includes permissions requests and, I assume (hopefully), meets many of your requirements for building out a custom portal.

Ed Blackburn
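As an added example of the approach Ed describes (this is not code from the question or any of the answers), the sketch below wraps two authentication sources behind one IPrincipal-producing abstraction: domain accounts validated through PrincipalContext.ValidateCredentials with roles taken from AD group membership, and external users kept in a table with salted PBKDF2 hashes. The domain name "corp.example.com", the external user record and the hash parameters are made up for illustration; it assumes Windows and the System.DirectoryServices.AccountManagement assembly (a NuGet package on .NET Core/.NET 5+, where CryptographicOperations.FixedTimeEquals is also available).

```csharp
// Added example (not from the original post or answers). The domain name and
// the external-user record below are constructed for illustration.
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Cryptography;
using System.Security.Principal;

// Common abstraction every application consumes: credentials in, IPrincipal (or null) out.
public interface IAuthenticator
{
    IPrincipal Authenticate(string userName, string password);
}

// Domain accounts: validate against AD, then turn group membership into roles.
public sealed class DomainAuthenticator : IAuthenticator
{
    private readonly string _domain;
    public DomainAuthenticator(string domain) { _domain = domain; }

    public IPrincipal Authenticate(string userName, string password)
    {
        // Caveat: an empty password makes the LDAP bind an anonymous bind, which
        // ValidateCredentials can report as success. Refuse it before binding.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return null;
        try
        {
            using (var ctx = new PrincipalContext(ContextType.Domain, _domain))
            {
                // Negotiate (Kerberos/NTLM) with signing and sealing keeps the
                // password off the wire in the clear.
                const ContextOptions opts = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
                if (!ctx.ValidateCredentials(userName, password, opts))
                    return null;

                using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, userName))
                {
                    if (user == null || (user.Enabled.HasValue && !user.Enabled.Value))
                        return null;
                    // Centralized role management: AD groups (including nested ones) become app roles.
                    string[] roles = user.GetAuthorizationGroups()
                        .Select(g => g.SamAccountName).Where(n => n != null).ToArray();
                    return new GenericPrincipal(new GenericIdentity(user.SamAccountName, "ActiveDirectory"), roles);
                }
            }
        }
        catch (PrincipalServerDownException)
        {
            return null; // fail closed when no domain controller is reachable; log this in real use
        }
    }
}

// External users kept in a table: only a per-user salt and a PBKDF2 hash are stored.
public sealed class TableAuthenticator : IAuthenticator
{
    public sealed class Record { public byte[] Salt; public byte[] Hash; public string[] Roles; }
    private const int Iterations = 100000; // assumed work factor; tune to your hardware
    private readonly IDictionary<string, Record> _users;
    public TableAuthenticator(IDictionary<string, Record> users) { _users = users; }

    public static Record Create(string password, params string[] roles)
    {
        var salt = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(salt);
        return new Record { Salt = salt, Hash = Derive(password, salt), Roles = roles };
    }

    private static byte[] Derive(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations, HashAlgorithmName.SHA256))
            return kdf.GetBytes(32);
    }

    public IPrincipal Authenticate(string userName, string password)
    {
        Record rec;
        if (string.IsNullOrEmpty(password) || !_users.TryGetValue(userName, out rec))
            return null;
        // Constant-time compare so a wrong guess is not distinguishable by timing.
        if (!CryptographicOperations.FixedTimeEquals(Derive(password, rec.Salt), rec.Hash))
            return null;
        return new GenericPrincipal(new GenericIdentity(userName, "Table"), rec.Roles);
    }
}

// Mix-and-match: try the domain first, then the external-user table.
public sealed class CompositeAuthenticator : IAuthenticator
{
    private readonly IAuthenticator[] _chain;
    public CompositeAuthenticator(params IAuthenticator[] chain) { _chain = chain; }
    public IPrincipal Authenticate(string userName, string password) =>
        _chain.Select(a => a.Authenticate(userName, password)).FirstOrDefault(p => p != null);
}

public static class Demo
{
    public static void Main()
    {
        var external = new Dictionary<string, TableAuthenticator.Record>
        {
            ["vendor.jane"] = TableAuthenticator.Create("correct horse battery staple", "Vendor", "Reports")
        };
        IAuthenticator sso = new CompositeAuthenticator(
            new DomainAuthenticator("corp.example.com"), new TableAuthenticator(external));
        IPrincipal p = sso.Authenticate("vendor.jane", "correct horse battery staple");
        Console.WriteLine(p == null ? "denied" : p.Identity.Name + " in Reports: " + p.IsInRole("Reports"));
    }
}
```

Each application then checks `principal.IsInRole(...)` instead of its own web.config or NTFS rules, and the role names come from one place (AD groups, or the Roles column for table accounts). The empty-password guard and the fail-closed handling of PrincipalServerDownException are the two checks most often missed when ValidateCredentials is dropped into a login form.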