tags:

views:

958

answers:

3
Q: 

How to authenticate users across domains using ASP.NET and iframes?

I am doing an ASP.NET website for a client, who wants to make their reports page available via IFRAME on other "reseller" websites. The reseller websites are providing the same service with different branding. I need to avoid, where I can, requiring them to implement any code on their webserver to enable this - hence using iframes.

A user would log in to the reseller website, load a page which contains an iframe, which in turn loads the report at the primary site. As parameters, we would send the reseller id, and their username.

We can use SSL server certificates, but not any federated login (like OpenId) - a business choice of the client.

The question is, how does the primary site verify that the report page really is being requested by the user who loaded the page from the reseller? In other words, how to authenticate the user across domains, without requiring the reseller to implement code..

Any thoughts would be much appreciated!

A: 

I might be missing something, but if the client is authenticated against your server, then it will still be authenticated if you view it through an iframe.

For example, create an HTML page on your server with an iframe to gmail. As long as you're authenticated against gmail in your browser you will see your inbox in that page...

Assaf Lavie  2009-06-01 12:17:45
Thanks for the reply. In answer; he is not yet authenticated against the second domain. User logs into domain A, loads page from there containing an iframe, which loads content from domain B. How to authenticate the user on domain B, without implementing (non-HTML) code on the server at A?
Leon van der Walt  2009-06-01 14:28:42
Use the same mechanism the user uses when logging in to your website. e.g. if the user isn't logged in he'll see the login page... (again, like with gmail)
Assaf Lavie  2009-06-01 15:05:13
+3  A: 

Your login form can use some javascript to post the login form to a hidden iframe (you can't use an XMLHTTPRequest because of cross domain security concerns) for each domain that you require a login for.

Be sure to redirect your iframe back to the original domain or you won't be able to fetch the login status out of the iframe due to cross-domain security.

The final trick for IE support is to flip the evil bit and add

P3P: CP="CAO PSA OUR"

to your HTTP response headers. Which tells the browser "I am not going to do anything bad, honest".

http://support.microsoft.com/kb/323752

http://www.w3.org/P3P/

lambacck  2009-06-01 12:35:17
Interesting, thanks, not sure yet if that answers yet, but will look into it.
Leon van der Walt  2009-06-01 14:26:20
Apologies, did not make clear: the reseller site logs the user into their server, and want to avoid a second logon.So, if the reseller tells the primary site "Bob here wants to see a report", the primary can lookup the user Bob, and as long as it can verify the request really came from an authorised reseller, serve the report. Useful answer tho, I give you a point :)
Leon van der Walt  2009-06-01 19:19:58
+1  A: 

I see no satisfactory way to do this without implementing any code on the reseller site.

Instead, I would require them to send an HTTPS request from the reseller webserver to the primary webserver, passing a unique secret key to identify themselves, as well as the username of their logged-on user.

Once verified on the primary site, this key would then serve as authentication for the reseller, and by extention, their logged-on user.

The response of this request would contain a html fragment string, which the reseller can inject into any page.

This fragment would contain an iframe, which, in turn, would load the report for the logged-on user directly from the primary site, using their username. This report content would contain a reference to a reseller-specific stylesheet.

With this approach I would say HTTPS is not required in the browser, since both the reseller and their user is authenticated, and if that process happened over HTTPS, we can assume there is no eavesdropper.

In the case where the secret key or the user password got compromised, HTTPS from the browser would make no difference anyway.

Leon van der Walt  2009-06-03 14:44:19

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps