Multisite login with a single "passport"
I have 3 ASP.NET MVC websites running with Entity Framework on SQL-Server. Each site runs as an independent app with independent databases. I want to enable business clients to create "Passports" aka tokens that allow them to login into one site while simultaneously logging them into other sites. In order to log into a site, the passport must have a valid"Visa" issued via the Passport system, Passports can be administrated with a Passport Site Manager, which can be used by administrators to access user account information from websites A,B, and C and do admin stuff. In a sense, a Passport can be thought of as having one-to-one correspondence with people's real identity.
Here are my questions, how do I pass a user login attempt from site A to check it with the passport database, and return the result to Website A? How do I keep this communication hidden? In other words, so that only the Website apps A,B,C can check a login attempt with the passport database? Should there be another app that provides that interface? Would it be an ASP.NET Web API?
The second part of my question, once a user logs into site A, they should not have to retype their credentials to get into sites B and C. Instead, upon logging into site A they create sessions with sites B and C, or generate a key that can authorize sessions with sites B and C. What would this process look like?
I'm not looking for a complete solution, but If you can point me towards an example, towards the documentation for the technologies/libraries/objects I would find useful.
What you are looking for is available in Windows Identity Foundation. Look through the developer kit on the site and what you want is fairly easily accomplished.
Your "Passport Site" is referred to as a Security Token Service(STS). Website A,B and C are called Relying Parties (RP). Considering a simple case where you implement your STS using ADFS 2.0 (all your users are maintained in Active Directory). Windows Identity Foundation (WIF) has ASP.NET authentication modules that can work out of the box with ADFS 2.0 over SAML. The STS represents user information in form of "Claims" and creates a X509 signed token with all the claims and provides that as a cookie to the user. RPs can read the token, verify the signature and use the claims for their authentication and authorization purposes.
A sample flow is explained below:
a. User visit's Website A for first time
- WIF module checks cookies for a valid token. Since user has not logged in, there is no token.
- WIF does a HTTP redirect of the user's browser to the STS site using a special URL that conveys who the intentions (login/logout, RP name, etc.).
- STS site checks for the token and since it is not present, displays the login page.
- User Logs in and is given a token with the user's claims. There is also a second token specific to the RP's name given (this indicates login for the RP). STS redirects back to the requesting RP.
- WIF module on Website A now recognizes the token and uses it for AuthN and AuthZ.
b. Consider now that the user visits Website B.
- WIF module checks for a valid token. Since it is not present there is no token.
- WIF does a HTTP redirect to the STS again with different paramters (RP changed)
- STS checks for login token. Since User has already logged in, it is present.
- STS creates a token for the Website B and redirects back to Website B.
- Website B WIF module recognizes the token and uses it for AuthN and AuthZ
User did not have to log in again with his user name and password.
The complexity of this system is handling individual site log outs and communicating log out of a user across multiple RPs. There is also a need for maintaining the correct SSL certificates as the whole system relies on it.
Some cases also have an "Active" scenario (the one I described was "Passive" with the browser doing all the running around) where programmer has to code the redirects.
- Why does 1.0/100.0 == 0.1/10.0 give True?
- How to organize the receive msg and user current input in C network such that it's clean
- Using inclusive scan syntax in OpenMP in the C language
- Unable to understand context in book "OOP in C" by Axel Schreiner
- How to dereference member from struct in which the definition is hid from user?
- variable-length array in struct with TI compiler in C (socket programming)
- A faster way to test 32bpp DDBs for a valid Alpha channel
- How can I compile the zephyr example-application as a freestanding application?
- Why does my forked process sometimes overwrite data in a file?
- Why in C can I initialize more values than the size of an array?
- _Generic in C needs typecasting?
- Declaring/defining an unused variable changes the output from an unrelated variable
- How to use gdb to explore the stack/heap?
- How can I read an input string of unknown length?
- Confused by difference between expression inside if and expression outside if
- Fast Arc Cos algorithm?
- Discrepancy of `unsigned long` size between llvm and gcc in riscv32
- GCC (C) - error: 'x' redeclared as different kind of symbol
- Why does GCC’s static analyser falsely warn that a pointer to an allocated memory block itself stored in an allocated memory block may leak?
- c language gcc compiler *.i file #3 "" 2 what is this?
- How to make clang compile to llvm IR
- Hashtable implementation in C
- EFI variables or config file on the EFI partition for EFI application?
- Pack high bit of every byte in ARM, for 64 bytes like AVX512 vpmovb2m?
- Calling an external C function (in a shared lib) from Perl with Inline::C does not work
- Can a C program detect if its own source code has been modified?
- Is this declaration UB?
- Eclipse C/C++ how to find variable belongs to which struct quickly
- Is this truly best way to delete last element in C?
- flint/arb.h: No such file or directory