Tags: asp.net, cookies, single-sign-on, owin, form-authentication

Form Authentication vs OWIN UseCookieAuthentication and subdomain SSO


Are the "traditional" forms authentication and the OWIN middleware (with UseCookieAuthentication) perfectly interchangeable?

I'd like to make a simple subdomain SSO (like many examples suggest): Sharing authentication between parent and child web applications

My parent application is an old ASP.NET Web Forms application with forms authentication configured in web.config:

    <system.web>
      <authentication mode="Forms">
        <forms loginUrl="~/Account/Login" timeout="2880" name=".ASPXAUTH" protection="Validation" domain="localhost" />
      </authentication>
      <machineKey validationKey="E0230924313583BE9D071B5826165A7C6198A1697AE2F549535F0744FFDC414638882DDC507C7B097EAD5B4FB67819D9520D0A9D05B2D38EAB4AF0B36DAAA39F" decryptionKey="D29E22658319B16CAE17C9CD0269AB15DEAF9068FB6D459C" validation="SHA1" decryption="AES"></machineKey>
    </system.web>

and a child application (in a subdomain) that is an ASP.NET MVC5 application (with OWIN UseCookieAuthentication), so the security is configured in Startup.cs and not in web.config:

    using System;
    using Microsoft.AspNet.Identity;
    using Microsoft.Owin;
    using Microsoft.Owin.Security.Cookies;
    using Owin;

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                CookieName = ".ASPXAUTH",
                CookieDomain = "localhost",
                Provider = new CookieAuthenticationProvider { OnApplyRedirect = ApplyRedirect }
            });
        }

        // Send unauthenticated requests to the parent's login page (absolute URL)
        // instead of this application's own LoginPath.
        private static void ApplyRedirect(CookieApplyRedirectContext context)
        {
            Uri absoluteUri;
            if (Uri.TryCreate(context.RedirectUri, UriKind.Absolute, out absoluteUri))
            {
                var path = PathString.FromUriComponent(absoluteUri);
                if (path == context.OwinContext.Request.PathBase + context.Options.LoginPath)
                {
                    context.RedirectUri = "http://localhost/subSiteAuthenticationTest/Account/Login" +
                        new QueryString(
                            context.Options.ReturnUrlParameter,
                            context.Request.Uri.AbsoluteUri);
                }
            }

            context.Response.Redirect(context.RedirectUri);
        }
    }

In the child application's web.config I configured only the same machine key as the parent application:

    <system.web>
      <authentication mode="None" />
      <machineKey validationKey="E0230924313583BE9D071B5826165A7C6198A1697AE2F549535F0744FFDC414638882DDC507C7B097EAD5B4FB67819D9520D0A9D05B2D38EAB4AF0B36DAAA39F" decryptionKey="D29E22658319B16CAE17C9CD0269AB15DEAF9068FB6D459C" validation="SHA1" decryption="AES"></machineKey>
    </system.web>

The parent's login page is used for both applications (in order to use an absolute path for the login page in the child application I implemented "OnApplyRedirect" as this post says: Login page on different domain).

But this doesn't work. Did I miss something?


Solution

  • Are the "traditional" forms authentication and the OWIN middleware (with UseCookieAuthentication) perfectly interchangeable?

    Unfortunately, no, they're not interchangeable.

    You can, however, provide a custom TicketDataFormat in the CookieAuthenticationOptions.

    Here's an example.

    SSO for ASP.NET MVC4 and MVC5 web apps shared the same domain
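The following is an added example, not code from the question, the answer or the linked post: a custom TicketDataFormat for the child MVC5 application that reads and writes classic FormsAuthentication tickets, so the OWIN cookie middleware can consume the .ASPXAUTH cookie the parent Web Forms application issues. It is the piece the answer refers to. Everything it relies on is existing .NET Framework / Katana API (FormsAuthentication.Encrypt/Decrypt, ISecureDataFormat<AuthenticationTicket>, CookieAuthenticationOptions); the namespace, class names and the parent domain example.test are assumptions. Three things it takes for granted, which the question's configuration does not provide: both web.configs share the same machineKey (already true above); the child web.config carries a <forms> element with the same name, path, domain and protection values as the parent's, even though its authentication mode stays None, because FormsAuthentication.Decrypt uses those settings (the parent's protection="Validation" signs but does not encrypt the ticket, while the child's default is protection="All", so a mismatch makes every Decrypt fail); and the cookie domain is a real registrable domain shared by both hosts, since browsers do not honour Domain=localhost.

```csharp
using System;
using System.Security.Claims;
using System.Web.Security;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Assumed namespace for the child MVC5 application (not from the question).
namespace SubSiteAuthenticationTest
{
    // Added example: makes the OWIN cookie middleware speak the FormsAuthentication
    // ticket format. Requires the same <machineKey> and the same <forms> settings
    // (name, path, domain, protection) in both web.config files.
    public class FormsAuthenticationTicketDataFormat : ISecureDataFormat<AuthenticationTicket>
    {
        private readonly string _authenticationType;

        public FormsAuthenticationTicketDataFormat(string authenticationType)
        {
            _authenticationType = authenticationType;
        }

        // Called when the child app itself signs a user in: emit a ticket the parent can validate.
        public string Protect(AuthenticationTicket data)
        {
            DateTimeOffset issued = data.Properties.IssuedUtc ?? DateTimeOffset.UtcNow;
            DateTimeOffset expires = data.Properties.ExpiresUtc ?? issued.Add(FormsAuthentication.Timeout);

            var ticket = new FormsAuthenticationTicket(
                version: 2,
                name: data.Identity.Name,
                issueDate: issued.UtcDateTime,
                expiration: expires.UtcDateTime,
                isPersistent: data.Properties.IsPersistent,
                userData: string.Empty,                      // roles/claims are not carried across apps
                cookiePath: FormsAuthentication.FormsCookiePath);

            // Signed (and encrypted, if <forms protection="All">) with the shared machineKey.
            return FormsAuthentication.Encrypt(ticket);
        }

        // Called on every request carrying the cookie: validate it with the shared machineKey.
        public AuthenticationTicket Unprotect(string protectedText)
        {
            FormsAuthenticationTicket ticket;
            try
            {
                ticket = FormsAuthentication.Decrypt(protectedText);
            }
            catch (Exception)
            {
                // Mismatched machineKey/protection, tampered or malformed cookie: treat as anonymous.
                // Returning null makes the middleware log "Unprotect ticket failed" and continue unauthenticated.
                return null;
            }

            if (ticket == null || ticket.Expired)
            {
                return null;
            }

            var identity = new ClaimsIdentity(_authenticationType, ClaimTypes.Name, ClaimTypes.Role);
            identity.AddClaim(new Claim(ClaimTypes.Name, ticket.Name));

            var properties = new AuthenticationProperties
            {
                IsPersistent = ticket.IsPersistent,
                IssuedUtc = new DateTimeOffset(ticket.IssueDate.ToUniversalTime()),
                ExpiresUtc = new DateTimeOffset(ticket.Expiration.ToUniversalTime())
            };

            return new AuthenticationTicket(identity, properties);
        }
    }

    public partial class Startup
    {
        public void ConfigureAuth(IAppBuilder app)
        {
            app.UseCookieAuthentication(new CookieAuthenticationOptions
            {
                AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
                // Read name/path/domain from this app's own <forms> element so they cannot
                // drift from the parent's; the assumed shared domain is "example.test".
                CookieName = FormsAuthentication.FormsCookieName,
                CookiePath = FormsAuthentication.FormsCookiePath,
                CookieDomain = FormsAuthentication.CookieDomain,
                CookieHttpOnly = true,
                // Assumes both applications are served over HTTPS (the SSO cookie is a bearer token).
                CookieSecure = CookieSecureOption.Always,
                TicketDataFormat = new FormsAuthenticationTicketDataFormat(DefaultAuthenticationTypes.ApplicationCookie),
                LoginPath = new PathString("/Account/Login")
            });
        }
    }
}
```

The question's CookieAuthenticationProvider with OnApplyRedirect can be added to the options unchanged; it is independent of the ticket format. Note that the ticket carries only the user name, so roles and other claims must be derived in each application from its own store rather than trusted from the cookie, and that a sign-out in either application only clears the shared cookie, it does not invalidate tickets already issued before the machineKey is rotated.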