Introduction
This article describes a way to provide Single Sign On (SSO) in an intranet environment with the help of a small .NET web application. The same facility can then be extended to .NET, Java and PHP web applications.
Background
In my organization I was assigned the task of implementing an SSO feature for all the web applications. The applications are not necessarily hosted under the intranet domain; the programming language varies from .NET to Java to PHP, and the server from IIS to Tomcat to IBM WebSphere. My organization is a Windows-driven one where all users run Windows XP / 7 / 8. I found that achieving SSO in a .NET application is quite simple:
using System.Security.Principal;

WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());
string username = wp.Identity.Name;
will give the logged-in username, provided that
- the user is logged into the domain, and
- the user is using a browser that supports Integrated Windows Authentication (IE and Chrome do so by default; Firefox needs the site added to network.negotiate-auth.trusted-uris).
If either condition is not met, the browser shows a pop-up asking the user to log in with domain credentials. That took care of .NET.
Now for Java applications, Google told me to use SPNEGO/JOSSO, but I found it very difficult to implement, and I had no idea how to do it for PHP applications.
So I thought, "Why not extend the .NET single sign-on capability to other programming languages via an HTTP query string?"
There are three parts in the .NET application :
- Code to get the logged in username
- Code that accepts a query string containing the URL of the web application that called this SSO .NET application
- Code that redirects to the URL which we get in the querystring
Using the Code
The first thing to do is to create a .NET web application that gets the logged-in username.
using System.Security.Principal;

// Under IIS, WindowsIdentity.GetCurrent() is the authenticated caller only while ASP.NET
// impersonation is enabled; otherwise it is the application pool identity.
// User.Identity.Name returns the authenticated caller whether or not impersonation is on.
WindowsPrincipal wp = new WindowsPrincipal(WindowsIdentity.GetCurrent());
string username = wp.Identity.Name;
This gives the username as "DOMAIN\username". Extract the username part:
string[] extractName = username.Split('\\');
username = extractName[extractName.Length - 1]; // also safe when no backslash is present
The second part is to accept the HTTP query string. Because this value becomes the redirect target, accept only URLs that point at your own sites; otherwise GetUserName.aspx is an open redirect that sends a domain user, together with their username, to any site an attacker puts in the link.
string url = Request.QueryString["url"];
// Validate url against a list of your own hosts before using it as a redirect target.
The third part is to redirect to this URL and pass the username via the HTTP query string. Append to any query string the target already has, and URL-encode the value:
string separator = url.Contains("?") ? "&" : "?";
Response.Redirect(url + separator + "username=" + HttpUtility.UrlEncode(username));
Note that anyone can request Login.aspx?username=... directly, so the receiving site must not treat this parameter on its own as proof of identity (see Points of Interest).
An example:
The user clicks on URL : http://xxx.xxx.xx.xxx/SSO/GetUserName.aspx?url=http://xxx.xxx.xx.xxx/TestSite/Login.aspx
http://xxx.xxx.xx.xxx/SSO/GetUserName.aspx is the .NET SSO provider URL
http://xxx.xxx.xx.xxx/TestSite/Login.aspx is the URL that the user actually wants to access.
http://xxx.xxx.xx.xxx/SSO/GetUserName.aspx gets the logged in username and redirects the user to
http://xxx.xxx.xx.xxx/TestSite/Login.aspx?username=loggeduser
http://xxx.xxx.xx.xxx/TestSite/Login.aspx must contain code that processes the HTTP query string "username" and redirects the user to the next valid page.
The server where this .NET SSO application is hosted must be joined to the domain. Keep the following points in mind when setting up IIS as well:
- Anonymous Authentication must be disabled
- Windows Authentication must be enabled, and ASP.NET impersonation as well if you read the user with WindowsIdentity.GetCurrent() as above
Points of Interest
If you want to secure the username while it passes from the .NET SSO application, you may encrypt it and call a decryption function in the client web application to get the original username. Be aware that encryption alone does not prove who sent the parameter: the value sits in browser history, proxy logs and the web server's access log, and a captured value can be replayed indefinitely, so the client application cannot tell a replayed or hand-typed parameter from a genuine one. What the client application needs is integrity and freshness: sign the username with a keyed MAC that the provider and the clients share, include an expiry time and the target application in the signed data, and have the client reject anything that fails the check.
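The hand-off described in Using the Code and the signed-token variant above, as an added reference implementation in Python; this is not the article's code, and the .NET provider and the Java and PHP consumers would each carry the same two functions in their own language. The provider checks the ?url= target against an allow-list before redirecting and appends a signed, expiring token instead of the bare username; the consumer verifies the token and ignores a plain ?username=. The hostnames, the shared secret and the user names are assumptions constructed for the example.

```python
"""Added example (not the article's code): a signed, expiring hand-off token in
place of the bare ?username= parameter, plus an allow-list on the ?url= target.
Hostnames, secret and user names are constructed for the example."""
import base64
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

SHARED_SECRET = b"example-secret-shared-out-of-band"  # assumption: provisioned to provider and consumers
ALLOWED_HOSTS = {"apps.example.local", "intranet.example.local"}  # assumption: the SSO-enabled sites
TOKEN_TTL_SECONDS = 60


def extract_username(logon_name):
    """DOMAIN\\user -> user, user@domain -> user; a bare name passes through."""
    if "\\" in logon_name:
        return logon_name.split("\\", 1)[1]
    return logon_name.split("@", 1)[0]


def canonical_target(url):
    """scheme://host/path with no query: the value the token is bound to."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, "", ""))


def make_token(username, target, now=None):
    """base64url(username|expiry|hmac); the MAC also covers the target so the
    token cannot be replayed against a different application."""
    now = int(time.time()) if now is None else now
    expiry = now + TOKEN_TTL_SECONDS
    mac = hmac.new(SHARED_SECRET, f"{username}|{expiry}|{target}".encode(), hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(f"{username}|{expiry}|{mac}".encode()).decode()


def verify_token(token, target, now=None):
    """Username if the MAC matches and the token is unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        username, expiry_s, mac = base64.urlsafe_b64decode(token.encode()).decode().rsplit("|", 2)
        expiry = int(expiry_s)
    except ValueError:  # bad padding, undecodable bytes, missing fields, non-integer expiry
        return None
    expected = hmac.new(SHARED_SECRET, f"{username}|{expiry}|{target}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected) or now >= expiry:
        return None
    return username


def build_redirect(url_param, logon_name, now=None):
    """Provider side (what GetUserName.aspx should do with ?url=). Refuses targets off
    the allow-list, which closes the open redirect in Response.Redirect(url + ...),
    requires https so the token is not sent in clear, and keeps the target's own query."""
    p = urlsplit(url_param)
    if p.scheme != "https" or p.hostname not in ALLOWED_HOSTS:
        raise ValueError("redirect target not allowed: " + url_param)
    token = make_token(extract_username(logon_name), canonical_target(url_param), now)
    query = parse_qs(p.query, keep_blank_values=True)
    query["token"] = [token]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(query, doseq=True), ""))


def consume_login(request_url, now=None):
    """Consumer side (Login.aspx, or its Java/PHP equivalent): the username the token
    proves, or None if it is missing, forged, expired or minted for another application.
    A bare ?username= is ignored, because anyone can type one."""
    p = urlsplit(request_url)
    token = parse_qs(p.query).get("token")
    if not token:
        return None
    return verify_token(token[0], canonical_target(request_url), now)


if __name__ == "__main__":
    target = "https://apps.example.local/TestSite/Login.aspx?next=%2Fhome"
    redirect = build_redirect(target, "CORP\\jdoe")
    print(redirect)
    print(consume_login(redirect))                                                           # jdoe
    print(consume_login("https://apps.example.local/TestSite/Login.aspx?username=admin"))    # None
    print(consume_login(redirect.replace("apps.", "intranet.")))                             # None
```

The token is only as secret as the shared key and the transport: it still travels in a URL, so keep the lifetime short, serve both sites over https, and have the consumer establish its own session cookie immediately and never reuse the token.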