Wednesday, May 2, 2007

Single Sign-On using ASP.NET

For many, this seems to be a highly complex issue. Well, if you stop thinking hi-tech, you can make it simple and secure (to a certain extent).

Introduction and Assumptions:
Since it is fairly easy to implement the same in the intranet, we'll talk more about the extranet implementation. Let call our main application (the portal) as the Master. All our users have access to the Master (with role based security). However, not all have access to the child applications within Master.

Let us assume a user-- Bob. Bob is an accountant for two different departments( A and B) at his work. He will need to log into the departments' websites to pull sensitive reports. Now, our Master application will let Bob in with his own credential settings. Within that application, he'll see the links to websites for departments A & B. When he clicks on either of those, he's directed to the corresponding department's homepage (not the login page) bypassing the login process.

Behind the Scenes:
We need to setup few tables to do this single sign-on which enabled Bob to bypass the login process from the Master application. I'll explain the table layout and thier functionality below.

tbl_App: This table has the list of child applications to be brought into single sign-on
  • AppID
  • AppName
  • AppURL

tbl_AppUsers: This table has the list of users and the Application ID (from the previous table) that they have access to

  • AppID
  • UserID

tbl_AppUserKey: This table stores the AppID, UserID, and a GUID (which acts more like a authentication token for our single sign-on)

  • AppID
  • UserID
  • Key

These are the key tables that you'll need. Assuming this is not for beginners, I will bypass other topics like user roles for different applications, securing the keys generated (to be discussed later) and so forth.

The Process:

Choose a data driven control like gridview or treeview to display the Applications that a user has access to. Use the first two tables for this. After Bob logs in to Master, read his user ID and get the applications (departments A and B) that he has access to.

Now this is important! When Bob clicks on the application link (Department A, in this example), you'll need to generate a unique key (GUID, to keep it simple), and store this GUID along with Bob's User ID and the App ID. Read the App's URL from the tbl_App table. Open a new window (You can do this using client script which I'll post at the end) for the link that Bob has just clicked, and pass the generated key as a query string.

Department A's application:
Get the query string (the GUID) and read the corresponding User ID from the tbl_AppUserKey table. Now that you have the User ID for Bob, it's not a good idea to keep the GUID in the table. So, delete it! duh!

In this way, even if Bob closes the browser (instead of logging out), and tries to come back (by entering the URL from his browser history) you can redirect him to a error page as the query string would be null. As I said earlier, I assume you already know about maintaining roles and synchronizing the Master and Child applications.

ClientScript for Opening a new Browser Window:

//Open a window to the app and pass Token as query string - works only on postbacks
string script = "'" + url + "?token=" + key + "')";
ClientScriptManager cm = Page.ClientScript;
cm.RegisterStartupScript(this.GetType(), "window", script, true);

Any questions? shoot me an email at

WPF/E - ASP.NET (Server Control)

So much hype about the WPF from the developer-evangelists of Microsoft convinced me upto an extent to install the 3.0 framework and the neccasary installers for creating cool WPF (or should I say Microsoft's Flash) content for windows and for the web.Installers are easily available for those who are winforms enthusiasists. However, if you want to develop wpf/e based content for the web, then you better make a checklist of the installers from msdn. Plus, you'll need service pack 1 for Visual Studio 2005. Remember that the SP1 is about 400 Mb. You'll probably want to download it first before installing. Then you need the RC (the latest is Feb 07) for WPF and WPF/E SDK.

Without the SDK you'll not be able to install the WPF template.Apart from this minor information, I found an interesting link which allows you to use a custom user control (credits to Mike Harsh). Click here to Visit the link. User Controls are fun as we know. Here, all we have to do is create a XAML file using XAML Pad, Expression web, or just xml Editor. I'd rather stick with Expression Web. After you create the xaml, use the user control and link the source to the XAML file. Viola! The user Control can be found here and a sample application using the User Control Can be downloaded from here.