Microsoft Identity Manager
A family of Microsoft products that manage a user's digital identity using identity synchronization, certificate management, and user provisioning.
661 questions
Single Sign On with ASP.Net Identity
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 4%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKS%3C/text%3E%3C/svg%3E)
Kiran Shah
1
Reputation point
There is requirement in my application to implement SSO using ASP.Net Identity (not using Form Authentication). I have implemented ASP.Net Identity in my 2 MVC applications for authentication. Also implemented SSO (Single Sign On) in both application, but when I log in into main application with correct login credentials, its not sharing authentication to the second application hence when I open second application it always redirect to the first application. I have added same machine key in both application See below Startup class I have implemented in my application.
public void ConfigureAuth(IAppBuilder app)
{
// Configure the db context, user manager and signin manager to use a single instance per request
app.CreatePerOwinContext(ApplicationDbContext.Create);
app.CreatePerOwinContext<ApplicationUserManager>(ApplicationUserManager.Create);
app.CreatePerOwinContext<ApplicationSignInManager>(ApplicationSignInManager.Create);
// Enable the application to use a cookie to store information for the signed in user
// and to use a cookie to temporarily store information about a user logging in with a third party login provider
// Configure the sign in cookie
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
LoginPath = new PathString("/Account/Login"),
CookieName = "Share1.SSO",
//CookieDomain = "azurewebsites.net",//
SlidingExpiration = true,
Provider = new CookieAuthenticationProvider
{
// Enables the application to validate the security stamp when the user logs in.
// This is a security feature which is used when you change a password or add an external login to your account.
OnValidateIdentity = SecurityStampValidator.OnValidateIdentity<ApplicationUserManager, ApplicationUser>(
validateInterval: TimeSpan.FromMinutes(30),
regenerateIdentity: (manager, user) => user.GenerateUserIdentityAsync(manager))
}
});
AntiForgeryConfig.UniqueClaimTypeIdentifier = ClaimTypes.NameIdentifier;
}
Also on successful login, I also creates claims as below.
var user = await UserManager.FindByNameAsync(username);
var claims = new List<Claim>();
claims.Add(new Claim(ClaimTypes.NameIdentifier, user.Id));
claims.Add(new Claim(ClaimTypes.Name, username));
var id = new ClaimsIdentity(claims,
DefaultAuthenticationTypes.ApplicationCookie);
var ctx = Request.GetOwinContext();
var authenticationManager = ctx.Authentication;
authenticationManager.SignIn(new AuthenticationProperties()
{
AllowRefresh = true,
IsPersistent = true,
ExpiresUtc = DateTime.UtcNow.AddMinutes(30),
IssuedUtc = DateTime.UtcNow
}, id);
But the SSO is not working when I publish on Azure portal. Please guide me to fix this issue asap.
Regards,
Kiran Shah
{count} votes
-
AgaveJoe 27,696 Reputation points2021-11-26T13:16:48.603+00:00 You have not explained the SSO design or shared any code that indicates SSO. The code you have shared created an authentication cookie. I'm guessing the actual problem is sharing the authentication cookie between applications???
Share authentication cookies among ASP.NET apps
Typically SSO has a central authentication service that the other applications know and trust.
-
Kiran Shah 1 Reputation point
2021-11-29T12:40:14.143+00:00 Hi AgaveJoe,
Thanks for your quick reply, Sorry but I am not getting SSO design, I am new to SSO and what I have read and learn for SSO, there need to change code in below classes to make the SSO working
- Define the same machineKey and decryptionKey in web.config file of all applications which you would like to apply SSO.
- Write the code for cookie authentication in Startup.cs class as I have mentioned in my post.
- In the login method, define the claims (as I mentioned in my post) if the user is logged in successfully
Now when user will be logged in any one application then the authentication cookie will be created and when user will open the second application then it will check the authentication cookie and it will be authorized (based on [Authorize] keyword we define top of the controller class) if the authentication cookie is set.
The same code works fine for the Form authentication but I would like to make it working for ASP.Net Identitiy as I am using ASP.Net Identity for authentication in our application.
Kindly guide me and if possible please send me the sample code which can help to fix this issue.
Regards,
Kiran Shah -
AgaveJoe 27,696 Reputation points
2021-11-29T14:36:50.16+00:00 Did you read the link in my initial post and follow the steps??? Are you trying to share the Identity database too or only the authentication cookie?
I believe a better approach is building a central login.
-
Kiran Shah 1 Reputation point
2021-12-17T12:53:23.58+00:00 Actually sharing cookie is not allowed by some domains because of security reason. Please refer below link for such domains.
https://publicsuffix.org/list/public_suffix_list.datAnd I have published my sites on Azure portal (domain azurewebsites.net) and which is not allowed to share cookie. So in my case SSO is not possible with sharing cookie.
Can you please guide me if is there any other way to achieve single sign on in web application.
-
AgaveJoe 27,696 Reputation points
2021-12-17T16:32:04.52+00:00 As explained above - twice , SSO usually involves a central login service. OAuth is pretty common these days. Google, Facebook, Azure AD, etc have OAuth services. The official documentation on this site covers authentication/authorization and since the subject is extensive so you'll need to read through the docs on the left to figure out what best fits your scenario.
Overview of ASP.NET Core authentication
It sounds like the Interactive flow is what you need. Basically, all the web applications trust the login service.
Sign in to comment