How to: Use the ASP.NET Authentication Service to Log In Through Silverlight Applications

Microsoft Silverlight will reach end of support after October 2021. Learn more.

This topic describes how to authenticate the end users of your Silverlight-based ASP.NET Web site when you want to create a rich user log-in experience by using the full graphical power of Silverlight, instead of relying on an HTML-based mechanism, such as the ASP.NET Login Control. You can do this by using the ASP.NET Authentication service. For information about using this service, see ASP.NET Authentication Service Overview.

To use the ASP.NET Authentication service, you must have an ASP.NET site with Forms Authentication being accessed through a Silverlight application that is hosted on a Secure Sockets Layer-enabled (HTTPS) server. There are two requirements:

  • Secure Sockets Layer (SSL) is required because users must be able to verify the identity of your Silverlight application before trusting it with their passwords. Therefore, it is important to host XAP packages of Silverlight applications that accept passwords from SSL-enabled sites (https:// addresses), just like regular Web pages that accept passwords.

  • The Authentication service itself must be hosted with SSL to protect the user’s credentials when they travel over the wire.

To enable ASP.NET authentication on the service

  1. In Solution Explorer, right-click the service project and select Add, then New Item, and select the Silverlight-enabled WCF Service template from the Silverlight category. Call it Authentication.svc in the Name box and click Add.

  2. Delete the Authentication.svc.cs file. ASP.NET provides a built-in implementation for this service, so no code is required for this service.

  3. Replace the contents of Authentication.svc with the following code.

    <%@ ServiceHost Language="C#"
    Service="System.Web.ApplicationServices.AuthenticationService" %>

    This directive accesses the AuthenticationService class, which contains the built-in Authentication service implementation provided by ASP.NET.

  4. Ensure that the Authentication service is turned on by setting the enabled attribute of the <authenticationService> element in the configuration to true.

          <authenticationService enabled="true"
           requireSSL = "true"/>

    Note that for debugging purposes, the requireSSL attribute can be set to false, but you must switch it back to true before going to production.

  5. In the Web.config file, set both the name attribute of the <service> element and the contract attribute of the service <endpoint> element to System.Web.ApplicationServices.AuthenticationService.

    <service name="System.Web.ApplicationServices.AuthenticationService">
       <endpoint address="" 
                 contract="System.Web.ApplicationServices.AuthenticationService" />
       <endpoint address="mex" 
                 contract="IMetadataExchange" />
  6. Change the <httpTransport /> element to the <httpsTransport /> element in the <customBinding> section.

       <binding name=" WebApplication2.Authentication.customBinding0">
          <binaryMessageEncoding />
          <httpsTransport />
  7. Now you are ready to host the service. Because the service is hosted over HTTPS, you will not be able to host it in Visual Studio. You will need to deploy the Web application to IIS. Do this on the Web tab of the Web application properties.

    Dd560704.Important(en-us,VS.95).gif Note:
    IIS must also be configured to support an HTTP-based binding.

To log in to the service with the Silverlight application

  1. Use Add Service Reference or Slsvcutil.exe in your Silverlight application to add a reference to Authentication.svc. See How to: Access a Service from Silverlight for instructions on how to use the Add Service Reference Tool.

  2. Add any other services you need for your application (for example, MyService.svc) as described in How to: Host a Secure Service in ASP.NET for Silverlight Applications.

  3. In your Silverlight application, use code similar to the following code to log in.

    var proxy = new AuthenticationServiceClient();
    proxy.LoginCompleted += new EventHandler<LoginCompletedEventArgs>(proxy_LoginCompleted);
    proxy.LoginAsync(userNameTextBox.Text, passwordTextBox.Text, null, false);
    // Event handler:
          void proxy_LoginCompleted(object sender, LoginCompletedEventArgs e)
       if (e.Error == null)
                 // Log in successful, you now have an authentication cookie
                 // and can call other services.
  4. After the login is successful, you can call the other secure services you have added (for example, MyService.svc). No additional authentication code is required to access these services.

  5. You may be using the ClientHttp networking stack to propagate SOAP Faults to the client or for other reasons. For more information about reasons for using the networking stack based on the client operating system instead of the default browser networking stack, see How to: Make Requests to HTTP-Based Services. For more information about how to opt into the client networking stack, see How to: Specify Browser or Client HTTP Handling.

    If you are using the client networking stack, cookies will not automatically be carried over between the Authentication service proxy and your service proxy. Some extra steps are needed to ensure that the authentication cookie returned by the Authentication service is used by your service proxy. Normally, if using the default BrowserHttp networking stack, the Web browser performs this automatically.

    To enable WCF to give you access to the underlying cookie store that each proxy uses, add the <httpCookieContainer> binding element to the <binding> of <customBinding> (Silverlight) section above the <httpsTransport> element.

  6. To provide a global cookie container that all proxies share, instantiate a CookieContainer object called “container” at the top level of your Silverlight application.

  7. Before you use the proxy to the Authentication service, attach the cookie container to it by setting the CookieContainer property to container.

    proxy.CookeContainer = container;

    The cookie returned by the Authentication service will now be stored in container. Do this for each of the other proxies to which authentication cookies will be attached.

Cross-Domain Considerations

Because browser-based authentication techniques are used, follow these guidelines:

  • You must not publish a full-access cross-domain policy file (<domain uri=”*”/>) for the domain where the secure services are hosted. Doing so would introduce serious security vulnerabilities.

  • If you cannot host your XAP file on the same domain as the services, you can publish a limited cross-domain policy file (<domain uri=”” />).

  • You must publish the secure services on the same domain as the Authentication service.

  • For more information about cross-domain access, see Making a Service Available Across Domain Boundaries.

Using Other ASP.NET Application Services

You can use other ASP.NET application services in a fashion similar to how the Authentication service has been used. Two examples are:

  • The ASP.NET Roles service can be used to discover the current user’s role and customize the Silverlight UI accordingly (for example, by graying out commands that the user is not authorized to perform).

  • The ASP.NET Profile service can be used to retrieve and store the current user’s profile settings.

For more information about these services, see ASP.NET Application Services Overview.

Send comments about this topic to Microsoft.

Copyright © 2010 by Microsoft Corporation. All rights reserved.