Hi,
I am looking in to implementing a single sign on for a number of in house applications.
I am thinking of making it a web service that initially queries the Active Directory to see if the staff member logging in actually is allowed on the network. As far as I can make out, this should be relatively easy.
I can then have a login control that can be added to each application that accesses the web service to authenticate each user.
A database will be implemented and will be checked after the Active Directory LDAP query to see which applications the user has access to and the rights they have in that application.
How best would I be able to check that the application being signed into is in the list of accessible applications for the given user?
Does this sound like the best way to do such a thing?
Any help or links on this matter would be much appreciated.
Thanks in advance
Grant
Depends.
My question for now is, why aren't these in-house applications performing the check for whether the user has permissions to access it? Why must this depend upon an external application?
They do check if the user can access the app. I was wanting to make a single sign-on app so that it is centralised for all in-house apps. Is it better practice to let each individual program check a database to see who has access?
In my experience with in-house apps, yes. Because each app already authenticates users when they login with Windows authentication and may have their own logic for allowing a user access.
Since you say that the applications are already doing this, doing it externally is redundant.
Now, by single sign-on, do you mean a single page, with links to each app, where you'd like to pass credentials to the individual apps and let them perform authentication?
What I had in mind was a web service that dealt with all of the authentication through LDAP, ensuring the users are in the Active Directory. I also envisaged a web control which had the username, password, domain boxes etc. which would communicate with the web service. This web control could be dragged on to the login page of any application, hence authenticating them with the network.
I had wondered about replacing the separate system authentications with a page allowing users to select an app (which they have access to) to connect to. This, as you have just mentioned, may well be better left with the individual applications.
Does that make more sense, or am I way off the mark with the single sign-on idea?
Thanks for the input.
1. When you use Windows Authentication on an app, they are automatically authenticated with the network.
Now you have two options. On the page that links to all the in-house apps,
a) You can simply create a link to each of those apps
b) You can have Windows Authentication enabled on YOUR page, and, when sending the user to the other apps, you pass their windows authentication information so that they needn't login again there. This way, the credentials are passed to those apps, yes, and THOSE apps check security levels, etc., etc.
What do you think now?
I think it's getting late on a Monday afternoon and my head hurts :)
On a serious note, the second option mentioned seems to be preferable: I pass the details through to the apps and let them deal with their own security. Using this method I'm still not able to hide the apps that certain users haven't got rights to.
I'll have to give this thought as to how to implement the system, but your help has put things into perspective.
The only query I would have now, and I never mentioned this previously: if at any point a serious change to data is made in one of these systems, a user is required to digitally sign the change off. This involves them authenticating themselves again.
Initially I had thought that with the web control suggestion I could just drag it on to the sign-off page. This isn't a major problem at present but one I'll have to look at eventually.
You've been a great help on this. Thanks, and no doubt I'll post again on this matter.
Grant
For implementation, you want to look at how to pass credentials between ASP.NET applications.
Ok,
I'm now extremely confused. How can I go about having a logon page which checks the Active Directory to ensure the user is there and then checks for that user in the application database to get the user role? I have something at present that is based on Windows authentication. From what I can see, however, the user details are authenticated already without the user needing to log in to the system. I'm sure I'm just getting confused, but I'm not having any joy.
I have declared a class which defines my custom principal, and using this combined with the events Application_AuthenticateRequest and WindowsAuthentication_OnAuthenticate in the Global file I have tried to implement the authentication process.
// Global.asax.cs: custom principal built from a forms ticket that is issued
// once per user after IIS has performed Windows authentication.
using System;
using System.Security.Principal;
using System.Web;
using System.Web.Security;

protected void Application_AuthenticateRequest(Object sender, EventArgs e)
{
    // The very first request has no ticket cookie yet; calling Decrypt on a
    // null cookie would throw, so leave the IIS-supplied Windows principal in place.
    HttpCookie httpCook = Context.Request.Cookies.Get("authCookie");
    if (httpCook == null || string.IsNullOrEmpty(httpCook.Value))
        return;

    FormsAuthenticationTicket formsAuthTicket;
    try
    {
        formsAuthTicket = FormsAuthentication.Decrypt(httpCook.Value);
    }
    catch (Exception)
    {
        formsAuthTicket = null; // tampered or undecryptable ticket: treat as absent
    }
    if (formsAuthTicket == null || formsAuthTicket.Expired)
        return;

    // Identity name and '|'-separated roles come from the ticket we issued below.
    GenericIdentity objGenericIdentity = new GenericIdentity(formsAuthTicket.Name);
    string[] strRoles = formsAuthTicket.UserData.Split('|');
    myAppPrincipal objMyAppPrincipal = new myAppPrincipal(objGenericIdentity, strRoles);
    HttpContext.Current.User = objMyAppPrincipal;
}

protected void WindowsAuthentication_OnAuthenticate(Object source, WindowsAuthenticationEventArgs e)
{
    // Check if cookie exists. Return if it does.
    if (Request.Cookies.Get("authCookie") != null)
        return;

    // Only issue a ticket for a user IIS actually authenticated.
    if (e.Identity == null || !e.Identity.IsAuthenticated)
        return;

    string strUserIdentity = e.Identity.Name;          // DOMAIN\username from IIS
    Usr curUsr = new Usr(strUserIdentity);
    string strUserRoles = curUsr.getRoles();           // roles obtained from the application database, '|'-separated

    FormsAuthenticationTicket formsAuthTicket = new FormsAuthenticationTicket(
        1, strUserIdentity, DateTime.Now, DateTime.Now.AddMinutes(20), false, strUserRoles);
    string strEncryptedTicket = FormsAuthentication.Encrypt(formsAuthTicket);

    HttpCookie httpCook = new HttpCookie("authCookie", strEncryptedTicket);
    httpCook.HttpOnly = true;                          // keep the ticket out of reach of client script
    Response.Cookies.Add(httpCook);
}
If anyone can help further, their help is also appreciated.
Thanks
First.
You have set Windows Authentication on your application. This means your code is to assume that the user has been authenticated against Active Directory. Do not waste your efforts on authenticating him again.
Second.
Get the user's identity by using
System.Web.HttpContext.Current.User.Identity.Name
You can then use this value for whatever it is you're doing or have decided to do, which I'm unaware of at this point... but I think you'd take this value and compare it against the users table of whatever applications' databases.
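One way to wire up what the reply describes, written here as an added example rather than code from the thread: leave authentication to IIS Windows Authentication, take the identity ASP.NET already holds, and only do authorisation against the application's own users table. The class and member names (AppAuthorization, AppUsers, GetRoles, BuildPrincipal) and the sample accounts are assumptions made for the example; the in-memory dictionary stands in for the database query.

```csharp
// Added example, not from the original posts.
using System;
using System.Collections.Generic;
using System.Security.Principal;
using System.Web;

public static class AppAuthorization
{
    // Stand-in for the application's users table (DOMAIN\user -> roles).
    // Constructed sample data; the real application would run a parameterised
    // query against its database here.  Windows account names are not
    // case-sensitive, hence the OrdinalIgnoreCase comparer.
    private static readonly Dictionary<string, string[]> AppUsers =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\grant",  new[] { "Approver", "Editor" } },
            { @"CORP\jsmith", new[] { "Reader" } },
        };

    // Look the Windows account up in the users table.  Null means "unknown to
    // this application", which the caller must treat as deny.
    public static string[] GetRoles(string windowsAccountName)
    {
        if (string.IsNullOrEmpty(windowsAccountName))
            return null;
        string[] roles;
        return AppUsers.TryGetValue(windowsAccountName, out roles) ? roles : null;
    }

    // Build the principal that User.IsInRole and <authorization> will consult.
    // The identity stays the one IIS established; only the roles are ours.
    public static IPrincipal BuildPrincipal(IIdentity windowsIdentity)
    {
        if (windowsIdentity == null || !windowsIdentity.IsAuthenticated)
            return null;            // IIS did not authenticate anyone: nothing to authorise
        string[] roles = GetRoles(windowsIdentity.Name);
        if (roles == null)
            return null;            // valid domain account, but not a user of this app
        return new GenericPrincipal(windowsIdentity, roles);
    }
}

// Global.asax.cs for the in-house application.
public class Global : HttpApplication
{
    protected void Application_AuthenticateRequest(object sender, EventArgs e)
    {
        // Under <authentication mode="Windows"/> Context.User is already the
        // WindowsPrincipal IIS built; there is no logon page to write.
        if (Context.User == null)
            return;

        IPrincipal appPrincipal = AppAuthorization.BuildPrincipal(Context.User.Identity);
        if (appPrincipal == null)
        {
            // On the network, but not in this application's users table.
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        Context.User = appPrincipal;
        System.Threading.Thread.CurrentPrincipal = appPrincipal;
    }
}
```

Because the roles are read on every request rather than stored in a cookie, removing a user from the table takes effect immediately instead of when a 20-minute ticket expires; if the lookup becomes a real database call, cache the result per user for a short interval rather than going back to a cookie. A page can then gate its sign-off action with User.IsInRole("Approver"), and the "hide the apps the user has no rights to" requirement from earlier in the thread is just GetRoles returning null for that application.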
So, using the Windows authentication, I do not need the logon page at all because the user is logged on to the PC with a Windows account, hence is authenticated? Correct me if I'm wrong, as I more than likely am in this case.
I then just use the current user identity for (and you are correct in guessing) comparing to the users table in the database.
Thanks, your patience is appreciated
Yes.
In fact, you can try this out right now.
Create a very simple ASP.NET Application. Compile it, blah blah blah.
In IIS, in the Virtual Directory's properties, under Directory Security, enable Windows Authentication.
Now attempt to access this application from another computer in your network. You will get a login prompt for that page.
That is where the authentication is taking place.
Ok, it's becoming a bit clearer. If I'm not pushing my luck by asking, does it matter if I test this with Anonymous access checked or unchecked?
I have tried the simple app and it doesn't prompt for a logon from another PC; is this because the other PC is logged into the domain by another user?
Thanks
Yes, because then it will login with the anonymous account credentials, IUSR_SOMETHING.
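The web.config that goes with the IIS setting discussed above, added here as an example and not taken from the thread. With Anonymous access still ticked in IIS, requests arrive as the anonymous account; denying the anonymous user ("?") in ASP.NET makes the application answer 401, and IIS then challenges with Integrated Windows Authentication, so Identity.Name becomes the real domain account. A domain browser in the intranet zone usually answers that challenge silently, which is why no prompt appears even though the user is now authenticated. The group name CORP\InHouseAppUsers is an assumption made for the example.

```xml
<!-- Added example, not from the original posts. -->
<configuration>
  <system.web>
    <!-- IIS authenticates against the domain; ASP.NET just reads the WindowsPrincipal. -->
    <authentication mode="Windows" />

    <authorization>
      <!-- "?" is the anonymous user (IUSR_<machine> when Anonymous access is on).
           Denying it forces the Windows authentication challenge. -->
      <deny users="?" />

      <!-- Optional coarse gate on a domain group (assumed name); the per-application
           rights still come from the application's own users table. -->
      <allow roles="CORP\InHouseAppUsers" />
      <deny users="*" />
    </authorization>
  </system.web>
</configuration>
```

Untick Anonymous access in IIS as well once this works: the deny rule protects ASP.NET pages, but static files served by IIS directly are not covered by it on older IIS versions.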
Thursday, March 29, 2012
Single Sign On Implementation