Understanding Single Sign-On in ASP.NET 2.0

Coordinator
Sep 6, 2011 at 5:00 PM
Published: 16 Jan 2008
Abstract
In this article, Masoud discusses the concept of Cross Application Authentication using ASP.NET authentication model consisting of Membership Providers, web.config configuration, encryption, and decryption of configuration files. At the end of the article he also examines the application of the concept using ASP.NET login controls.
by Masoud Tabatabaei

Introduction

Normally, when you implement authentication in an ASP.NET web application, you create a login page for each application. Imagine that you have two or more web applications that are related to each other. You may then want a mechanism that lets you create just one login page for all of them, so that once a user has logged in he can browse the other applications without any extra login. Single sign-on (SSO) is a method of access control that enables a user to authenticate once and gain access to the resources of multiple software systems.

Suppose you have created two or more web sites on your server. Like any other web site, each of them uses the ASP.NET authentication mechanism to authenticate its users, so you have one login page per web site. We are now going to demonstrate how to modify your settings to accomplish cross application login: one login page for the whole set of web sites, after which authenticated users can browse to the other web sites without logging in again. Along the way you will also see how to encrypt your configuration files.

What is SSO and how does it work?

Many companies run several web sites or web-based applications to cover their software needs. For security reasons each of them has its own authentication and authorization, based on the ASP.NET 2.0 built-in Membership Provider and Role Provider or on custom implementations of these mechanisms. By default every such web site has a "Login.aspx" web form which authenticates users through the user names and passwords held in the database. As long as you have one web site, or several that work independently, there is no problem. But as soon as two or more web sites are related or link to each other, you will ask: why must users log in to each application separately? Why not have one "Login.aspx" page which authenticates the user for all the related web applications? Fortunately, in ASP.NET 2.0 you can achieve cross application login with a little configuration in your new or existing web sites.

In the ASP.NET configuration file (web.config) there is an element inside <system.web> named <machineKey>. It configures the keys used to encrypt and validate Forms authentication cookie data and view-state data, and to verify out-of-process session state identification. If each of your web sites uses the same <machineKey> values, those applications can read each other's Forms authentication cookies: once a user has been authenticated by one site and the ticket cookie is stored in the browser, every other application with the same <machineKey> accepts that cookie as a valid authentication ticket, so there is no need to log in again there. Two things have to hold for this to work. First, the browser must actually send the cookie to the second application, which depends on the cookie's name, path and domain rather than on the keys: the default cookie path is "/", so two virtual directories on the same host share the cookie, while sites on different host names need a matching domain attribute on <forms> (sites in different registered domains cannot share the cookie at all). Second, the sharing is symmetric: whoever holds the <machineKey> values can mint a ticket for any user name that every participating application will accept, and the same validationKey also protects the view state of all of them. Sharing the key therefore merges the applications into one trust boundary; only do it between applications you would trust with each other's logins.
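As an added example, not code from the original article, here is the ticket round trip that the shared <machineKey> makes possible, written as two helpers against the ASP.NET 2.0 Forms authentication API. IssueTicket would be called by Aspalliance1's Login.aspx after the user has been validated; ReadTicket shows what Aspalliance2 (normally its FormsAuthenticationModule, without any code of yours) does with the cookie. The 30-minute ticket lifetime is an assumption for the example; everything else uses only the framework API.

```csharp
// Added example (not part of the original article): ticket issued by one
// application and read by another that shares its <machineKey>.
using System;
using System.Web;
using System.Web.Security;

public static class CrossAppTicket
{
    // Runs in Aspalliance1 once Membership.ValidateUser has succeeded.
    public static HttpCookie IssueTicket(string userName, bool persistent)
    {
        FormsAuthenticationTicket ticket = new FormsAuthenticationTicket(
            1,                              // ticket version
            userName,
            DateTime.Now,
            DateTime.Now.AddMinutes(30),    // assumed lifetime; match <forms timeout>
            persistent,
            String.Empty,                   // no extra user data
            FormsAuthentication.FormsCookiePath);

        // Encrypt() MACs the ticket with validationKey and encrypts it with
        // decryptionKey. Aspalliance2 can only undo this if its <machineKey>
        // holds exactly the same values.
        string encrypted = FormsAuthentication.Encrypt(ticket);

        HttpCookie cookie = new HttpCookie(FormsAuthentication.FormsCookieName, encrypted);
        // Name, path and domain decide whether the browser presents the cookie
        // to the second application at all; they must line up across the apps.
        cookie.Path = FormsAuthentication.FormsCookiePath;
        if (!String.IsNullOrEmpty(FormsAuthentication.CookieDomain))
            cookie.Domain = FormsAuthentication.CookieDomain;
        cookie.HttpOnly = true;                         // keep script from reading the ticket
        cookie.Secure = FormsAuthentication.RequireSSL; // set requireSSL="true" on <forms> in production
        if (persistent)
            cookie.Expires = ticket.Expiration;
        return cookie;
    }

    // Runs in Aspalliance2 (or any application sharing the machineKey).
    // Returns the user name from a valid, unexpired ticket, otherwise null.
    public static string ReadTicket(HttpRequest request)
    {
        HttpCookie cookie = request.Cookies[FormsAuthentication.FormsCookieName];
        if (cookie == null || String.IsNullOrEmpty(cookie.Value))
            return null;
        try
        {
            // Decrypt() fails (throws, or returns null in later framework
            // versions) when the MAC check or decryption fails, which is
            // exactly what happens when the two <machineKey> sections differ.
            FormsAuthenticationTicket ticket = FormsAuthentication.Decrypt(cookie.Value);
            if (ticket == null || ticket.Expired)
                return null;
            return ticket.Name;
        }
        catch (Exception)
        {
            // Any failure means "not authenticated"; fail closed.
            return null;
        }
    }
}
```

Note that the keys never appear in the cookie: the browser only carries ciphertext plus MAC, and the second application's only input is its own configuration. That is why copying the <machineKey> section is the whole integration, and also why the section has to be treated as a shared credential.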

Because the <machineKey> values are this sensitive, you should encrypt that section of the configuration file, so that anyone who can read web.config (from a backup, from source control, or through a file-read bug) does not also obtain the keys.

To accomplish this I am going to use the WebConfigurationManager class and its members. There is also a class named SectionInformation which contains meta-information on an individual section within the configuration. Its ProtectSection() method encrypts a section of your configuration file, and UnprotectSection() reverses the operation.

System Requirements

  • A web server running Windows 2000 or later
  • .NET Framework 2.0
  • Visual Studio 2005
  • Microsoft SQL Server 2005 Express Edition
Working

Now let us see what happens in our projects. I have a web site, Aspalliance1, whose login page is "Login.aspx"; users are authenticated there. The same web site also has a web page named "Default.aspx" with just a header, some text and a link to the Aspalliance2 web site. You will see that once the user has logged in, he can navigate to the other web site without logging in again. There is also a web page "Encryption.aspx" with two buttons that encrypt or decrypt the configuration file.

As I said before, cross application login takes only a little configuration in your web configuration file. Under the <configuration> root of web.config there is a <system.web> element, and that is where we add a <machineKey> element. <machineKey> has three attributes that I am going to set. validation names the hashing algorithm used to compute and check the message authentication code on the ticket (SHA1 here means HMAC-SHA1; MD5 is also accepted but should not be used). validationKey is the secret for that MAC, and decryptionKey is the key used to encrypt and decrypt the ticket. A fourth attribute, decryption, selects the symmetric cipher; it is not set in Listing 1, which leaves the choice to ASP.NET, so set decryption="AES" explicitly in your own configuration. Do not use the AutoGenerate value for either key here: an auto-generated key differs per server and, with the default IsolateApps modifier, per application, which is exactly what prevents the cookie from being shared.

Listing 1: Setting machineKey element in web.config

<machineKey       
validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF
21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141" 
decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099"       
validation="SHA1"/>

Listing 1 shows the section in clear text. It must not be deployed like this, and the key values printed above must not be reused: they are public now, and anyone who knows them can forge authentication tickets for every site that uses them. Generate your own random values, then encrypt the <machineKey> section before publishing it to the server. You can see the encrypted <machineKey> element in Listing 2.
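Added example (not from the original article): a small console program that generates fresh key material with the framework's cryptographic random number generator and prints a <machineKey> element ready to paste into every related web.config. The key lengths are the ones ASP.NET accepts: up to 64 bytes for validationKey and 32 bytes for a 256-bit AES decryptionKey. validation="SHA1" matches the article; on .NET Framework 4 or later validation="HMACSHA256" is the better choice.

```csharp
// Added example (not part of the original article): generate your own
// <machineKey> values instead of reusing keys printed in an article.
using System;
using System.Security.Cryptography;
using System.Text;

class MachineKeyGenerator
{
    // Fills a buffer from the OS cryptographic RNG and returns it as upper-case hex,
    // which is the encoding <machineKey> expects.
    static string RandomHex(int byteCount)
    {
        byte[] buffer = new byte[byteCount];
        RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        rng.GetBytes(buffer);
        StringBuilder sb = new StringBuilder(byteCount * 2);
        foreach (byte b in buffer)
            sb.Append(b.ToString("X2"));
        return sb.ToString();
    }

    public static string BuildMachineKeyElement()
    {
        string validationKey = RandomHex(64);  // 128 hex chars: the maximum ASP.NET accepts
        string decryptionKey = RandomHex(32);  // 256-bit key for decryption="AES"
        return "<machineKey validationKey=\"" + validationKey + "\"\n"
             + "            decryptionKey=\"" + decryptionKey + "\"\n"
             + "            validation=\"SHA1\" decryption=\"AES\" />";
    }

    static void Main()
    {
        // Paste the output into <system.web> of every related web.config,
        // then encrypt the section before deploying.
        Console.WriteLine(BuildMachineKeyElement());
    }
}
```

Run it once, distribute the output to the related applications through the same channel you would use for any other shared secret, and never commit the clear-text values to source control.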

Listing 2: Encrypted machineKey element in web.config

<machineKey configProtectionProvider="RsaProtectedConfigurationProvider">
      <EncryptedData Type="http://www.w3.org/2001/04/xmlenc#Element"
        xmlns="http://www.w3.org/2001/04/xmlenc#">
        <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#tripledes-cbc" />
        <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
          <EncryptedKey xmlns="http://www.w3.org/2001/04/xmlenc#">
            <EncryptionMethod Algorithm="http://www.w3.org/2001/04/xmlenc#rsa-1_5" />
            <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
              <KeyName>Rsa Key</KeyName>
            </KeyInfo>
            <CipherData>
              <CipherValue>
lm3mfPX/94Zm3HgdbsmKiIxbrWM14t3/ugxs40BFOAHbIaCtwQ3gVQusFtOFVUoNVny01kgBCeh10rVEId
djNZ/8luBNoCbHm8OLjgPLHVrT+G0c/LRpESJk2ni/Jy2sWKXlgejgSQ1W5NE53GZtG3s9hu+nk4OWxntS
6z3v7AM=
              </CipherValue>
            </CipherData>
          </EncryptedKey>
        </KeyInfo>
        <CipherData>
          <CipherValue>
BCEGUV/dh1Imbcm5vn0Kn8NrD+EX+KemenR7x+VekwT1ZO6y5+jRyF4RDWMJCfJ1jHC36+MAfCdHuXN0rP
B6hu5YUtX9VA5q5N0NGrs9AIpG+0ihuuS3HDzQe3P6nlI30m1h0pmL1yJBovY0i6fbCA6++GT2MdwCLERk
+PVWmoq7p1q97n5pNzNqhVKCX45lhS5ySVS+MjJXVeTrcatftpvaUcjLsNcL2kMerzf5w/SU3AbLEuY04w
dgYWX5tWzxqeUcghdlWLD0tQi8qyyfVfzXPYozR5sspWHdgqmAycrACHN2dcONWPjT4BanRWb1ouKuP8K+
0CEFE/Hj2ChpYw==
          </CipherValue>
        </CipherData>
      </EncryptedData>
</machineKey>

You can encrypt your configuration files using the Configuration and SectionInformation classes. Let us write some code to encrypt or decrypt the <machineKey> section. SectionInformation has a method ProtectSection() which takes the name of a protected configuration provider, "RsaProtectedConfigurationProvider" here (the name registered in machine.config, as seen in the configProtectionProvider attribute of Listing 2), and encrypts the section. There is also a Boolean property ForceSave which has to be true when you want to save the configuration file with the Save() method of the Configuration class. Here is the code of the "Encryption.aspx" web page with its two buttons.

A few caveats before relying on such a page. Protected configuration is transparent: ASP.NET decrypts the section whenever it reads the configuration, so the protection is against reading the file, not against code that runs as the application. For the RSA provider to decrypt, the RSA key container (the "Rsa Key" named in Listing 2) must exist on the server and the application pool identity must have been granted access to it; a web.config encrypted on one machine can only be decrypted on another if that container was exported and imported there. Encrypting from a web page also requires the worker process identity to have write access to web.config, and saving web.config restarts the application. The usual way is to do the same operation offline from an administrator prompt with aspnet_regiis.exe: -pe "system.web/machineKey" -app "/Aspalliance1" encrypts, -pd decrypts, -pa grants an account access to the key container, and -px/-pi export and import the container. If you keep a page like "Encryption.aspx", restrict it to administrators or remove it before deployment.

Listing 3: Encryption code on web configuration file

using System;
using System.Configuration;        // Configuration, ConfigurationSection
using System.Web.Configuration;    // WebConfigurationManager

protected void btnEncrypt_Click(object sender, EventArgs e)
{
  try
  {
    // Virtual path of the application whose web.config is edited
    // (no trailing space: "/Aspalliance1 " would not resolve).
    Configuration config = WebConfigurationManager.OpenWebConfiguration(
      "/Aspalliance1");
    ConfigurationSection machineKeySection = config.GetSection(
      "system.web/machineKey");
    // Encrypt with the RSA provider registered in machine.config.
    machineKeySection.SectionInformation.ProtectSection(
      "RsaProtectedConfigurationProvider");
    // Write the section back even though its values did not change.
    machineKeySection.SectionInformation.ForceSave = true;
    config.Save();   // needs write access to web.config; restarts the application

    Response.Write("<h2 style='color:red'>Encryption Succeeded</h2>");
  }
  catch (Exception ex)
  {
    Response.Write("<h2 style='color:red'>Error while encrypting</h2><br/>");
    // Only acceptable on an admin-only demo page: do not echo exception
    // details to browsers in production.
    Response.Write(Server.HtmlEncode(ex.Message));
  }
}

Listing 4: Decryption of web configuration file

using System;
using System.Configuration;        // Configuration, ConfigurationSection
using System.Web.Configuration;    // WebConfigurationManager

protected void btnDecrypt_Click(object sender, EventArgs e)
{
  try
  {
    // Same application path as in Listing 3, without a trailing space.
    Configuration config = WebConfigurationManager.OpenWebConfiguration(
      "/Aspalliance1");
    ConfigurationSection machineKeySection = config.GetSection(
      "system.web/machineKey");
    // Decrypts with whichever provider is named in configProtectionProvider;
    // this only works where the RSA key container is available.
    machineKeySection.SectionInformation.UnprotectSection();
    machineKeySection.SectionInformation.ForceSave = true;

    config.Save();   // writes the keys back in clear text; re-encrypt before deploying
    Response.Write("<h2 style='color:red'>Decryption Succeeded</h2>");
  }
  catch (Exception ex)
  {
    Response.Write("<h2 style='color:red'>Error while decrypting</h2><br/>");
    // Only acceptable on an admin-only demo page: do not echo exception
    // details to browsers in production.
    Response.Write(Server.HtmlEncode(ex.Message));
  }
}

Now you have to set some configuration in the second web site, Aspalliance2. First change the loginUrl of its <forms> element. This is the page to which an anonymous user is redirected, and in Aspalliance2 it now points at the "Login.aspx" page of Aspalliance1, as an absolute URL. The name of the cookie (".ASPXAUTH") has to be the same in both sites, because that name is how each application finds the ticket in the request. Keep in mind how the user gets back: ASP.NET appends a ReturnUrl query parameter to the login URL, and after a successful login the standard RedirectFromLoginPage() only follows a ReturnUrl into another application when enableCrossAppRedirects="true" is set on <forms>; otherwise the user lands on the defaultUrl of Aspalliance1. Setting enableCrossAppRedirects also makes the Forms authentication module accept a ticket passed in the query string or a form post instead of the cookie, and a login page that follows any ReturnUrl it is given is an open redirect, so validate the target against the list of related applications before redirecting.

Listing 5: Setting authentication element in web.config

<authentication mode="Forms">
<forms loginUrl="http://localhost/Aspalliance1/login.aspx" name=".ASPXAUTH"/>
</authentication>
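Added example, not code from the original article or its sample download: a Login.aspx code-behind for Aspalliance1 that issues the cookie itself and only follows a ReturnUrl that lies inside one of the related applications, so enableCrossAppRedirects can stay at its default of false. The list of trusted application roots and the control values passed in are assumptions for this example; in a real deployment keep the list in configuration.

```csharp
// Added example (not part of the original article): cross-application login
// that validates ReturnUrl instead of redirecting wherever it points.
using System;
using System.Web;
using System.Web.Security;

public class CrossAppLogin
{
    // Roots of the applications that share this site's <machineKey>
    // (assumed for the example; the article uses localhost virtual directories).
    static readonly Uri[] TrustedRoots = new Uri[]
    {
        new Uri("http://localhost/Aspalliance1/"),
        new Uri("http://localhost/Aspalliance2/"),
    };

    // Returns the URL to send the user to after login: the requested ReturnUrl
    // if it resolves to a page under a trusted root, otherwise the forms defaultUrl.
    public static string SafeReturnUrl(string returnUrl, Uri requestUrl)
    {
        if (String.IsNullOrEmpty(returnUrl))
            return FormsAuthentication.DefaultUrl;

        Uri target;
        // Relative values are resolved against the current request, so both
        // "/Aspalliance2/Default.aspx" and "Default.aspx" work; "//evil.example/"
        // resolves to another host and is rejected below.
        if (!Uri.TryCreate(requestUrl, returnUrl, out target))
            return FormsAuthentication.DefaultUrl;

        // Only http/https targets, never javascript: or file: schemes.
        if (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps)
            return FormsAuthentication.DefaultUrl;

        foreach (Uri root in TrustedRoots)
        {
            // IsBaseOf requires the same scheme and authority and a path that
            // starts with the root's path segments (Uri has already collapsed
            // any "../" segments).
            if (root.IsBaseOf(target))
                return target.AbsoluteUri;
        }
        return FormsAuthentication.DefaultUrl;
    }

    // Login button handler body; user and password come from the page's
    // text boxes (control names assumed).
    public static void Login(HttpRequest request, HttpResponse response,
                             string user, string password)
    {
        if (!Membership.ValidateUser(user, password))
            return;   // the page shows its own failure text

        // Issues the .ASPXAUTH cookie with the configured name, path and
        // domain; Aspalliance2 accepts it because its <machineKey> is identical.
        FormsAuthentication.SetAuthCookie(user, false);

        response.Redirect(SafeReturnUrl(request.QueryString["ReturnUrl"], request.Url));
    }
}
```

Because SetAuthCookie plus an explicit Redirect is used instead of RedirectFromLoginPage, the cross-application hop works without enableCrossAppRedirects, and the only URLs a user can be bounced to are the ones in TrustedRoots.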

The most important part of this article: to implement cross application login, two or more web sites must have exactly the same <machineKey> configuration. So I copy the <machineKey> section of Aspalliance1 and paste it into the web.config of Aspalliance2; the validationKey, decryptionKey, validation and decryption attributes must all be identical. Both sites must also run under the same version of the .NET Framework (later versions changed the ticket format and added a compatibilityMode attribute on <machineKey> for exactly this reason), and the name, protection and path attributes of <forms> should match as well. Now the sites are ready and you can test them.

Listing 6: Setting machineKey element in web.config

<machineKey       
validationKey="282487E295028E59B8F411ACB689CCD6F39DDD21E6055A3EE480424315994760ADF
21B580D8587DB675FA02F79167413044E25309CCCDB647174D5B3D0DD9141" 
decryptionKey="8B6697227CBCA902B1A0925D40FAA00B353F2DF4359D2099"       
validation="SHA1"/>
Downloads

[Download Sample]

To test the web sites, log in with the user name Admin and the password 123456&.

The sample download for this article contains a VS 2005 solution containing two web sites: aspalliance1 and aspalliance2.

To install the sample, first create two IIS virtual directories called aspalliance1 and aspalliance2, each pointing to the folder into which you have installed the corresponding project. You can also open the web sites from the file system in Visual Studio 2005.

Conclusion

It is really annoying if you have two or more web sites on a server and users have to log in every time they cross between them, so it is much better to let them log in once. To accomplish this you just need to add a <machineKey> section with the same values to the web.config file of every web site, and make sure the authentication cookie is presented to all of them. Because those values let anyone who has them forge tickets for every site, I recommend that you generate your own keys and encrypt the section. Encryption is done with the ProtectSection() method of the SectionInformation class using the RsaProtectedConfigurationProvider, or offline with aspnet_regiis.