Single Sign On - 2.0 Web Service Membership Provider

NEW POST: DNN Module

fawad85a — Fri, 09 May 2008 10:55:27 GMT

Hye there,
i m seriously having problem in setting up the webservice. first i m telling you my scenario and the can you please guide me that where i m needed to make changes.

I have a dnn website and a web app. Both are following form authentication. i have shared the cookie and authentication is working now. Client require profiling and user account setting from the web app as the database is with DNN website.
my question is why do we require a webservice in between to share data, i mean can't we provide connection string of the database in web app and can't we do this task in that way.
Any ways i tried your project i change the connection string of the webservice to the DNN database and i changed the class library connection string too and then i checked test site, nothing happened. i couldn't sign in that test site with DNN user name.
i didn't update the reference of test site imagining that referenced is direct from the project.

Can you guide me through the steps.

i m doing the same thing i m having the same problem
Have you sorted out the problem?

NEW POST: SingleSignon and Many Apps

fawad85a — Thu, 08 May 2008 16:06:15 GMT

Hye nathan,
i m seriously having problem in setting up the webservice. first i m telling you my scenario and the can you please guide me that where i m needed to make changes.

I have a dnn website and a web app. Both are following form authentication. i have shared the cookie and authentication is working now. Client require profiling and user account setting from the web app as the database is with DNN website.
my question is why do we require a webservice in between to share data, i mean can't we provide connection string of the database in web app and can't we do this task in that way.
Any ways i tried your project i change the connection string of the webservice to the DNN database and i changed the class library connection string too and then i checked test site, nothing happened. i couldn't sign in that test site with DNN user name.
i didn't update the reference of test site imagining that referenced is direct from the project.

Can you guide me through the steps.

UPDATED WIKI: Home

nlb6665 — Tue, 29 Apr 2008 23:29:20 GMT

UPDATED WIKI: Home

nlb6665 — Tue, 29 Apr 2008 23:29:00 GMT

UPDATED WIKI: Home

nlb6665 — Tue, 29 Apr 2008 23:28:36 GMT

UPDATED WIKI: Home

nlb6665 — Tue, 29 Apr 2008 22:49:16 GMT

UPDATED WIKI: Home

nlb6665 — Tue, 29 Apr 2008 22:48:55 GMT

Project Description
In short, this is simply a pass-through web service membership provider and role provider library. I've taken advantage of the 2.0 membership provider model to allow pre-existing applications to easily integrate this library. The idea is to have one centrally hosted asp.net web application containing all the user accounts that will be shared among many other applications and provide a web service for those applications to use its authentication functions. The download includes: a sample host server, provider client libraries, sample web client, and sample windows client.

Donations
I have gotten a few requests about donations to the project. Feel free to click this link an contribute any amount you wish. We greatly appreciate your support.
{"<form action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="image" src="https://www.paypal.com/enUS/i/btn/btndonate_SM.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypal.com/en_US/i/scr/pixel.gif" width="1" height="1">
<input type="hidden" name="encrypted" value="-----BEGIN PKCS7-----MIIHVwYJKoZIhvcNAQcEoIIHSDCCB0QCAQExggEwMIIBLAIBADCBlDCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb20CAQAwDQYJKoZIhvcNAQEBBQAEgYA0yXSdeJMuFRBN844nzcq1FtHpwsv9eheU5pF8883n0J8MiI/PsMvMX5rmQlH4IdkCYejvMEyz898pH9q4NXVblhbH/aBExD5Vmtgn1EC0ByQtlTdw0hTd8OvFwNuTTC82tVNRBAiHy1kRwSfyHM4dPAZQdR4PfU659wERrbzELMAkGBSsOAwIaBQAwgdQGCSqGSIb3DQEHATAUBggqhkiG9w0DBwQIaSob23g3sRGAgbBFN3DLSauz4cqrdJRtAgxZC6cyOTZ/2smYCsY0UbXDayKQ1ZrDx3dVxILeAPngsRt5zCz53oNfoCVsywvs4PovHV3Wig7tA7i9qODHzfqtvTcv2YyLqrEN6JyRnuuCcsX27DIv/K9SWGB4JO/cPzFZOexhmjpPiIqMHGHmhdbkAooXCE78sPk89I42BvqhCaOYEPokTcbJTSNNfbEEAJ6JppeJAihS5l9HMa1DwzSaCCA4cwggODMIIC7KADAgECAgEAMA0GCSqGSIb3DQEBBQUAMIGOMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC1BheVBhbCBJbmMuMRMwEQYDVQQLFApsaXZlX2NlcnRzMREwDwYDVQQDFAhsaXZlX2FwaTEcMBoGCSqGSIb3DQEJARYNcmVAcGF5cGFsLmNvbTAeFw0wNDAyMTMxMDEzMTVaFw0zNTAyMTMxMDEzMTVaMIGOMQswCQYDVQQGEwJVUzELMAkGA1UECBMCQ0ExFjAUBgNVBAcTDU1vdW50YWluIFZpZXcxFDASBgNVBAoTC1BheVBhbCBJbmMuMRMwEQYDVQQLFApsaXZlX2NlcnRzMREwDwYDVQQDFAhsaXZlX2FwaTEcMBoGCSqGSIb3DQEJARYNcmVAcGF5cGFsLmNvbTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAwUdO3fxEzEtcnI7ZKZL412XvZPugoni7i7D7prCe0AtaHTc97CYgm7NsAtJyxNLixmhLV8pyIEaiHXWAh8fPKWR017EmXrr9EaquPmsVvTywAAE1PMNOKqo2kl4Gxiz9zZqIajOm1fZGWcGS0f5JQ2kBqNbvbg2/ZaGJ/qwUCAwEAAaOB7jCB6zAdBgNVHQ4EFgQUlp98u8ZvF71ZP1LXChvsENZklGswgbsGA1UdIwSBszCBsIAUlp98u8ZvF71ZP1LXChvsENZklGuhgZSkgZEwgY4xCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNTW91bnRhaW4gVmlldzEUMBIGA1UEChMLUGF5UGFsIEluYy4xEzARBgNVBAsUCmxpdmVfY2VydHMxETAPBgNVBAMUCGxpdmVfYXBpMRwwGgYJKoZIhvcNAQkBFg1yZUBwYXlwYWwuY29tggEAMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAgV86VpqAWuXvX6Oro4qJ1tYVIT5DgWpE692Ag422H7yRIr/9j/iKG4Thia/Oflx4TdLIFJBAyPK9v6zZNZtBgPBynXb048hsP16l2vi0k5Q2JKiPDsEfBhGIHnxLXEaUWAcVfCsQFvd2A1sxRr67ip5y2wwBelUecP3AjJYcxggGaMIIBlgIBATCBlDCBjjELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRYwFAYDVQQHEw1Nb3VudGFpbiBWaWV3MRQwEgYDVQQKEwtQYXlQYWwgSW5jLjETMBEGA1UECxQKbGl2ZV9jZXJ0czERMA8GA1UEAxQIbGl2ZV9hcGkxHDAaBgkqhkiG9w0BCQEWDXJlQHBheXBhbC5jb20CAQAwCQYFKw4DAhoFAKBdMBgGCSqGSIb3DQEJAzELBgkqhkiG9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA4MDQyOTIyNDYwN1owIwYJKoZIhvcNAQkEMRYEFDIJrm1wZXmabk1v2tyPIFC56dCMA0GCSqGSIb3DQEBAQUABIGAbehytPwxXbsgov0aGbGoBQ1EEgImIbHe/LHvpxBrPqn0Hkt4EwPKHhIbxcV2VrUU22B4ISxQCbv8e5ElVFkQoHvVh162c4VZ9bdJUdAKd24efVVcAO4wwWDxhcLnseR8ILNEsyxGZWsxlMDJBBQ2jb+SLUExLzCtlQeWdyDSA=-----END PKCS7-----
">
</form>"}

Notes
Originally I built this application to be the central authentication system of about ten or so in-house applications. All these ran on a local intranet, and I was tired of handing out ten usernames and passwords for each person to login to each application, so I designed a system similar to this one (using .NET 1.0 and web services). The solution worked great for our local and remote users.

So now I've designed a new set of applications taking advantage of the built-in membership provider model and web services in .NET 2.0. The idea is to link all your internal .net driven applications to authenticate with one system and allow remote users use the same user base. It's geared for web applications, but can be used for windows desktop applications with access to the host web services.

Thanks to the guys working on SubSonic! I used SubSonic for my data access layer in these projects.

Beta Testers and feedback are welcome. I'd like to hear what people have to say. Is this something you can use? If someone already has something like this, how does it compare? etc.

Here's a diagram showing the basic application architecture of this solution.

Source code checked in

nlb6665 — Tue, 29 Apr 2008 22:14:55 GMT

tagged 2.0

Source code checked in

nlb6665 — Tue, 29 Apr 2008 22:14:07 GMT

Source code checked in

nlb6665 — Tue, 29 Apr 2008 22:13:49 GMT

test

NEW POST: Feedback Thread - 2.0 Beta

Coolrah — Thu, 17 Apr 2008 08:31:19 GMT

Hi there,
I just downloaded the source code for this prj, our org is planning for something like this but at much greater extent, a kind of enterprise portal, where first requirement is SSO, second is to integrate all legacy systems viz almost 4 are currently running, and there are also plans for some new prj, now i want to know the key concept of your SSO, i know a solution posted sometime ago, where you can enable the enableCrossAppRedirects plus having same machine key (the one you posted from Scott blog) same concept, from that we can achieve the SSO, but i like the concept of Web Services doing all the creepy work of Authentication, our plan for enterprise portal needs, it should have authentication as well as authorization module, i know we have to do some changes in all the systems but i want it to be least changes in the legacy systems, also i need some suggestion if you can pass it on, that how should this scenario be handled.
I have studied the Membership database stuff, but for authorization, we have other stuff like application to roles are then joined to privileges and then other logics are there.
Please provide some comments, looking forward for your reply.
Please also try to provide little documentation on your SSO as well.
Regards
Rahman

NEW POST: Feedback Thread - 2.0 Beta

nlb6665 — Tue, 08 Apr 2008 18:06:02 GMT

If anyone has questions or comments, I'd love to hear them. We've had quite a few downloads since I pushed out 2.0 beta. I'd like to know if anyone is having issues with the code or getting the samples to work. Is this code useful, etc?

Thanks!
Nathan

CLOSED ISSUE: Better Session Maintenance

nlb6665 — Mon, 31 Mar 2008 17:36:26 GMT

Currently the server-side doesn't clean up after itself and old sessions remain. I'll probably build a better security factor in to expire old sessions and/or delete them.
Comments: 2.0 beta

CLOSED ISSUE: Web Service Security

nlb6665 — Mon, 31 Mar 2008 17:36:03 GMT

---------edited Aug 14, 2007--------
I've decided to implement another form of security using a shared key. It's a custom solution and only recommended for Medium Trust shared hosting solutions. For Full Trust solutions WSE 3.0 or WCF should be used instead.

There will be a server side admin tool for the keys. A separate key should be generated for each client machine. The key will be saved as a key file in the client application folder (or location of your choice), then it will be read and passed to each web service call for validation. (just like the current solution). The only difference is the key isn't dynamically generated and authenticated with a username/password.

This prevents the keys from never expiring like they did before and, you can expire keys on the server side in case one becomes compromised.

-----Edited Sept 8, 2007-----
I'm working on posting these changes now. Feel free to comment on the discussion thread. The old release will still be available with the session based web service security.

Thoughts?
Discussion thread: http://www.codeplex.com/SingleSignOn/Thread/View.aspx?ThreadId=13798

UPDATED RELEASE: SingleSignOn 2.0 Beta (Mar 28, 2008)

Mon, 31 Mar 2008 17:35:11 GMT

***Please report any bugs and feature requests in the issue tracker***
[url:/SingleSignOn/WorkItem/List.aspx]

This is not a huge departure from what I had before, but it is significant enough that I decided to change the major version. This release will include a host of changes, bug fixes, and improvements. Please bare with me while I clean it up for a release. You can get the current code from the Source Code tab under the /trunk. I'll leave the old 1.1.0 release out here and you can see its source code under /tags/1.1.0 in the Source Code tab.

Changes include: {**Incomplete**}
*Server-side and client-side library separation - no more reference.cs file getting messed up when updating the web references
*Initialization handled using the built in initialization method. Now settings appear as attributes on the provider configuration vs a custom settings config section.
*numerous bug fixes that I've found by using this library.
*Synchronized my private library with the codeplex one. You get what I'm using.
*Built an optional Dynamic or Static service key. So now you can have a windows app that generates a key session and a web app that uses a static file.

Definitions:
*Client-side* is the web site or windows forms application that consumes these web services to access membership from a central server.
*Server-side* is the actual web site that hosts the web services providing the membership information.

Some caveats should be mentioned. This library is literally a passthrough to a server side membership provider. So any application using this shares its application name with the host application. Also, defining encryption, etc won't work because it relies on the server-side configuration for the SqlMembershipProvider. Since flat text is transmitted between the client applications and the server, you should use transport encryption (SSL/HTTPS) to protected your information. Also... all provider names server and client-side have to be the same name if you want to use the ASP.NET configuration tool on the client-side; I'll look into that so I can understand what's going on.

More documentation coming soon!

Source code includes Visual Studio 2005 and 2008 solutions

Stay tuned!

UPDATED RELEASE: SingleSignOn 2.0 Beta (Mar 28, 2008)

Mon, 31 Mar 2008 17:34:51 GMT

***Please report any bugs and feature requests with the code or documentation in the issue tracker***
[url:/SingleSignOn/WorkItem/List.aspx]

This is not a huge departure from what I had before, but it is significant enough that I decided to change the major version. This release will include a host of changes, bug fixes, and improvements. Please bare with me while I clean it up for a release. You can get the current code from the Source Code tab under the /trunk. I'll leave the old 1.1.0 release out here and you can see its source code under /tags/1.1.0 in the Source Code tab.

Changes include: {**Incomplete**}
*Server-side and client-side library separation - no more reference.cs file getting messed up when updating the web references
*Initialization handled using the built in initialization method. Now settings appear as attributes on the provider configuration vs a custom settings config section.
*numerous bug fixes that I've found by using this library.
*Synchronized my private library with the codeplex one. You get what I'm using.
*Built an optional Dynamic or Static service key. So now you can have a windows app that generates a key session and a web app that uses a static file.

Definitions:
*Client-side* is the web site or windows forms application that consumes these web services to access membership from a central server.
*Server-side* is the actual web site that hosts the web services providing the membership information.

Some caveats should be mentioned. This library is literally a passthrough to a server side membership provider. So any application using this shares its application name with the host application. Also, defining encryption, etc won't work because it relies on the server-side configuration for the SqlMembershipProvider. Since flat text is transmitted between the client applications and the server, you should use transport encryption (SSL/HTTPS) to protected your information. Also... all provider names server and client-side have to be the same name if you want to use the ASP.NET configuration tool on the client-side; I'll look into that so I can understand what's going on.

More documentation coming soon!

Source code includes Visual Studio 2005 and 2008 solutions

Stay tuned!

CLOSED FEATURE: Dynamic Mode Security - Add user authorization to function calls

nlb6665 — Mon, 31 Mar 2008 17:33:53 GMT

Basically once a service key is validated the client application has free reign against the membership functions. This is fine for a web application in most cases because it's running on a trusted host. However, in a windows forms situation, your key is being sent directly to a user so their application can talk to your membership service. I think there should be an optional way to lock down the membership functions for untrusted applications. I've been thinking about a way to maybe lock it down by authorized groups. That way say minimal users would only be able to login and obtain their groups, maybe reset a password. More privileged users could do more.

thoughts?
Comments: in 2.0 beta

REOPENED FEATURE: Dynamic Mode Security - Add user authorization to function calls

nlb6665 — Mon, 31 Mar 2008 17:33:36 GMT

CLOSED FEATURE: Dynamic Mode Security - Add user authorization to function calls

nlb6665 — Mon, 31 Mar 2008 17:33:06 GMT

Source code checked in

nlb6665 — Sat, 29 Mar 2008 07:09:18 GMT