ASP.NET 2.0: Implementing Single Sign On (SSO) with Membership API

The membership API is awesome. No doubt about that. But I wish it had a more obvious in-built support for SSO. The only authenticate method takes in a username and password, there is no support for a token based system. Also, if you did add another method to verify against a ticketing authority - the membership API simply ignores it.

So the question is, How to do SSO using the Membership API - custom provider or otherwise.
Now ASP.NET has 3 kinds of authentication -

Passport - nobody uses it anymore, and that is SSO by definition anyway.
Windows - SSO is like a moot point here.
Forms - This is where the problem begins. So thats all I'm gonna discuss here.

Well, single sign on is almost always implemented using a central ticketing authority. The idea being similar to the concept of visiting a bar. You get a "token" stamped on the back of your hand as you walk into the bar, and then everywhere in the bar, you are recognized as "over 21".

Similarly, in a ticketing based SSO implementation, a central ticketing authority issues you a "ticket" at logon. Then you can integrate with any other system by passing the "ticket", rather than your authentication credentials. Then as long as the protected system can verify the "ticket" as being valid, you're in. Else, you're out.

Anyway, so the first thing you need to do is setup a ticket verification webservice. The idea being, anytime you successfully authenticate, you will be issued a ticket, which will ideally be a GUID, stored as cookie that expires when the user hits the CROSS button on his browser. Then you can circumvent the membership API's "Authenticate" method, by instead verifying the ticket - IF one is present.

So lets assume that the ticket is being passed as a querystring called "ssoToken". Obviously, if someone else sniffed your ticketID, then he could masquerade as you - so this approach requires some kind of encryption.

So in the Page_Load for your login.aspx page, write the following code -

protected void Page_Load(object sender, EventArgs e)

{

string unescapedtokenID = Uri.UnescapeDataString(Request.QueryString["ReturnURL"]);

string tokenID = ParseURL(unescapedtokenID);

if (IsTokenValid(tokenID))

{

FormsAuthentication.SetAuthCookie(GetUserName(tokenID), false);

Response.Redirect(unescapedtokenID);

}

}

Basically "tokenID" is the token that was passed in as QueryString (or any other means), and IsTokenValid queries the ticketing web service to check the validity of the ticket. The ParseURL method is simply some magic to seperate out querystring peices out of the URL contained in the "ReturnURL" query string. If you're interested, the code for that looks like as below -

private string ParseURL(string unescapedTokenID)

{

UriBuilder bldr = new UriBuilder("http://dummyurl" + unescapedTokenID);

QueryStringParser coll = new QueryStringParser(bldr.Query);

return coll["ssoToken"];

}

The QueryStringParser class looks like this -

internal class QueryStringParser : System.Collections.Specialized.NameValueCollection

{

internal QueryStringParser(string s)

{

if (s.Length != 0) s = s.Substring(1);

int num1 = (s != null) ? s.Length : 0;

for (int num2 = 0; num2 < num1; num2++)

{

int num3 = num2;

int num4 = -1;

while (num2 < num1)

{

char ch1 = s[num2];

if (ch1 == '=')

{

if (num4 < 0)

{

num4 = num2;

}

}

else if (ch1 == '&')

{

break;

}

num2++;

}

string text1 = null;

string text2 = null;

if (num4 >= 0)

{

text1 = s.Substring(num3, num4 - num3);

text2 = s.Substring(num4 + 1, (num2 - num4) - 1);

}

else

{

text2 = s.Substring(num3, num2 - num3);

}

base.Add(HttpUtility.UrlDecode(text1, Encoding.ASCII), HttpUtility.UrlDecode(text2, Encoding.ASCII));

if ((num2 == (num1 - 1)) && (s[num2] == '&'))

{

base.Add(null, string.Empty);

}

}

}

}

Thats it !! Put all these together, and you have at your hands SSO using Membership API.