
简单的单点登录令牌颁发转发制作,利用POST与置换Form完成

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.HtmlControls;
using SingleSignOn.Server.Auth;

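namespace SingleSignOn.Server
{
    /// <summary>
    /// Login page of the token-issuing server (STS).
    /// On GET it carries the relying party's reply address (<c>reply</c>) and
    /// identifier (<c>id</c>) into the login form as hidden fields. On the
    /// credential POST it asks <see cref="TestProvider"/> for a token, sets the
    /// SSO cookie, and renders a form targeting the reply address that the page
    /// script submits automatically.
    /// </summary>
    /// <remarks>
    /// The reply address is attacker-controllable (query string on GET, hidden
    /// field on POST). Before any token is handed out it is checked against the
    /// host allowlist in Web.config appSettings (<see cref="AllowedReplyHostsKey"/>);
    /// without that check any link of the form <c>LoginPage.aspx?reply=https://evil/</c>
    /// would deliver the user's token to an arbitrary site.
    /// </remarks>
    public partial class LoginPage : System.Web.UI.Page
    {
        /// <summary>
        /// Web.config appSettings key holding a comma-separated list of host names
        /// (no scheme, port or path) that are allowed to receive issued tokens.
        /// Absent or empty means "no relying party registered": every non-empty
        /// reply address is rejected.
        /// </summary>
        private const string AllowedReplyHostsKey = "SingleSignOn.AllowedReplyHosts";

        protected void Page_Load(object sender, EventArgs e)
        {
            if (!IsPostBack)
            {
                RenderLoginForm();
            }
            else if (Request.Form["operate"] == "1")
            {
                IssueTokenAndForward();
            }
        }

        /// <summary>
        /// GET branch: add the reply address, identifier and an "operate" marker to
        /// the server form as hidden fields so they survive the credential POST.
        /// A non-empty reply address that is not on the allowlist is refused here
        /// so the user is not asked for a password on a link that could never be
        /// completed safely; the authoritative check is repeated on the POST
        /// because hidden fields can be edited by the client.
        /// </summary>
        private void RenderLoginForm()
        {
            string reply = Request.QueryString["reply"];
            string identifier = Request.QueryString["id"];

            if (!string.IsNullOrEmpty(reply) && !IsAllowedReplyUrl(reply))
            {
                RejectRequest(400, "Invalid or unregistered reply address.");
                return;
            }

            // HtmlInputHidden HTML-encodes the value attribute on render, so echoing
            // the query values back into the form does not open a script injection.
            HtmlInputHidden replyInput = new HtmlInputHidden();
            replyInput.ID = "reply";
            replyInput.Name = "reply";
            replyInput.Value = reply;

            HtmlInputHidden identifierInput = new HtmlInputHidden();
            identifierInput.ID = "identifier";
            identifierInput.Name = "identifier";
            identifierInput.Value = identifier;

            // "operate" = "1" tells the POST branch that this is the credential submit.
            HtmlInputHidden operateInput = new HtmlInputHidden();
            operateInput.ID = "operate";
            operateInput.Name = "operate";
            operateInput.Value = "1";

            this.Form.Controls.Add(operateInput);
            this.Form.Controls.Add(replyInput);
            this.Form.Controls.Add(identifierInput);
        }

        /// <summary>
        /// POST branch: validate the reply target, issue the token, set the SSO
        /// cookie and replace the page's server form with a form that posts the
        /// token to the reply address (submitted by the page's onload script).
        /// </summary>
        private void IssueTokenAndForward()
        {
            // The original server form is discarded; a new form pointing at the
            // reply address is rendered in its place.
            if (this.Form != null)
            {
                this.Controls.Remove(this.Form);
            }

            string userName = Request.Form["username"];
            string password = Request.Form["password"];
            string reply = Request.Form["reply"];
            string identifier = Request.Form["identifier"];

            // Hidden fields are client-controlled: re-check the reply target before a
            // token exists, so a tampered form cannot redirect the token elsewhere.
            if (!string.IsNullOrEmpty(reply) && !IsAllowedReplyUrl(reply))
            {
                RejectRequest(400, "Invalid or unregistered reply address.");
                return;
            }

            TestProvider provider = new TestProvider();
            string token = provider.CreateAuthToken(userName, password, "TestSSOServer", identifier);

            // NOTE(review): assumes CreateAuthToken returns null/empty when the
            // credentials are rejected -- confirm against the provider. If it throws
            // instead, catch that here; either way no cookie and no forward on failure.
            if (string.IsNullOrEmpty(token))
            {
                RejectRequest(401, "Login failed.");
                return;
            }

            // SSO cookie. The value is the sample's placeholder literal; a deployment
            // must store a server-signed, expiring token bound to the identifier here.
            HttpCookie ssoCookie = new HttpCookie("TestSSO", "identifier+commonkey");
            ssoCookie.HttpOnly = true;                     // not readable by page scripts
            ssoCookie.Secure = Request.IsSecureConnection; // issued over HTTPS -> never sent over HTTP
            Response.AppendCookie(ssoCookie);

            if (!string.IsNullOrEmpty(reply))
            {
                HtmlForm replyForm = new HtmlForm();
                replyForm.ID = "loginForm";
                replyForm.Method = "POST";
                replyForm.Action = reply;
                replyForm.EnableViewState = false;

                // Rendered as <input type="hidden" name="cookie" value="..."> (encoded).
                HtmlInputHidden tokenInput = new HtmlInputHidden();
                tokenInput.ID = "cookie";
                tokenInput.Value = token;
                replyForm.Controls.Add(tokenInput);

                this.Controls.Add(replyForm);
            }

            // Signals the page's onload script that the forwarding form should be submitted.
            this.Response.Write("<script type='text/javascript'>var willReply = 1;</script>");
        }

        /// <summary>
        /// Returns true when <paramref name="reply"/> is an absolute http/https URL
        /// whose host exactly matches (case-insensitively) one of the configured
        /// allowlist hosts. Exact match rather than suffix match so that
        /// "evil-example.com" cannot pass for "example.com". Fails closed when
        /// nothing is configured.
        /// </summary>
        private static bool IsAllowedReplyUrl(string reply)
        {
            Uri target;
            if (!Uri.TryCreate(reply, UriKind.Absolute, out target))
            {
                return false;
            }

            // Rules out javascript:, data:, file: and other non-web schemes.
            if (target.Scheme != Uri.UriSchemeHttp && target.Scheme != Uri.UriSchemeHttps)
            {
                return false;
            }

            string configured = System.Web.Configuration.WebConfigurationManager.AppSettings[AllowedReplyHostsKey];
            if (string.IsNullOrEmpty(configured))
            {
                return false;
            }

            return configured
                .Split(',')
                .Select(host => host.Trim())
                .Any(host => host.Length > 0
                    && string.Equals(host, target.Host, StringComparison.OrdinalIgnoreCase));
        }

        /// <summary>
        /// Ends the request with a plain-text error instead of rendering the page.
        /// </summary>
        /// <param name="statusCode">HTTP status to return.</param>
        /// <param name="message">Short message written to the response body.</param>
        private void RejectRequest(int statusCode, string message)
        {
            Response.Clear();
            Response.StatusCode = statusCode;
            Response.ContentType = "text/plain";
            Response.Write(message);
            Response.End();
        }
    }
}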


以上是Token颁发中心的公用Login页面的后台代码。

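<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="LoginPage.aspx.cs" Inherits="SingleSignOn.Server.LoginPage" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
    <script type="text/javascript">
        // Auto-submits the token-forwarding form that the code-behind builds after
        // a successful login. The code-behind signals that case by writing
        // "var willReply = 1;" into the response; on the initial GET the variable
        // does not exist at all, so test for it with typeof instead of letting a
        // ReferenceError be swallowed by a catch-all (which would also hide a
        // genuinely failed submit).
        function submitNewForm() {
            if (typeof willReply === "undefined" || !willReply) {
                return;
            }
            var form = document.getElementById("loginForm");
            if (form) {
                form.submit();
            }
        }
    </script>
</head>
<body onload="submitNewForm()">
    <form id="loginForm" runat="server" action="#">
    <div>
        UserName : <input type="text" name="username" id="username" /><br />
        Password: <input type="password" name="password" id="password" /><br />
        <input type="submit" value="Submit" />
    </div>
    </form>
</body>
</html>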


这一部分是Login页面的前台代码。

核心流程:

Client 需要登录 → 重定向到 STS 的 Login 页面(附带数据接收地址 reply 与自身的 identifier)→ STS 验证凭据,并将结果 POST 到 reply 页面;在 POST 之前,将 STS 的 Token 写入 cookie 以提供单点登录功能 → Client 解析 STS POST 过来的数据。注意:reply 地址由 Client 通过查询串传入,又以隐藏域随登录表单回传,两处都可被篡改;STS 在把 Token POST 出去之前必须校验 reply 属于已注册的接收地址白名单,否则攻击者只需构造一个带恶意 reply 的登录链接,就能把用户的 Token 收到自己的站点。

STS核心逻辑:

1. 按照需求组装返回的数据和需要写入 Cookie 的 Token。Token 必须经过设计:至少应由服务端签名(如 HMAC)、带过期时间并绑定到 identifier,Cookie 应设置 HttpOnly 与 Secure;示例代码写入 Cookie 的 "identifier+commonkey" 只是一个占位字符串,任何人都能伪造,不能直接用于生产。

2. 表单的置换:上述代码在 POST 分支移除原有的服务器端 form,再动态生成一个指向 reply 的新 form,由页面脚本在 onload 时自动提交。这只是一个思路,尚有不完善之处,例如禁用脚本的浏览器无法完成自动提交,且在把 Token POST 出去之前没有校验 reply 地址。