The user clicks a formulated login link and is sent to the authentication site. This link carries a QueryString parameter, ReturnUrl, that holds the landing page of the third party site to which the user will be redirected after being successfully authenticated. The login link looks like:
http://www.AuthenticationSite.com/login.aspx?SiteID=1&ReturnUrl=http://www.ThirdPartySite.com/LandingPage.aspx?Parameter1=xxx&Parameter2=yyy
SiteID is a parameter that the authentication site uses to determine the web page presentation style as well as the data transfer logic (which stored procedure to use for delivering data to a third party site). Parameter1 and Parameter2 are part of the ReturnUrl and are used by the third party site for its own purposes. The ReturnUrl should be UrlEncoded so that the whole string, including its own parameters and any reserved characters like "?", "=" and "&", is treated as one single parameter, as follows:
http://www.AuthenticationSite.com/login.aspx?SiteID=1&ReturnUrl=http%3a%2f%2fwww.ThirdPartySite.com%2fLandingPage.aspx%3fParameter1%3dxxx%26Parameter2%3dyyy
The authentication site first obtains the SiteID and the ReturnUrl from the QueryString and then presents the user, based on the SiteID, with a login page whose graphic presentation is similar to the third party site. The user enters his username and password and clicks the login button. Upon successful authentication, the application retrieves the user's identity from the database and builds a securely encrypted url QueryString parameter, EncryptedData, that includes UserID, ExpirationDateTime and SiteID (more can be added as needed). It then appends it to the end of the ReturnUrl. The ReturnUrl now looks like:
http://www.ThirdPartySite.com/LandingPage.aspx?Parameter1=xxx&Parameter2=yyy&EncryptedData=RD69usAsVDrAwr3Sa8jyO9FNRmgcuyM9o3WamQ/eeDufMQZgooqn0pw+aEXEsOzs5K1aQ3Y63RNAj8dWwrj4Yf+poMm94Jp8CO72YgyNXMJgBtzopeQcahNZXQAkry0iEDE7dgE+TUHmE1tDb3C32UJ3t+69A/aKj5cu7Kcg1G9csk6ZbKD/E73UZ89W/7mN
The user is then redirected to the landing page of the third
party site using the above ReturnUrl. The EncryptedData should be UrlEncoded.
At the third party site, the landing page grabs the parameter EncryptedData from the QueryString and calls an authentication web service with it. The web service decrypts the parameter and checks the expiration date. Successful decryption with a valid expiration date signifies that the user has been authenticated. The web service then retrieves a complete set of user data from the database using a stored procedure determined by the SiteID and returns the data to the third party application. The landing page inserts/updates the user data in its own database and performs the necessary actions to programmatically log the user into its system.
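The round trip described above, as an added illustration that is not part of the article's demo solution: it is written in Python rather than the demo's ASP.NET and Enterprise Library code, and in place of the TripleDESCryptoServiceProvider it uses a standard-library stand-in (an HMAC-SHA256 keystream in counter mode with a fresh random nonce, plus an HMAC tag over the ciphertext so that any change to EncryptedData is rejected as "decryption failed"). The shared key, the user names and the function names build_login_link, build_redirect, landing_page, encrypt_token and decrypt_token are all assumptions made for this example. It shows the two places where UrlEncoding matters (the nested ReturnUrl and the base64 token), the UserID|ExpirationDateTime|SiteID payload, and the three outcomes the demo reports: authenticated, decryption failed, and url expired.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed shared secret standing in for the machine-bound key file that the
# article creates with the Enterprise Library Configuration Utility.
SHARED_KEY = b"constructed-demo-key-do-not-reuse"
TOKEN_LIFETIME_SECONDS = 60   # the demo's roughly one-minute expiry
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in (assumption) for the
    TripleDES provider the article's demo uses."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_token(user_id: str, site_id: int, expires_at: int, key: bytes = SHARED_KEY) -> str:
    """Build EncryptedData: UserID|ExpirationDateTime|SiteID, encrypted then tagged."""
    plaintext = f"{user_id}|{expires_at}|{site_id}".encode()
    nonce = secrets.token_bytes(NONCE_LEN)
    cipher = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()   # encrypt-then-MAC
    return base64.b64encode(nonce + cipher + tag).decode()


def decrypt_token(token: str, key: bytes = SHARED_KEY, now=None):
    """The web service's check. Returns (status, fields); status is 'ok',
    'decryption failed' or 'url expired', mirroring the demo's messages."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return "decryption failed", None
    if len(raw) < NONCE_LEN + TAG_LEN:
        return "decryption failed", None
    nonce, cipher, tag = raw[:NONCE_LEN], raw[NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):      # tampered value or wrong key
        return "decryption failed", None
    plaintext = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    try:
        user_id, expires_at, site_id = plaintext.decode().split("|")
        expires_at, site_id = int(expires_at), int(site_id)
    except ValueError:
        return "decryption failed", None
    if (time.time() if now is None else now) > expires_at:
        return "url expired", None
    return "ok", {"UserID": user_id, "ExpirationDateTime": expires_at, "SiteID": site_id}


def build_login_link(auth_login_url: str, site_id: int, return_url: str) -> str:
    """The login link: urlencode() escapes ':' '/' '?' '=' '&' inside ReturnUrl so the
    nested URL and its own parameters travel as one QueryString value."""
    return auth_login_url + "?" + urlencode({"SiteID": site_id, "ReturnUrl": return_url})


def build_redirect(login_link: str, user_id: str, now=None) -> str:
    """Authentication site after a successful login: append EncryptedData to ReturnUrl.
    The base64 token can contain '+', '/' and '=', so it is UrlEncoded as well."""
    params = parse_qs(urlsplit(login_link).query)
    site_id = int(params["SiteID"][0])
    return_url = params["ReturnUrl"][0]          # parse_qs has already decoded it
    expires_at = int(time.time() if now is None else now) + TOKEN_LIFETIME_SECONDS
    token = encrypt_token(user_id, site_id, expires_at)
    separator = "&" if "?" in return_url else "?"
    return return_url + separator + urlencode({"EncryptedData": token})


def landing_page(redirect_url: str, now=None):
    """Third party landing page: pull EncryptedData from the QueryString and validate it."""
    params = parse_qs(urlsplit(redirect_url).query)
    token = params.get("EncryptedData", [None])[0]
    if token is None:
        return "decryption failed", None
    return decrypt_token(token, now=now)


if __name__ == "__main__":
    link = build_login_link("http://www.AuthenticationSite.com/login.aspx", 1,
                            "http://www.ThirdPartySite.com/LandingPage.aspx?Parameter1=xxx&Parameter2=yyy")
    print("login link:", link)
    redirect = build_redirect(link, "johnd")
    print("redirect:", redirect)
    print("landing page now:", landing_page(redirect))
    print("one minute later:", landing_page(redirect, now=time.time() + 61))
```

The expiration is carried inside the protected payload rather than as a separate parameter, so the third party cannot extend it, and the tag is checked before anything is parsed, so a modified EncryptedData or a different key produces "decryption failed" rather than a partially decoded record.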
To illustrate how the cross site authentication works, I have prepared a demo application for download. The solution contains two web sites. One is the CrossSiteAuthentication site, which provides a login interface to authenticate users as well as a web service for a third party to consume. The other is the ThirdPartySite, which simulates a third party service provider site. Although both sites are in the same solution and run on the local machine, the methodology is applicable to any third party site located at a remote location.
To run the demo, you will need Sql Server 2005 Express Edition (make sure that the service is running; it may be necessary to test its connection from Server Explorer in Visual Studio 2005) and Microsoft Enterprise Library – January 2006. The enterprise library is used for data access and cryptography. Since the security key for cryptography is machine dependent, you will need to create a key using the Enterprise Library Configuration Utility that comes with the library installation. Use the following steps to create a key.
· Start the Enterprise Library Configuration Utility (under Start – All Programs, Microsoft Patterns & Practice, Enterprise Library – January 2006).
· Right click on the Enterprise Library Configuration root item and select New Application. Right click Application Configuration (a newly created item below the root) and select New, Cryptography Application Block. Right click Symmetric Providers and select New, Symmetric Algorithm Provider. In the dialog box that comes up, select TripleDESCryptoServiceProvider (this is the one I used; others should all be fine). In the key wizard dialog box, select Create New Key and click Next. Enter some text and click Generate, then Next. Give it a name (I used tripleDES.key) and save it to the CrossSiteAuthentication application folder (it can be saved anywhere). Click Next, select Machine mode and click Finish.
· Open the web.config file in the CrossSiteAuthentication application and change the protectedKeyFilename element inside symmetricCryptoProviders to the path where you saved the key.
In Visual Studio 2005, open the solution. Expand the ThirdPartySite tree, right click on LandingPage1.aspx and select View in Browser. When the page appears, click the "Check Authentication Status" button. You will see that the user is not authenticated. Close the browser. This step makes the ThirdPartySite accessible by starting its local web server, since it is a file-system based application. Expand the CrossSiteAuthentication tree. Right click the Default.aspx page and select View in Browser. Two links are shown on the page. Looking at the HTML code for these two links, you will see that one has a ReturnUrl that points to the Third Party #1 web site and the other to the Third Party #2 web site. In the demo they are not really two sites, but two pages in the ThirdPartySite application, LandingPage1.aspx and LandingPage2.aspx. Please check the port number in the links and make sure it is the correct number for the ThirdPartySite application.
Click the link "Third Party #1 Web Site"; the login.aspx page shows up with the header image and header text of Site1. Enter the user name johnd and the password password (or janed/password; there are only two users in the customer table), and click the Login button. You are authenticated and redirected to LandingPage1.aspx in the ThirdPartySite. The landing page calls the web service, pulls out John Doe's data, and programmatically logs John into the ThirdPartySite. Click the "Check Authentication Status" button. This time you will see that the user is authenticated. If you change the "EncryptedData" in the Url, or leave the page open for over a minute and then refresh it, you will see a message indicating that decryption failed or the url expired.
Repeat the above steps with the Third Party #2 Web Site link on the default.aspx page (you will see a different header image and header text); after being authenticated you are redirected to LandingPage2.aspx.