C# ASP.NET Single Sign-On Implementation

Asked 13/1, 2013 at 22:44 Answered 21/2 at 12:14

I am tasked with implementing single sign-on for our customers as part of our next release. The flow exists as follows:

User logs into their school's main portal system using a student id/password provided to him/her by the school.
User clicks the link to my company's product.
User is automatically taken to the dashboard page as if they had just logged in through the login form on our site.

Thus, there are two mechanisms by which a user can be authenticated into our site:

Coming to our product's home page, and logging in using the email/password that we store in our local system.
Using the single sign-on where the student has already logged into the school's main system with a student id and password.

If our product's implementation is in ASP.NET (as opposed to Java/Ruby), should we be using CAS, JOSSO, or some other third party single sign-on product? Or is there something available to a .NET environment which would be simpler for us as a .NET company?

Anurous answered 13/1, 2013 at 22:44 Comment(1)

If it's the Identifier Provider Initiated model, this article may help: IdP-Initiated asp.net web applications – Lanoralanose 26/12, 2014 at 4:18

There are multiple options to implement SSO for a .NET application.

Check out the following tutorials online:

Basics of Single Sign on, July 2012

http://www.codeproject.com/Articles/429166/Basics-of-Single-Sign-on-SSO

GaryMcAllisterOnline: ASP.NET MVC 4, ADFS 2.0 and 3rd party STS integration (IdentityServer2), Jan 2013

http://garymcallisteronline.blogspot.com/2013/01/aspnet-mvc-4-adfs-20-and-3rd-party-sts.html

The first one uses ASP.NET Web Forms, while the second one uses ASP.NET MVC4.

If your requirements allow you to use a third-party solution, also consider OpenID. There's an open source library called DotNetOpenAuth.

For further information, read MSDN blog post Integrate OpenAuth/OpenID with your existing ASP.NET application using Universal Providers.

Hope this helps!

Kilimanjaro answered 13/1, 2013 at 23:13 Comment(8)

Thanks for the help! I'm wondering though, aren't there already pre-existing single sign-on servers that I might use to do this instead of writing my own implementation? Like Yale's CAS or something? – Anurous 13/1, 2013 at 23:47

Another option to implement SSO for ASP.NET & MVC applications is: componentpro.com/saml.net – Pentose 8/12, 2014 at 20:17

Perhaps I'm missing something, but the first link seems fairly useless. You can just hack the query string to bypass authentication? – Undress 2/4, 2015 at 20:28

@Undress That was my thought too.. doesn't seem very secure to me? – Contemplation 9/4, 2015 at 12:44

I was thinking that same thing. No way that's how SSO SHOULD work! – Purl 23/12, 2015 at 17:14

That first link is pretty rough. For starters, wherever he says "real time" replace it with "real world". At the end he implies that the magic "IsAuthenticatedBySSO" in the query string should be replaced by using a SAML token, which would have been described in a follow-up article. Unfortunately (?) the user's account was closed because he was "abusive or is a troll". – Globuliferous 22/3, 2016 at 22:35

yes, first link is not much secure. with query string any one can type url with that parameter and can authenticate . – Bert 29/6, 2016 at 12:22

Your second link of GaryMcAllisterOnline is dead – Dudleyduds 4/10, 2021 at 10:58

I am late to the party, but for option #1, I would go with IdentityServer3(.NET 4.6 or below) or IdentityServer4 (compatible with Core) .

You can reuse your existing user store in your app and plug that to be IdentityServer's User Store. Then the clients must be pointed to your IdentityServer as the open id provider.

Saylor answered 19/10, 2016 at 15:2 Comment(0)

There are several Identity providers with SSO support out of the box, also some third-party** services.

** The only problem with third-party services is that they might charge per user/month, which can be pretty expensive.

Some of the tools available and with APIs for .NET are:

Auth0
IdentityExpress (with Admin UI) by IdentityServer
Centrify Identity Service
Okta Identity (SAML 2.0)
OneLogin

If you decide to go with your implementation, you could use the frameworks below categorized by programming language.

C#:

IdentityServer3 (OAuth/OpenID protocols, OWIN/Katana)
IdentityServer4 (OAuth/OpenID protocols, ASP.NET Core)
OAuth 2.0 by Okta

JavaScript:

passport-openidconnect (node.js)
oidc-provider (node.js)
openid-client (node.js)

Python:

pyoidc
Django OIDC Provider

I would go with Auth0 as a service, as it's free for the first 7000 users, supports many languages, and not much needs to be done. However, if you need a more robust, manage yourself, and cheaper solution, I would configure IdentityServer4 and ASP.NET Core application and add authentication providers as necessary.

Both Auth0 and IdentityServer4 solutions use OAuth/OpenID protocols, supporting also WS-Federation and SAML 2.0 integration.

Erving answered 23/1, 2017 at 17:17 Comment(0)

[disclaimer: I'm one of the contributors]

We built a very simple free/opensource component that adds SAML support for ASP.NET apps https://github.com/jitbit/AspNetSaml

Basically it's just one short C# file you can throw into your project (or install via Nuget) and use it with your app

Baculiform answered 16/4, 2020 at 18:18 Comment(3)

Thanks a lot man. After 7days of headbanging, on the entire web, this is the simplest solution I have found. Thanks again. – Capture 3/9, 2021 at 18:33

@MalikKhalil You're very welcome! Yes, I went through the same headbanging myself, it was the reason I wrote this lib. – Baculiform 3/9, 2021 at 18:44

The best thing on this is that it gives you the most fundamental idea of how that SAML thing actually works. Thanks a milion for the simplest source code possible! – Find 26/11, 2021 at 0:52

UltimateSAML SSO is an OASIS SAML v1.x and v2.0 specifications compliant .NET toolkit. It offers an elegant and easy way to add support for Single Sign-On and Single-Logout SAML to your ASP.NET, ASP.NET MVC, ASP.NET Core, Desktop, and Service applications. The lightweight library helps you provide SSO access to cloud and intranet websites using a single credentials entry.

Detailed UltimateSAML SSO review can be found here

Superdominant answered 1/7, 2018 at 8:59 Comment(0)

I was also looking for the same where my members will get auto access to my learning platform (.NET site) if they are already logged into my membership portal. I found a few that worked for me, below I’ve listed them. You might find it helpful.

Yonne answered 21/2 at 12:14 Comment(0)

Recommended topics

Hot tags