Thursday, July 26, 2007

ASP.net : Single Sign On using Forms Authentication

Lately I have been asked to implement SSO on all upcoming web applications for a division in my company. As the name implies, the user logs in only once and can then jump to another application without being prompted for a username and password again. With ASP.NET Forms Authentication, each application generates an authentication ticket, and using that ticket for SSO is the easier route since the framework takes care of a lot of things for us.

Here are the steps to implement SSO.

1. Override the Machine key validation and decryption key.

By default, each application's authentication ticket is generated using different validation and decryption keys. Since we need a single ticket that all the applications accept, every application under SSO must use the same keys. We specify the keys by adding the following entry to each application's web.config.

<machineKey validationKey="1555CBC4DE7791EA223E"
decryptionKey="D1CB403BD1EE413909EF" validation="SHA1" />

2. Use the same forms name in your forms authentication entry.

Each application has to point to the same authentication ticket. To do this we just need to give the forms element the same name in every application. This assumes you will be using a parent/child virtual directory setup on your IIS.

<authentication mode="Forms">
<forms name=".SSOAuth" protection="All" timeout="60" loginUrl="login.aspx"/>
</authentication>

Take note that the way you deploy your applications on your IIS server affects whether they can see the authentication ticket. Since the authentication ticket is cookie based, you just need to give the cookie the same location (the cookie path) in every application so that the SSO applications can share the same ticket.
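As an added example (not code from the original post), here is a small Python script that does the two housekeeping tasks these steps imply: it generates one full-length machineKey element to paste into every web.config, and it checks a set of web.config fragments for the settings the SSO applications must share, flagging any key left at AutoGenerate or IsolateApps, which makes ASP.NET derive a per-application key. The application names and the web.config fragments are constructed for the example.

```python
import secrets
import xml.etree.ElementTree as ET

# Settings the post says every application in the SSO group must share.
SHARED = ("validationKey", "decryptionKey", "validation", "formsName", "protection")

def generate_machine_key(validation="SHA1"):
    """Emit one <machineKey> with full-length random keys (128 hex chars for
    validationKey, 64 hex chars = AES-256 for decryptionKey) to paste into every
    web.config in the group."""
    return ('<machineKey validationKey="{}" decryptionKey="{}" validation="{}" '
            'decryption="AES" />').format(secrets.token_hex(64), secrets.token_hex(32), validation)

def sso_settings(web_config_xml):
    """Extract the shared settings from one application's web.config."""
    root = ET.fromstring(web_config_xml)
    mk = root.find("./system.web/machineKey")
    forms = root.find("./system.web/authentication/forms")
    if mk is None or forms is None:
        raise ValueError("machineKey or <forms> element missing")
    return {"validationKey": mk.get("validationKey"), "decryptionKey": mk.get("decryptionKey"),
            "validation": mk.get("validation"), "formsName": forms.get("name"),
            "protection": forms.get("protection", "All")}

def sso_mismatches(configs):
    """Return [(setting, {app: value})] for each setting the apps disagree on, plus an
    entry per key that uses AutoGenerate or IsolateApps: either makes ASP.NET derive a
    per-application key, so a ticket issued by one app cannot be decrypted by the next."""
    settings = {app: sso_settings(xml) for app, xml in configs.items()}
    problems = []
    for key in SHARED:
        values = {app: s[key] for app, s in settings.items()}
        if len(set(values.values())) > 1:
            problems.append((key, values))
    for app, s in settings.items():
        for key in ("validationKey", "decryptionKey"):
            if any(flag in (s[key] or "") for flag in ("AutoGenerate", "IsolateApps")):
                problems.append((key + " per-app", {app: s[key]}))
    return problems

# Constructed web.config fragments for two applications; "reports" has a different forms name.
def _config(forms_name, validation_key):
    return ('<configuration><system.web><machineKey validationKey="{}" '
            'decryptionKey="D1CB403BD1EE413909EF" validation="SHA1" /><authentication mode="Forms">'
            '<forms name="{}" protection="All" timeout="60" loginUrl="login.aspx" />'
            '</authentication></system.web></configuration>').format(validation_key, forms_name)

SAMPLE_CONFIGS = {"portal": _config(".SSOAuth", "1555CBC4DE7791EA223E"),
                  "reports": _config(".ReportsAuth", "1555CBC4DE7791EA223E")}
```

Running `sso_mismatches(SAMPLE_CONFIGS)` reports the forms name mismatch between the two constructed applications, which is exactly the case where a user logged into one app is prompted again by the other.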
