Single Sign on with 2 subdomains, one Java, one .NET

Question

I'm currently looking for a nice solution for the problem above. We'll probably run form authentication on the .NET one.

I have an ASP.NET MVC app running on a.mydomain.com and a Java based app running on b.mydomain.com.

What is the best approach so that I don't have to log in to each app. Say, when I log into the a.mydomain.com and then open the Java b.mydomain.com, and it will check and see that I'm already logged in?

Would the WCF AuthenticationService class work for this? Could I do an AJAX request from the JavaScript of b.mydomain.com to check if I'm logged in already in the .NET app?

Answer 1

As long as mydomain.com is not in the public suffix list ( http://publicsuffix.org/list/ ), a.mydomain.com can put a domain cookie for .mydomain.com

( note that you can only go down one level in putting cookie : a.b.mydomain.com can not put a .mydomain.com cookie )

The cookie will be sent to b.mydomain.com (as well as *.mydomain.com and mydomain.com) and can be used as a token to open a session. So be sure to control the whole *.myDomain.com subdomain and make it httpOnly and secured (https)

Response.SetCookie(new HttpCookie("myCookieName", "myCookieValue") { HttpOnly = true, Domain = ".myDomain.com", Secure=true });

Some parts of the Atlassian Crowd solution http://www.atlassian.com/software/crowd/overview are based on this cookie mechanism

So you might :

1. Enable forms authentication on a.domain.com
2. upon successfull login build a myToken cookie which value contains userId and hashed userId with hashing key known by a.myDomain.com and b.myDomain.com
3. set the cookie with domain .myDomain.com
4. when user enters b.myDomain.com, check the cookie server side (in java) for matching between userId and hashed value
5. if the cookie is correct, open session for user userId

Note that you won't be able to access the cookie client side (so no js cookie handling, except if it is server side js, for example nodejs)

Answer 2

Using a Java or .NET existing solution is not likely to function on the other platform. You need several capabilities:

1. Tracking the client with an identifier for recognition (session, cookie).
2. Have both the Java and .NET application be able to get the related information.

How can you do these?

1. This is actually quite easy. You're using the same domain so you can place a cookie on the browser for all domains, meaning that requests to a* and b* will both have the cookie sent to the server. Both Java and .NET have excellent facilities for cookie placement.
2. This is dependent on your back-end. What are the systems using for persistent storage? If you have something like a MySQL database which both systems are connected to, you can make a table with login information for each stored identifier for authentication. If you take this route, have some sort of time-out as well to invalidate old authentications.

If you have both those pieces of information, you can do the authentication on each system.

Answer 3

I recommend using one of enterprise sso protocols, Oauth2 or ws-federation. This gives you maximum flexibility in composing your services, you can not only federate these two but then, later, easily expand your application environment. Both protocols do not need apps to be on the same domain.

Although this could sound overcomplicated for your simple needs, you do it once and have the sso problem solved forever, no matter what happens in future to your applications.