2

I need to develop a "single sign on" authentication between three ASP.NET applications and one Delphi ISAPI application.

Participants of scenario:

  • UI asp.net application - it does make calls to the WS application
  • BI asp.net application
  • WS isapi module which contains soap services written in Delphi. (can talk with LDAP)

Additional info/constraints:

  • WS application can talk with LDAP but that could be modified/extended.
  • WS application performs (or not) business logic basing on a user identity.
  • ADAM is a must (?) because there's a need of separate user container for every application instance (some kind of multi-tenant solution).
  • Forms authentication is highly demanded.

My current idea is to use AD or ADAM as a user container. Use a form authentication and share a membership provider (http://msdn.microsoft.com/en-us/library/eb0zx8fc.aspx) between ASP.NET applications. Impersonate both ASP.NET applications (http://stackoverflow.com/questions/1066275/impersonate-using-forms-authentication) and then call a WS from UI application.

However, I don't know how to pass (and recive) the user identity (credentials?) on the side of WS module. Could that be handled by IIS somehow (and ADAM?) Probably they will use a HTTP digest or basic authentication. I'd be thankful for any information and advices how to make this work.

krlm
  • 817
  • 7
  • 18
  • ADAM is now [Active Directory Lightweight Directory Service (AD LDS)](http://en.wikipedia.org/wiki/Active_Directory#Lightweight_Directory_Service). Why is it a 'must'? (to use a "lightweight" implementation of AD) - do you want to run multiple AD LDS instances on the same server? – mjn Nov 18 '12 at 14:33
  • @mjn: Thanks for hint. I need to separate customer accounts, it's a multi-tenant solution. I'm not sure if multiple instances of AD LDS are necessary. Anyway, does it change something in my problem? – krlm Nov 19 '12 at 07:57

1 Answers1

0

However, I don't know how to pass (and recive) the user identity (credentials?) no the side of WS module.

According to http://www.mombu.com/microsoft/microsoft/t-iis-60-single-sign-on-isapi-filter-14103802-last.html there is an AuthFilter example with source code in the Platform SDK.

This solution seems to be built around authentification Cookies, which can be passed between IIS servers.

If this Single Sign On example can be applied to your ISAPI application, it should be possible to pass the authentification Cookies from ASP.NET to the ISAPI side too.

(I am not an expert in this area, this suggestions is based on the first research results found in the web.)

mjn
  • 36,362
  • 28
  • 176
  • 378