I want to log on to two sites simultaneously to enable a single sign-on solution. We have a smallish wiki that is created with Apple wiki and we have an intranet site on an ASPX CMS system by Elcom. Both use Active Directory for credentials.

Currently they are on different domains, but we could enable a rewrite using our load balancer (Citrix Netscaler) or IIS. These sites are on different servers, one a mysterious Mac system and the other IIS v6.0 on Windows 2003.

Now I am almost certain that a reverse proxy setup will solve this, but I really just need someone to agree that this solves the issue, and if there are things I should look out for, what they might be. I just want to have an invisible log-on screen in an iframe and clone the user name and password into it using JavaScript.

James Wakefield
  • Is this a better question: How do I simulate a reverse proxy using Fiddler? Currently I have staff.mycompanyintranet.com [publicly accessible] and wiki.crazyinternalname.now [privately accessible]. I want wiki.crazyinternalname.now to be accessed as staff.mycompanyintranet.com/datadictionary/, and I need JSON that has many URLs embedded in it and links from the wiki site to be fixed. The JSON file has many URLs that look like this: `{"staticImagePathAt2x":"\/__wiki\/coreclientbase\/stylesheets\/wikieditor\/img\/serverhome\/serverhome_wikis@2x.png"}` – James Wakefield Aug 25 '14 at 05:56
  • You should open a new question to ask that. – Kijewski Aug 25 '14 at 12:56

2 Answers

If you do not only use the client IP to verify that a user is who they claim to be, then it matters little if your domains are operating on the same server. The browser simply won't share a cookie across domains.

Once the user browses to a page that needs authentication, then the SSO needs to be queried by some mechanism.

I solved this problem by using OpenID -- with the provider being statically set, and the user not noticing that OpenID is being used. The only difficult part is setting up a provider, since OpenID is a mess. The bright side is that this will work on any number of relying parties (in your case, read: domains) easily and transparently.

See "dotnetopenid", which is used by StackExchange on their sites. Probably it can't be all bad.

Kijewski
  • OpenID is really not for this. OAuth is; but not OpenID. – George Stocker Aug 25 '14 at 04:49
  • @GeorgeStocker, it works. Do I need to say more? – Kijewski Aug 25 '14 at 04:50
  • It works in the same way you can use a hammer on a screw -- but neither are meant to be used together. – George Stocker Aug 25 '14 at 04:51
  • So you say. Fact is that there are good relying party libraries for OpenID for just about every language; only setting up a provider is difficult. You can easily set your services as accepted, and reject everything else. Using OAuth would not make anything easier. – Kijewski Aug 25 '14 at 04:57
  • OpenID is for logging on from one site to another without having to create credentials on that second site. That's what it's for. Its purpose was to keep people from being in the identity management business. Not what the OP is looking for here. OAuth, et al., are a way to securely say, "Person who logged in to site X is authorized to use those same credentials to log into site Y, and when you communicate with site X, use those credentials instead of a username/password." See also: http://stackoverflow.com/questions/1087031/whats-the-difference-between-openid-and-oauth – George Stocker Aug 25 '14 at 14:47
  • Yes, still it works like a charm. "OpenID is about authentication, OAuth is about authorisation" -- and authentication is what OP is looking for. You might call it an abuse of the idea, but sometimes a hammer works well enough to pin in a screw. – Kijewski Aug 25 '14 at 15:09
  • I just noticed that autodesk.com uses this method, too. – Kijewski Aug 27 '14 at 07:39

If your two sites share the same domain, say intranet.yoursite.com and wiki.yoursite.com, you can use the same authorization cookie on both of them. Just make sure the cookie set by one site is understood by the other site. If both sites use ASP.NET, make sure they share the same machine key.

If these two sites are on two completely different domains, OpenID is an option. There is another way if you don't want to use OpenID: after the user logs on to site A, site A can redirect the user to site B with an authentication token in the URL that can only be understood by site B. Site B can decrypt the token and then log the user on.

Adamy
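One way to implement the redirect-with-token hand-off described in the second paragraph of this answer, as an added example that is not part of the answer or of either product: site A issues a short-lived, single-use token bound to site B and places it in the redirect URL; site B checks the signature, the audience, the expiry and replay before logging the user on. This example uses an HMAC-signed token (standard library only) in place of the encrypted token the answer mentions, so the user name is readable in the URL; SHARED_SECRET and the site names are placeholder values.

```python
import base64, hashlib, hmac, json, os, time

# Shared secret known only to site A (issuer) and site B (verifier); constructed placeholder.
SHARED_SECRET = b"replace-with-32-random-bytes-shared-out-of-band"
TOKEN_TTL_SECONDS = 60  # the hand-off link is followed immediately, so keep this short

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(username: str, audience: str, now=None) -> str:
    """Site A: build 'payload.signature' to append to the redirect URL for site B."""
    now = time.time() if now is None else now
    payload = {
        "sub": username,
        "aud": audience,                      # only this site may accept the token
        "exp": int(now) + TOKEN_TTL_SECONDS,  # hard expiry
        "jti": _b64(os.urandom(16)),          # random id so each token is single-use
    }
    body = _b64(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"

def verify_token(token: str, expected_audience: str, seen_ids: set, now=None):
    """Site B: return the user name if the token is valid, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SHARED_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):   # constant-time compare
            return None
        payload = json.loads(_unb64(body))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(payload, dict):
        return None
    if payload.get("aud") != expected_audience or payload.get("exp", 0) < now:
        return None
    if payload.get("jti") in seen_ids:   # replay: the same link opened a second time
        return None
    seen_ids.add(payload["jti"])
    return payload.get("sub")

if __name__ == "__main__":
    seen = set()                           # site B's store of already-used token ids
    token = issue_token("jdoe", "wiki.example.test")
    print("first use :", verify_token(token, "wiki.example.test", seen))   # jdoe
    print("replay    :", verify_token(token, "wiki.example.test", seen))   # None
    print("wrong site:", verify_token(token, "intranet.example.test", set()))  # None
```

In a real deployment the link should travel over HTTPS, and site B should drop the token from the URL (and from access logs) as soon as it has set its own session cookie.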