SharePoint 2010 Claims based authentication: Single Sign on between web applications
-
Thursday, March 03, 2011 4:59 AM
Hi all,
I have two SharePoint Web applications, info is as below:
1. http://mysrv:8001/
2. http://mysrv:8002/
I used claims-based authentication for the web apps. Is there any way to log in to one but stay logged in across all sites?
Thanks in advance,
Hai
All Replies
-
Thursday, March 03, 2011 10:56 AM
Not really. When the STS gets wa=wsignout1.0 the cookie is no longer valid; however, SharePoint does not sign out properly (see: http://social.msdn.microsoft.com/Forums/en/sharepoint2010setup/thread/4556a19a-6981-40db-b644-27188e066a0a), so it will be possible for one site to be signed out while access to the other site is possible for a limited time.
Also check out: http://blogs.technet.com/b/speschka/archive/2010/08/09/setting-the-login-token-expiration-correctly-for-sharepoint-2010-saml-claims-users.aspx
- Marked As Answer by Aaron Han - MSFTModerator Thursday, March 10, 2011 2:15 AM
- Unmarked As Answer by Trieu Thanh Hai Tuesday, March 29, 2011 3:41 PM
-
Tuesday, March 29, 2011 3:43 PM
My need is: when I log in to site 1 and then open site 2, I do not need to log in again. Please help.
Thanks,
Hai
-
Wednesday, March 30, 2011 3:03 AM
Yes, that is how the Trusted Identity Provider should work using WIF; however, SharePoint does not perform the proper redirects (http://social.msdn.microsoft.com/Forums/en-US/sharepoint2010general/thread/7f4f13a8-6f22-40b4-a71d-5ea3c9c1a5fe/#fd2dfe40-dff7-418d-9d8a-aaa825f53556), at least using SharePoint 2010 RTM. I will be testing the Feb 2011 CU shortly to see if this has been fixed. The STS is the SSO for all sites that trust it.
-
Wednesday, March 30, 2011 2:50 PM
Dear MULTISY,
Thanks so much for your response. I am a beginner with Claims Based Authentication in SharePoint 2010. It would be great if you could guide me on how to set up single sign-on for the sites.
My scenario is: I have two sites (http://mysrv:8002/ and http://mysrv:8003/). They are in different web applications. The requirement is: if I log in to site 1, then the current credential is valid for site 2, so the user won't be asked to log in again.
Thanks very much in advance!
Hai
-
Wednesday, March 30, 2011 5:18 PM
Here's where I started some 6 months ago: http://msdn.microsoft.com/en-us/library/ff955607.aspx
This guides you through creating your own IP-STS (Trusted Identity Provider). I was able to get SSO to work navigating between SharePoint and other web applications, but using this for different web applications in the same SharePoint farm resulted in endless redirects to the STS. The other web applications worked because you need to code the WIF part yourself to work with the IP-STS; you're stuck when SharePoint doesn't work.
I have since given up on using a custom IP-STS, and opted to use a Custom ClaimProvider (internal to SharePoint) for generating claims. Two major reasons are WSP deployment (with granular control of the PickerEntity in the People Picker) and independence from authentication. The generated claims are simply based upon however the user signed in. This solution only works if using SharePoint sites.
Of course there is ADFS 2.0; I would recommend this if you need SSO for non-claims-aware applications, because ADFS can create Windows tokens, which is actually pretty cool.
At least SharePoint 2010 gives you far more options than before.
-
Friday, April 01, 2011 6:14 AM
Hi MULTISY,
I've tried the solution; so far it works. I have an issue related to configuring the Trusted Identity Provider for multiple web applications. I've used the Windows Forms app, see the code below:

    SPSecurityTokenServiceManager manager = SPSecurityTokenServiceManager.Local;
    SPTrustedLoginProvider provider = new SPTrustedLoginProvider(
        manager,
        "WingtipSTS",                                                // name
        "WingtipSTS",                                                // description
        new Uri("http://localhost:48924/WingtipSTS/default.aspx"),   // STS sign-in URI
        "http://haitt-sps:9090/_trust/",                             // default provider realm
        strClaimMapping.ToArray(),                                   // claim type mappings
        idClaim);                                                    // identity claim type

I want to apply it to the application on port 9091 but I don't know how. I've tried using the ProviderRealms property, but it doesn't work.
Please advise.
Thanks so much,
Hai
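An added example, not code from this thread or from the WingtipSTS walkthrough, showing how a second web application is registered with an existing trusted identity provider through its ProviderRealms collection, done from the SharePoint 2010 Management Shell rather than a Windows Forms app. The provider name "WingtipSTS", the port 9091 web application URL and the realm string are assumptions; the custom STS must also be configured to accept that realm and to post the token back to http://haitt-sps:9091/_trust/, otherwise sign-in for the second application loops or fails:

```powershell
# Added example (not from the original thread). Adds a ProviderRealms entry for a
# second SharePoint web application on an existing SPTrustedLoginProvider.
# Names and URLs below are assumed placeholders.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$providerName = "WingtipSTS"                     # assumed: name used when the provider was created
$newWebAppUrl = "http://haitt-sps:9091"          # assumed: root URL of the second web application
$newRealm     = "urn:sharepoint:haitt-sps-9091"  # assumed: realm string the STS is configured for

$ti = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
if (-not $ti) { throw "Trusted identity provider '$providerName' not found" }

# ProviderRealms is keyed by the web application URI; the value is the
# wtrealm that SharePoint sends to the STS for requests to that URI.
$uri = New-Object System.Uri($newWebAppUrl)
if ($ti.ProviderRealms.ContainsKey($uri)) {
    Write-Host "Realm already registered for $newWebAppUrl : $($ti.ProviderRealms[$uri])"
} else {
    $ti.ProviderRealms.Add($uri, $newRealm)
    $ti.Update()
    Write-Host "Added realm $newRealm for $newWebAppUrl"
}

# Verify what SharePoint will send for each web application. Any web application
# not listed here falls back to DefaultProviderRealm, which in the thread is the
# port 9090 /_trust/ URL, so the STS would post the token to the wrong application.
$ti = Get-SPTrustedIdentityTokenIssuer -Identity $providerName
Write-Host "DefaultProviderRealm: $($ti.DefaultProviderRealm)"
$ti.ProviderRealms.GetEnumerator() |
    Select-Object @{n='WebApplication';e={$_.Key}}, @{n='Realm';e={$_.Value}} |
    Format-Table -AutoSize
```

Two things still have to be true for the port 9091 application to sign in: the web application itself must be switched to the trusted provider (Central Administration > Manage web applications > Authentication Providers), and the STS must map the new realm to the 9091 reply URL and sign with the same certificate that was imported for the provider. A request for a web application with no ProviderRealms entry is sent with DefaultProviderRealm, which is why the token keeps landing on the 9090 application.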
-
Monday, January 30, 2012 2:59 PM
Hi Folks
I am stuck with an issue.
We have configured the trusted identity provider successfully, and we get the login page and a redirect to the SharePoint site after authentication, but this works only with "Local". When we open the site from somewhere other than local, we get an error like "website cannot be found".
Thanks in advance,
Praveen
-
Monday, January 30, 2012 5:58 PM
This problem could be related to BackConnectionHostNames.
Search the topic; it could be the fix you are looking for.
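An added example, not from the thread, of the BackConnectionHostNames fix the reply points at: it registers the SharePoint host names in the loopback-check exception list under HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0 instead of turning the check off machine-wide with DisableLoopbackCheck, which would weaken the server against reflection attacks on every host name. The host names are assumed placeholders; run it in an elevated PowerShell on the SharePoint server:

```powershell
# Added example (not from the original thread). Adds host names to the
# BackConnectionHostNames multi-string so local requests using those names
# pass the Windows loopback check. Host names below are assumed placeholders.
$hostNames = @("haitt-sps", "sharepoint.contoso.local")

$keyPath   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
$valueName = "BackConnectionHostNames"

# Read whatever is already registered so existing entries are preserved.
$existing = @()
$prop = Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.$valueName) }

# Merge case-insensitively and drop blanks; REG_MULTI_SZ must not contain empty strings.
$merged = @(($existing + $hostNames) | Where-Object { $_ -and $_.Trim() } |
            ForEach-Object { $_.Trim().ToLowerInvariant() } | Select-Object -Unique)

if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
New-ItemProperty -Path $keyPath -Name $valueName -Value $merged `
    -PropertyType MultiString -Force | Out-Null

# Show the result. The change takes effect after the IISAdmin service is restarted
# (or the server rebooted).
Write-Host "$valueName is now:"
(Get-ItemProperty -Path $keyPath -Name $valueName).$valueName | ForEach-Object { "  $_" }

# Warn if someone has already disabled the check globally; that setting should be
# removed once the scoped list above is in place.
$lsa = Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa" -Name DisableLoopbackCheck -ErrorAction SilentlyContinue
if ($lsa -and $lsa.DisableLoopbackCheck -eq 1) {
    Write-Warning "DisableLoopbackCheck=1 is set; consider removing it now that BackConnectionHostNames is configured."
}
```

Use the exact host names (and FQDNs) that appear in the web applications' alternate access mappings; the loopback check only matters for requests that originate on the server itself, so a "website cannot be found" error seen from another client is more likely a DNS or alternate access mapping problem than this setting.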