Single Sign on - C#/C++ .Net NON-web application

  • Question

  • Hi there,

    We have a client/server .Net application. The client talks to the server over an SSL/TCP socket. The server maintains a user table to authenticate and authorize user access. Right now, we are looking to integrate Windows credentials to allow users to sign on to the server through the client without supplying their credentials again. I have read pieces of information about SSO (ADFS, Kerberos, SAML, SSPI, claim-based authentication, etc.), but I have not been able to string them together into a feasible solution.

    So far, it seems that I have two options: 

    1. Implement a SAML client proxy that somehow passes the Kerberos token to ADFS, obtains a SAML assertion and then passes it to the server. (We are looking into implementing SAML on the server side.) But this looks fairly involved. I would love to know if there is any library already available to achieve this, so I don't need to talk to ADFS directly.

    2. Use SSPI to pass the Kerberos token to the server; the server impersonates the client, makes a connection to ADFS, gets the rules and determines if the user is authorized. I don't even know if this is the way to go. If so, I need more specific information about implementing this. If not, please give me some pointers.

    How do people usually resolve this kind of problem?

    Thanks in advance,

    HZ
    Tuesday, August 6, 2013 1:34 PM
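
The SSPI leg of option 2, as an added example that is not part of the thread: .NET's `NegotiateStream` runs the Negotiate (Kerberos/NTLM) exchange over a TCP stream, so the server learns the caller's Windows account and can look it up in its own user table. The `UserTable` contents, the role name and the in-process loopback client are assumptions made so the sketch runs on one Windows machine.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Principal;
using System.Threading.Tasks;

static class SspiSignOnDemo
{
    // Hypothetical stand-in for the server's user table: Windows account -> application role.
    static readonly Dictionary<string, string> UserTable =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        { { WindowsIdentity.GetCurrent().Name, "operator" } };

    static string Serve(TcpListener listener)
    {
        using (TcpClient conn = listener.AcceptTcpClient())
        using (var auth = new NegotiateStream(conn.GetStream(), false))
        {
            // Identification lets the server learn who the caller is without being
            // able to act as them; a table lookup needs nothing more.
            auth.AuthenticateAsServer(CredentialCache.DefaultNetworkCredentials,
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
            if (!auth.IsAuthenticated) return "denied: not authenticated";
            // The account name comes from the SSPI exchange, never from a client-supplied field.
            string account = auth.RemoteIdentity.Name;
            return UserTable.TryGetValue(account, out string role)
                ? account + " -> " + role
                : "denied: " + account + " is not in the user table";
        }
    }

    static void Main()
    {
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;
        Task<string> server = Task.Run(() => Serve(listener));
        using (var client = new TcpClient("127.0.0.1", port))
        using (var auth = new NegotiateStream(client.GetStream(), false))
        {
            // Uses the logged-on user's credentials, so there is no password prompt.
            // The second argument is the server's SPN; it is empty here (an assumption
            // for loopback), in which case Negotiate typically falls back to NTLM.
            auth.AuthenticateAsClient(CredentialCache.DefaultNetworkCredentials, "",
                ProtectionLevel.EncryptAndSign, TokenImpersonationLevel.Identification);
            Console.WriteLine(server.Result);
        }
        listener.Stop();
    }
}
```

In a domain deployment the client would pass the server's real SPN so that Kerberos is selected, and both sides can then check `IsMutuallyAuthenticated` before trusting the channel.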

Answers

  • Hi,

    First, please refer to the following articles to see if they help.

    #Single Sign On with WCF:
    http://aspguy.wordpress.com/2011/07/30/single-sign-on-with-wcf-and-asp-net-custom-membership-provider/ .

    #Building a Single Sign On Provider Using ASP.NET and WCF:
    http://www.developmentalmadness.com/2009/07/building-single-sign-on-provider-using.html .

    Then, as another choice, please try Shibboleth; it's an open source implementation of SAML. It's a proper implementation of SSO. There will be an Identity Provider and a Service Provider for each of your web apps. The request is sent to the Identity Provider from the Service Provider, and the Identity Provider is responsible for authenticating and authorizing the users on all domains if a user logs in on some domain.

    There are plenty of third-party SSO solutions available, but I'll recommend Shibboleth; you just need to configure it properly and that's all. Moreover, it's an open source solution.

    #Shibboleth:
    http://shibboleth.net/ .

    Best Regards.
     


    Amy Peng
    Monday, August 12, 2013 9:46 AM
    Moderator
  • They go to the WCF wizard in Visual Studio using dotNet4.5, download the I&A tool to the IDE, which duly configures SSO for web services by inducing the client to first talk to ADFS.
    Tuesday, August 6, 2013 7:45 PM

All replies

  • Thanks for the reply, Peter. Would you give me more information?

    1. My client talks to the server using the WinInet library - pretty low level. It is not Web Services. Is the I&A tool still applicable?

    2. Is there a library that enables the client to send a Kerberos RST to the STS (ADFS in my case) and receive the SAML token back? It appears that WSTrustChannelFactory and WSTrustChannel might be able to do so. Do they? Is there a better way?

    3. Assuming the client has the SAML token, how can I pass it to the server using the WinInet HTTP client?

    Please point me in the right direction.

    Thanks,

    HZ


    • Edited by H Zeng Wednesday, August 7, 2013 3:02 PM
    Wednesday, August 7, 2013 2:51 PM