ASP.NET OWIN - How to set the CookieDomain to make SSO work across a domain and its subdomains

  • Question

  • User1025234105 posted

    I am trying to flow the asp.net authentication cookie from one MVC 5 website to another, on the same parent domain, using OWIN cookie authentication. I couldn't make it work on the real sites, so have created an isolated test solution with two web app projects, and hosted them locally in IIS 7.5 with hosts "owinauth" and "app2.owinauth" (both mapped to 127.0.0.1 in the hosts file). I have trawled the web the last couple of days and tried setting the CookieDomain property to ".owinauth" in my Startup file, giving both sites the same machine key and have tried custom CookieManagers/CookieProviders to set the cookie domain, but to no avail. Nothing seems to quite work. The cookie is never sent with the request to app2, but I also have experienced problems logging in to and out of the owinauth site when I set the CookieDomain. Different setups exhibit different issues.

    So, could somebody in the know please be so kind as to explain the prerequisites for making sub-domain SSO work with OWIN? I would be very grateful. I would like to know which NuGet packages must be installed, and versions, the code required in Startup for both sites, any web.config changes, machine key pre-requisites, etc.

    We also have a WebForms site on the same domain (different sub domain of course), which also uses OWIN authentication, on which we would want to implement the same SSO as the MVC apps. Are there any gotchas in that scenario too please?

    Thanks in advance!

    Thursday, March 3, 2016 9:36 PM

All replies

  • User614698185 posted

    Hi hjjd,

    Welcome to ASP.NET Forums!

    In Startup.Auth.cs, you will see something like:

    app.UseSignInCookies();

    Replace this with the explicit configuration of the cookie auth:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login")
    });

    The CookieAuthenticationOptions class has a CookieDomain property.

    For more information about Single Sign On for cross-domain, please see:

    http://www.codeproject.com/Articles/106439/Single-Sign-On-SSO-for-cross-domain-ASP-NET-applic

    http://www.codeproject.com/Articles/114484/Single-Sign-On-SSO-for-cross-domain-ASP-NET-appl

    Best Regards,

    Candice Zhou

    Friday, March 4, 2016 5:58 AM
  • User1025234105 posted
    Hi Candice, Thanks for the response, but I've seen all that I'm afraid, and the article relates to the pre-OWIN days.
    I am trying to specify the cookie domain in the CookieAuthenticationOptions.
    Friday, March 4, 2016 8:04 AM
  • User614698185 posted

    Hi hjjd,

    If you want to share cookies for an SSO application, signing in will involve loading data and adding them as Claims into a new ClaimsIdentity. A Claim can be any name-value pair that will be associated with a particular user. The OWIN cookie middleware will then encrypt that information and store it in a cookie. In subsequent requests, the middleware will decrypt the cookie to check if the user is currently authenticated. In the application, we will have access to the Claims without needing to check the database with every request.

    Please see:

    https://blogs.msdn.microsoft.com/cdndevs/2015/02/18/evolving-asp-net-appscookie-authentication/

    http://www.codeproject.com/Tips/438319/Sharing-Authentication-Cookie-between-two-ASP-NET

    Best Regards,

    Candice Zhou

    Wednesday, March 9, 2016 9:05 AM
  • User1025234105 posted

    Hi Candice,

    Thanks for replying again, but I'm afraid that's not my issue either. I have already set the ClaimsPrincipal, etc., and I can get the authentication cookie to flow to the other site if it's set up as a child application of the main site - i.e. http://MainSite/ChildSite - and so they are on the same domain. However, what I want to do is have the child site on a different sub-domain, so that the url becomes http://ChildSite.MainSite.

    The second article you posted is out of date. It doesn't work that way anymore. The way the documentation suggests one does it is by setting the CookieDomain property in the options in the OWIN Startup, thus:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        CookieDomain = ".MainSite"
    });

    But it doesn't work. Do you see my problem?

    Many Thanks,

    Henry

    Wednesday, March 9, 2016 10:09 AM
  • User614698185 posted

    Hi hjjd,

    The second article you posted is out of date. It doesn't work that way anymore. The way the documentation suggests one does it is by setting the CookieDomain property in the options in the OWIN Startup,

    You should use the same machineKey in the web.config. Please see:

    http://www.alexboyang.com/2014/05/28/sso-for-asp-net-mvc4-and-mvc5-web-apps-shared-the-same-domain/

    Best Regards,

    Candice Zhou

    Thursday, March 10, 2016 8:39 AM
  • User1025234105 posted

    Hi Candice, please refer back to my first post - I've already tried setting the machine keys. Anyway, the cookie doesn't even get sent to the sub domain site from the browser, so the machine key issue won't have even come into play at that point (it's required when the sub domain site wants to decrypt the cookie, as I understand it).

    Thursday, March 10, 2016 12:13 PM
  • User614698185 posted

    Hi hjjd,

    I think you should use Developer Tools (F12) to check your HTTP messages. And you should make sure the cookie domain is set correctly in your HTTP responses.

    Best Regards,

    Candice Zhou

    Tuesday, March 15, 2016 9:40 AM
  • User1025234105 posted

    Hi Candice,

    That's how I know that the cookie is never sent with the request to app2. Sorry, I should have made it clear in the original question that the cookie domain is being set in requests to the main site, but the cookie is not being sent at all with the requests to the sub-domain site. So, for some reason, Chrome decides that the cookie domain ".owinauth" does not relate to requests for "app2.owinauth" and it doesn't send the cookie.

    Regards,

    Henry

    Tuesday, March 15, 2016 9:56 AM
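The behaviour Henry describes (a Set-Cookie header carrying Domain=.owinauth that the browser never sends to app2.owinauth) is the check a practitioner would want to reproduce offline before touching OWIN. The following console program is an added example by the editor, not code from the thread: it models the two browser-side rules that decide the outcome, RFC 6265 §5.1.3 domain matching and the refusal of a Domain attribute that is a single label (browsers treat such a value like a top-level domain or public suffix and drop the cookie). The hostname `owinauth.test` / `app2.owinauth.test` is a constructed alternative to the thread's names, chosen because it has two labels.

```csharp
using System;

// Added example (editor's, not from the thread): a minimal model of how a browser decides
// whether a Set-Cookie "Domain=" attribute is accepted and whether a stored cookie is sent
// to a given host. Host names are the thread's ("owinauth", "app2.owinauth") plus constructed
// two-label alternatives under the reserved ".test" TLD.
public static class CookieDomainCheck
{
    // Normalise a Domain attribute: lower-case, strip one leading dot.
    private static string Canon(string domain)
    {
        return domain.TrimStart('.').ToLowerInvariant();
    }

    // RFC 6265 section 5.1.3: a host domain-matches the domain string when it is equal to it
    // or ends with "." followed by it.
    public static bool DomainMatches(string host, string domain)
    {
        host = host.ToLowerInvariant();
        domain = Canon(domain);
        return host == domain || host.EndsWith("." + domain, StringComparison.Ordinal);
    }

    // Would the browser store a cookie carrying this Domain attribute when it is set by
    // setByHost? When not, 'reason' explains why.
    public static bool AcceptsDomainCookie(string setByHost, string domainAttr, out string reason)
    {
        string domain = Canon(domainAttr);

        if (!DomainMatches(setByHost, domain))
        {
            // RFC 6265 section 5.3, step 6: the setting host must be covered by the domain.
            reason = "Domain does not cover the host that set the cookie";
            return false;
        }

        if (domain.IndexOf('.') < 0)
        {
            // A single label looks like a top-level domain; browsers refuse domain cookies
            // for public suffixes, and a dotless hosts-file name falls under that rule.
            reason = "Domain is a single label and is treated like a public suffix";
            return false;
        }

        reason = null;
        return true;
    }

    public static void Main()
    {
        // Each row: host that sets the cookie, Domain attribute, host of the later request.
        string[][] cases =
        {
            new[] { "owinauth",      ".owinauth",      "app2.owinauth"      }, // the thread's setup
            new[] { "owinauth.test", ".owinauth.test", "app2.owinauth.test" }, // constructed two-label name
            new[] { "owinauth.test", ".other.test",    "app2.owinauth.test" }, // Domain not covering the setter
        };

        foreach (string[] c in cases)
        {
            string why;
            bool stored = AcceptsDomainCookie(c[0], c[1], out why);
            bool sent = stored && DomainMatches(c[2], c[1]);
            Console.WriteLine("{0} sets Domain={1}: stored={2}{3}, sent to {4}={5}",
                c[0], c[1], stored, stored ? "" : " (" + why + ")", c[2], sent);
        }
    }
}
```

Run against the first row the cookie is rejected at storage time, which is why no later request to app2 carries it regardless of machine keys or cookie managers; the second row shows that the same OWIN configuration works once the hosts-file name has a registrable parent domain.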
  • User458742136 posted

    Hi Hjjd,

    Would you mind sharing your project code with us on GitHub or Dropbox?

    Thanks.

    Wednesday, March 23, 2016 2:31 AM
  • User458742136 posted

    Hi Hjjd,

    Hope this blog could help you:

    http://arunendapally.com/post/implementation-of-single-sign-on-(sso)-in-asp.net-mvc

    Regards.

    Friday, March 25, 2016 9:02 AM
  • User1025234105 posted

    Hi Ray,

    Thanks for your responses. Unfortunately, the blog post you mentioned is not applicable to my scenario, as I am using OWIN authentication.

    I'm afraid I can't post the actual code, but I will pull together an example solution and post it as soon as I can.

    Many Thanks,

    Henry

    Friday, April 1, 2016 11:57 AM
  • User1343519921 posted

    Hi Hijjd,

    I have the exact same issue that you are having. Were you able to figure out a solution?

    Thursday, April 21, 2016 5:12 PM
  • User1025234105 posted

    Hi William,

    I couldn't get the subdomain solution to work (i.e. www.site.com and www.sub.site.com), so I went for creating sub-applications instead. So I end up with www.site.com/sub. In case you don't know, this is just a case of right-clicking on the web app in IIS and selecting "Add Application".

    OWIN startup in both parent and child sites is simply:

    app.UseCookieAuthentication(new CookieAuthenticationOptions
    {
        AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
        LoginPath = new PathString("/Account/Login"),
        // etc. ... whatever other settings you use
    });

    To get this to work you MUST set the machine key to auto-generate in the main site, otherwise the sub-site won't be able to decrypt the auth cookie. You shouldn't need to set this in the sub site(s). The web.config is as follows:

    <system.web>
        <!-- This is ESSENTIAL to get the sub-app to read the auth cookie -->
        <machineKey decryptionKey="AutoGenerate" validationKey="AutoGenerate" />
    </system.web>

    The docs would have you believe that you can just set the CookieDomain property in the CookieAuthenticationOptions to make sub-domain authentication work. I tried endless combinations, following numerous suggested approaches, but the browser (tried Chrome and IE) refused to even send the cookie to requests for the sub-domain.

    Hope this helps you!

    Cheers,

    Henry

    Monday, April 25, 2016 9:32 AM
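The original question asked for the Startup code both sites need, and Henry's last post shows the settings that ended up mattering. The following Startup.Auth.cs is an added example by the editor, not code from the thread or from the OWIN project: it lists the CookieAuthenticationOptions values that have to be identical on both sites for a sub-domain SSO cookie to be shared. The parent domain `.owinauth.test` and the cookie name `.AspNet.SharedSso` are constructed placeholders; a two-label name is assumed because browsers drop a single-label Domain attribute such as `.owinauth`.

```csharp
using System;
using Microsoft.AspNet.Identity;
using Microsoft.Owin;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Added example (editor's, not from the thread): cookie middleware configuration that
// both the parent site and the sub-domain site must use verbatim. Domain and cookie name
// below are constructed placeholders.
public partial class Startup
{
    // Constructed values: replace with the real parent domain. The leading dot is accepted
    // by the middleware and ignored by browsers; the name must have at least two labels.
    private const string ParentDomain = ".owinauth.test";
    private const string SharedCookieName = ".AspNet.SharedSso";

    public void ConfigureAuth(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = DefaultAuthenticationTypes.ApplicationCookie,
            LoginPath = new PathString("/Account/Login"),

            // Same name on both sites, otherwise the second site looks for a cookie
            // the first one never set.
            CookieName = SharedCookieName,

            // Parent domain so the browser sends the cookie to every sub-domain.
            // It must also cover the host that issues it, or the browser drops it.
            CookieDomain = ParentDomain,

            // Root path: a sub-application would otherwise get a path-scoped cookie.
            CookiePath = "/",

            // The cookie carries the whole identity, so keep it out of script and off plain HTTP.
            // Use CookieSecureOption.SameAsRequest only while testing over http:// in IIS.
            CookieHttpOnly = true,
            CookieSecure = CookieSecureOption.Always,

            // Lifetime settings must agree as well, or one site will renew a ticket
            // the other considers expired.
            ExpireTimeSpan = TimeSpan.FromMinutes(30),
            SlidingExpiration = true
        });
    }
}
```

The cookie payload is protected with the ASP.NET machine key when the middleware runs under Microsoft.Owin.Host.SystemWeb, so both web.config files also need the same explicit `<machineKey validationKey="..." decryptionKey="..." validation="HMACSHA256" decryption="AES" />` with real generated values in place of the dots (two separate IIS sites do not share an auto-generated key unless the `IsolateApps` modifier is removed, which is what Henry's `AutoGenerate` setting does for his parent/child layout). If the cookie still does not arrive at the second site, check the stored cookies in the browser's developer tools before the request rather than the Set-Cookie header in the response: a rejected Domain attribute shows up as a cookie that was sent by the server but never stored.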