how to set up single sign on that uses the same Live ID for an Azure app and a custom app

  • Question

  • I have an Azure hosted web page (say an employee portal page) that uses Live ID auth. This is an aspx page. It works fine.

    I have another cloud app (company app) that uses Live ID to authenticate users; the application uses a SQL database to store and maintain employee and application related information. All is working well. It's not an aspx app per se.

    Sometimes we have the need to create custom web pages for specific users to extend the "company app" functionality. It's a bit limited in scope as far as what complex queries we can do and how we can display the query results in a more interactive manner, hence the need to build custom web pages.

    The custom web page works fine, i.e. user A can log in using Live ID, perform additional operations and see the results in the GridView etc. I am using the Azure Live ID auth mechanism to first authenticate the user and then run a check against the SQL database to see if this user has the necessary permission to access this web page. That's where I need some help.

    (So far, I had to hardcode a connection string in the web.config file with an admin user account, and use this user account to connect to the SQL database, query the user table and check if the logged-in user A.) I read somewhere in a blog that I could use the Live Connect SDK to establish Single Sign On, i.e. say the following sequence of activity:

    1) User A logs in to the Company app - say www.abc.com/myapp - using Live ID xyz@live.com

    2) User A goes to the custom web page www.myazure.cloudapp.net -> enters the same Live ID;

    Here, when user A completes step 1 and then accesses step 2, I would want him to automatically log in to the Azure app, since the login is the same Live ID. How could I achieve this?

    Another valid business case: the company app allows us to put a link or iFrame, if you will, that can host the Azure page within the Company application - say in one of its pages. So it would be awkward for the user to re-enter the login credentials again. Of course, when the user clicks on the link or iFrame, it takes the user to another browser to display the Azure page.

    Any thoughts on how I can do this will be very helpful. Thank you.

    Wednesday, July 25, 2012 12:45 PM

Answers

  • Hi,

    First of all let me restate the problem to see if I understood it correctly.

    1) The first application runs on Windows Live ID authentication.

    2) Your cloud application also runs on Live ID authentication.

    When the user logs in to the first application and navigates to the second application, you would want to let the user access your second application (cloud application) without asking for user credentials again.

    If my understanding is correct, let me explain.

    I believe your first app is running in some environment and the second app is in the cloud (Azure). Practically they are two different applications running in different environments.

    If you want to enable single sign on between these applications they must share the user credentials so that the user can log in to any of the applications and seamlessly access the other application.

    One approach: if your first application and second application are using the same authentication mechanism with Windows Live ID, single sign on is an out-of-the-box experience as long as the user is navigating within the same browser (Windows Live ID creates session cookies).

    If one application is integrated with Windows Live ID, say the OpenID way, and your cloud application is using ACS to authenticate with Windows Live ID, SSO is still possible as long as the user is navigating within the same browser.

    How it works is, when the user logs in to your first application, it redirects the user to the Windows Live ID page and after the user logs in, login.live.com creates a session cookie. When your user navigates to the second application and it redirects to the Windows Live login page, if the second application is also using the same approach as the first application, then login.live.com automatically recognizes the session cookie and redirects back to the application with the user information. In the other case, if the second application is using say ACS, ACS would redirect the user to login.live.com and again it recognizes the session cookie and, without asking for creds again, it issues tokens to ACS and ACS provides tokens to the second app.

    In any SSO scenario, without sharing some common store SSO is not possible. Many SSO scenarios are achieved the SAML/WS-Fed way. In this approach the common store for sharing user info is the federation cookies created by the STS or IdPs.

    In the classic way, authentication providers create their own cookies to recognize the user and, without asking for creds again, they share the same information with the other app. Even in the case of the Live SDK it's the same approach and a simple concept :-).

    If you can give me the design / architecture of the authentication model you used for your applications, I can help you with any suggestions.

    Please mark the replies as Answered if they help and Vote if you found them helpful.

    • Proposed as answer by Veerendra Kumar Friday, August 3, 2012 8:22 AM
    • Marked as answer by Iric Wen Sunday, August 5, 2012 11:03 AM
    Wednesday, August 1, 2012 2:06 PM
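The cookie-based flow the answer describes, as an added example that is not part of the original thread: a constructed Python model in which one identity provider (playing login.live.com) prompts once and sets a session cookie, a federation hop (playing ACS) forwards to it and re-issues a token, and each app accepts only a token signed for its own host. The ACS host, the keys and the "user|audience|sig" token format are assumptions; the app hosts and the Live ID are the ones from the question.

```python
# Constructed model of the SSO flow the answer describes; hosts, keys and token format are assumptions.
import hashlib, hmac, secrets

def sign(key, user, audience):
    payload = f"{user}|{audience}"
    return payload + "|" + hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()

def verify(token, key, audience):  # accept only a valid signature issued for this audience
    user, aud, sig = token.split("|")
    expected = hmac.new(key, f"{user}|{aud}".encode(), hashlib.sha256).hexdigest()
    if aud != audience or not hmac.compare_digest(sig, expected):
        raise ValueError("token rejected")
    return user

class Browser:
    def __init__(self):
        self.cookies = {}  # host -> {cookie name: value}: one jar per browser instance
        self.prompts = 0   # times the user had to type credentials

class IdentityProvider:  # plays login.live.com
    host, key = "login.live.com", b"constructed-idp-key"
    def __init__(self):
        self.sessions = {}  # session id -> user
    def authorize(self, browser, typed_user, return_to):
        sid = browser.cookies.get(self.host, {}).get("sid")
        if sid not in self.sessions:  # no session cookie: the user has to sign in
            browser.prompts += 1
            sid = secrets.token_hex(8)
            self.sessions[sid] = typed_user
            browser.cookies.setdefault(self.host, {})["sid"] = sid
        return sign(self.key, self.sessions[sid], return_to)  # redirect back with token

class Acs:  # plays ACS: keeps no session, forwards to the IdP, re-issues for the app
    host, key = "example.accesscontrol.windows.net", b"constructed-acs-key"
    def __init__(self, idp):
        self.idp = idp
    def authorize(self, browser, typed_user, return_to):
        idp_token = self.idp.authorize(browser, typed_user, self.host)
        return sign(self.key, verify(idp_token, self.idp.key, self.host), return_to)

def app_login(app_host, issuer, browser, typed_user):  # what each relying party does
    return verify(issuer.authorize(browser, typed_user, app_host), issuer.key, app_host)
def demo():
    idp = IdentityProvider()
    same = Browser()  # hosts and the Live ID below are the ones from the question
    users = [app_login("www.abc.com", idp, same, "xyz@live.com"),
             app_login("www.myazure.cloudapp.net", Acs(idp), same, "xyz@live.com")]
    fresh = Browser()  # another browser has no login.live.com cookie, so it is prompted
    users.append(app_login("www.myazure.cloudapp.net", Acs(idp), fresh, "xyz@live.com"))
    return same.prompts, fresh.prompts, users
```

demo() returns (1, 1, [...]): the same browser is prompted once for both apps, a second browser is prompted again, which is the caveat behind the answer's "within the same browser" and the question's iFrame-in-another-browser case.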

All replies

  • Can anyone help?

    Monday, July 30, 2012 1:41 AM
  • I'm afraid this thread is off-topic in this forum.

    For your requirement, posting this thread to the forum which relates to Windows Azure would be better.

    Tuesday, July 31, 2012 6:19 AM