Single sign-on is a feature which enables users to authenticate just once and then access multiple websites without having to enter their logon credentials again for each site. There are two ways to achieve this:
•Single sign-on on the same main domain - this approach lets you configure single sign-on for multiple sites running on the same main domain (e.g. site1.example.com, site2.example.com, etc.) in IIS. The sites do not need to be running Kentico CMS.
•Single sign-on across different domains - this approach requires all websites to run in a single instance of Kentico CMS, but they can use completely different domains.
The sections below describe necessary configuration for each approach.
Single sign-on on the same main domain is supported in the following scenarios:
If you are using Forms authentication and need to share the user identity across applications that run on the same main domain, all of which use standard ASP.NET 2.0 Forms authentication, you need to ensure that:
1. All applications use the same user database, or at least the same user names. You may need to integrate the authentication using a custom security handler; the ticket only carries the user name, so a name that maps to different accounts in different applications would silently grant the wrong identity.
2. The web.config files of all applications use the same authentication cookie name and the cookie path is set to "/":
<forms name=".ASPXFORMSAUTH" path="/" ... />
3. The web.config files of all applications use the same machine key. The machine key is not present in the web.config by default (ASP.NET then auto-generates a key per application, so tickets issued by one application cannot be validated by another). Generate the key locally, for example with the Machine Key feature in IIS Manager or a cryptographically secure random generator, rather than pasting a value from a public web page: anyone who knows the machine key can forge a valid authentication ticket for every application that shares it. Once you have a key generated, add it to the <system.web> section the following way:
<machineKey validationKey="ABCD0708...." decryptionKey="DDFF8943...." validation="SHA1" />
SHA1 is the algorithm available with ASP.NET 2.0; on .NET Framework 4 and later use validation="HMACSHA256" or stronger.
4. If your applications run on different sub-domains, such as www.example.com and forums.example.com, you need to set the domain attribute of the authentication cookie to the main domain so that it is shared across the sub-domains:
<forms name=".ASPXFORMSAUTH" path="/" domain=".example.com" ... />
Note that the browser then sends the authentication cookie to every host under that domain, so every application hosted there can read it. Set the domain no wider than the set of applications that actually need to share identity.
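Before relying on a set of applications for single sign-on, it is worth verifying that their web.config files really satisfy the four requirements above. The following Python script is an added example, not part of the original page or of Kentico CMS: it parses the <forms> and <machineKey> elements from each application's web.config, reports every value that differs between applications, a cookie path other than "/", a missing or auto-generated machine key, a weak validation algorithm, and a cookie domain that would not cover a host. The web.config fragments it contains are constructed for this example and the key values are placeholders.

```python
"""Consistency check for the forms-authentication SSO requirements: every
application must use the same cookie name, path "/", a shared cookie domain
and the same machineKey. Sample web.config fragments are constructed here."""
import xml.etree.ElementTree as ET

# Constructed sample: two applications on sub-domains of example.com whose
# configurations do NOT agree (cookie name, path, domain and decryptionKey differ).
BROKEN_WEB_CONFIGS = {
    "www.example.com": """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" path="/" domain=".example.com" loginUrl="~/Login.aspx" />
  </authentication>
  <machineKey validationKey="ABCD0708" decryptionKey="DDFF8943" validation="SHA1" />
</system.web></configuration>""",
    "forums.example.com": """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXAUTH" path="/forums" loginUrl="~/Login.aspx" />
  </authentication>
  <machineKey validationKey="ABCD0708" decryptionKey="0000FFFF" validation="SHA1" />
</system.web></configuration>""",
}

# Constructed sample: the same two applications configured correctly.
FIXED_WEB_CONFIGS = {
    host: """<configuration><system.web>
  <authentication mode="Forms">
    <forms name=".ASPXFORMSAUTH" path="/" domain=".example.com" loginUrl="~/Login.aspx" />
  </authentication>
  <machineKey validationKey="ABCD0708" decryptionKey="DDFF8943" validation="HMACSHA256" />
</system.web></configuration>"""
    for host in ("www.example.com", "forums.example.com")
}

WEAK_VALIDATION = {"MD5", "SHA1"}  # superseded by HMACSHA256 and stronger
SHARED_FIELDS = ("cookie_name", "cookie_path", "cookie_domain",
                 "validation_key", "decryption_key", "validation")


def extract_sso_settings(config_xml):
    """Pull the SSO-relevant attributes out of one web.config document, applying
    the ASP.NET defaults (.ASPXAUTH, path "/") where an attribute is absent."""
    root = ET.fromstring(config_xml)
    forms = next(root.iter("forms"), None)
    key = next(root.iter("machineKey"), None)
    return {
        "cookie_name": forms.get("name", ".ASPXAUTH") if forms is not None else None,
        "cookie_path": forms.get("path", "/") if forms is not None else None,
        "cookie_domain": forms.get("domain") if forms is not None else None,
        "validation_key": key.get("validationKey") if key is not None else None,
        "decryption_key": key.get("decryptionKey") if key is not None else None,
        "validation": key.get("validation") if key is not None else None,
    }


def check_sso_configs(configs):
    """Return a list of findings for a {host: web.config xml} mapping.
    An empty list means the applications can share forms-authentication tickets."""
    settings = {host: extract_sso_settings(xml) for host, xml in configs.items()}
    findings = []
    # Requirements 2 and 3: these values must be identical in every application
    for field in SHARED_FIELDS:
        values = {host: s[field] for host, s in settings.items()}
        if len(set(values.values())) > 1:
            findings.append(f"{field} differs between applications: {values}")
    for host, s in settings.items():
        if s["cookie_path"] != "/":
            findings.append(f"{host}: cookie path is {s['cookie_path']!r}, must be '/'")
        for k in ("validation_key", "decryption_key"):
            if s[k] is None or s[k].startswith("AutoGenerate"):
                findings.append(f"{host}: {k} is missing or auto-generated, so tickets "
                                "issued by other applications cannot be validated here")
        if (s["validation"] or "").upper() in WEAK_VALIDATION:
            findings.append(f"{host}: validation={s['validation']} is weak; "
                            "use HMACSHA256 or stronger on .NET Framework 4+")
        # Requirement 4: the cookie domain must be a parent of every host that shares it
        if len(settings) > 1:
            domain = (s["cookie_domain"] or "").lstrip(".")
            if not domain:
                findings.append(f"{host}: no cookie domain set; the browser will not "
                                "send the ticket to other sub-domains")
            elif not (host == domain or host.endswith("." + domain)):
                findings.append(f"{host}: cookie domain {s['cookie_domain']!r} does not cover this host")
    return findings


if __name__ == "__main__":
    for name, configs in (("broken", BROKEN_WEB_CONFIGS), ("fixed", FIXED_WEB_CONFIGS)):
        print(f"{name}: {check_sso_configs(configs) or ['OK']}")
```

Run against real deployments by reading each application's web.config into the mapping instead of the constructed strings; the script deliberately treats an absent machineKey the same as an explicit AutoGenerate value, because both leave each application with its own key.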
If you are using Windows authentication, the user identity is shared within the Windows domain. No additional configuration is required.
Single sign-on across completely different domains in the same instance of Kentico CMS can be enabled by checking the Automatically sign-in user when site changes check-box in Site Manager -> Settings -> Security & Membership.
With this option enabled, no further configuration is necessary - users only need to enter their logon credentials once. After that, they can switch between different sites running in the CMS using the Site drop-down list in CMS Desk, without the need to enter their logon credentials for each domain.
The single sign-on functionality is also available on your custom pages through the Kentico CMS API. The following code example shows how you can authenticate a user with a particular user name in your code. Note that this call does not check a password: your code is responsible for establishing that the caller really is that user (for example via an external identity provider) before invoking it.
using CMS.SiteProvider;  // AuthenticationHelper (Kentico CMS 6/7; CMS.Membership in later versions)
string userName = "testuser";
// Authenticates user with specified user name (no password check; false = session cookie only)
AuthenticationHelper.AuthenticateUser(userName, false);
The second code example shows how you can generate a URL with a user authentication token. When a user accesses this URL, they are automatically authenticated, so treat the URL as a credential: deliver it only over HTTPS and directly to the intended user, and do not write it to logs or share it where others can read it.
using CMS.GlobalHelper;  // URLHelper (Kentico CMS 6/7; CMS.Helpers in later versions)
using CMS.SiteProvider;  // AuthenticationHelper, UserInfo, UserInfoProvider (Kentico CMS 6/7; CMS.Membership later)
string userName = "testuser";
// Get user with specified user name
UserInfo userInfo = UserInfoProvider.GetUserInfo(userName);
if (userInfo != null)
{
    // Get authentication URL for specified user and target URL
    string url = AuthenticationHelper.GetUserAuthenticationUrl(userInfo, "/default.aspx");
    // Redirect the user to the target URL; the token in the URL authenticates them
    URLHelper.Redirect(url);
}