Kentico CMS 7.0 Developer's Guide

Single sign-on


Single sign-on is a feature which enables users to authenticate just once and then access multiple websites without having to enter their logon credentials again for each site. There are two ways to achieve this:

 

Single sign-on on the same main domain - this approach lets you configure single sign-on for multiple sites running on the same main domain (e.g. site1.example.com, site2.example.com, etc.) in IIS. The sites do not need to be running Kentico CMS.

Single sign-on across different domains - this approach requires all websites to run in a single instance of Kentico CMS; the sites themselves can use completely different domains.

 

The sections below describe necessary configuration for each approach.

 

Single sign-on on the same main domain

 

Single sign-on on the same main domain is supported in the following scenarios:

 

Forms Authentication

 

If your applications all use standard ASP.NET 2.0 Forms authentication and you need to share the user identity across them while they run on the same main domain, you need to ensure that:

 

1. All applications use the same user database or at least the same user names. You may need to integrate the authentication using a custom security handler.
 

2. The web.config files of all applications use the same authentication cookie name and the cookie path is set to "/":
 

<authentication mode="Forms">

 <forms name=".ASPXFORMSAUTH" path="/" ... />

</authentication>

 

3. The web.config files of all applications use the same machine key. The machine key is not present in web.config by default. Generate it locally with a cryptographically secure random number generator (for example the Machine Key feature in IIS Manager) rather than with an online generator: anyone who knows the validationKey and decryptionKey can forge a valid authentication ticket for any user, so the key must be treated as a secret. Once you have a key generated, add it to the <system.web> section the following way:
 

<system.web>

 ...

 <machineKey validationKey="ABCD0708...." decryptionKey="DDFF8943...." validation="SHA1" />

 ...

</system.web>

 

4. If your applications run on different sub-domains, such as www.example.com and forums.example.com, set the domain attribute of the authentication cookie to the main domain (note the leading dot) so that the browser sends the cookie to every host under it. Bear in mind that the cookie is then also sent to every other sub-domain of example.com, so all hosts under the main domain must be trusted to the same degree:
 

<forms name=".ASPXFORMSAUTH" path="/" domain=".example.com" ... />
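As an added example for step 3 (not part of the Kentico documentation), the following console program generates the two machine key secrets locally with the .NET cryptographic random number generator and prints a ready-to-paste <machineKey> element. It emits validation="HMACSHA256" and decryption="AES", which are stronger than the SHA1 setting shown in the fragment above and are available on .NET Framework 4.0 and later. The class name and the key lengths are the example's own choices: 64 bytes is the longest validation key ASP.NET accepts and 32 bytes gives an AES-256 decryption key.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example, not Kentico code: generates <machineKey> secrets locally.
// Build as a console application, run it once, and paste the printed element
// into the <system.web> section of every application that shares the cookie.
public static class MachineKeyGenerator
{
    // Returns `byteCount` random bytes as upper-case hex, which is the format
    // ASP.NET expects for the validationKey and decryptionKey attributes.
    public static string RandomHex(int byteCount)
    {
        var bytes = new byte[byteCount];
        using (var rng = new RNGCryptoServiceProvider())
        {
            rng.GetBytes(bytes);
        }

        var sb = new StringBuilder(byteCount * 2);
        foreach (byte b in bytes)
        {
            sb.Append(b.ToString("X2"));
        }
        return sb.ToString();
    }

    // Builds the complete element: a 64-byte (128 hex character) validation key,
    // the maximum ASP.NET accepts, and a 32-byte (64 hex character) AES-256
    // decryption key. HMACSHA256/AES are the example's choice of algorithms.
    public static string BuildMachineKeyElement()
    {
        string validationKey = RandomHex(64);
        string decryptionKey = RandomHex(32);
        return string.Format(
            "<machineKey validationKey=\"{0}\" decryptionKey=\"{1}\" validation=\"HMACSHA256\" decryption=\"AES\" />",
            validationKey, decryptionKey);
    }

    public static void Main()
    {
        Console.WriteLine(BuildMachineKeyElement());
    }
}
```

Paste the same element into every application's web.config and keep that file (or at least the key material) out of source control. If the applications end up with different keys, tickets issued by one site are rejected by the others and single sign-on fails without any visible error beyond a redirect back to the logon page.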

 

Windows Authentication

 

If you are using Windows authentication, the user identity is shared within the Windows domain. No additional configuration is required.

 

Single sign-on across different domains

 

Single sign-on across completely different domains in the same instance of Kentico CMS can be enabled by checking the Automatically sign-in user when site changes check-box in Site Manager -> Settings -> Security & Membership.

 

With this option enabled, no further configuration is necessary - users only need to enter their logon credentials once. After that, they can switch between different sites running in the CMS using the Site drop-down list in CMS Desk, without the need to enter their logon credentials for each domain.

 


The single sign-on functionality is also available on your custom pages through the Kentico CMS API. The following code example shows how you can authenticate a user with a particular user name in your code. Note that this call performs no password check: it signs in whichever user the code names, so only call it after the user's identity has been established by other means (for example by a trusted external identity provider):

 

[C#]

 

string userName = "testuser";

// Authenticates the user with the specified user name; the second argument
// (false) requests a session cookie rather than a persistent one
CMSContext.AuthenticateUser(userName, false);

 

The second code example shows how to generate a URL that carries a user authentication token. When a user accesses this URL, they are automatically authenticated. Because the URL alone is sufficient to sign in as that user, treat it as a credential: generate it only for users whose identity you have already verified, transmit it over HTTPS only, and do not write it to logs or expose it to anyone other than the intended user.

 

[C#]

 

string userName = "testuser";

// Get the user with the specified user name (null if no such user exists)
UserInfo userInfo = UserInfoProvider.GetUserInfo(userName);

if (userInfo != null)
{
    // Get the authentication URL for the specified user and target URL
    string url = AuthenticationHelper.GetUserAuthenticationUrl(userInfo, "/default.aspx");

    // Redirect the user to the target URL; the token in the URL authenticates them
    URLHelper.Redirect(url);
}
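The two snippets above can be combined into a handoff page that moves a user who is already signed in on the current site to another site of the same instance. The following code-behind is an added example and not part of Kentico's own code; it adds the checks a practitioner would expect around the API calls: the caller must already be authenticated, the request must arrive over TLS, the target must be on an allow-list so the token cannot be leaked to an attacker-chosen host, and disabled accounts are refused. The page name SsoHandoff.aspx, the allow-listed hosts and the Kentico namespaces in the using directives are the example's own assumptions (adjust them to your installation), as is passing an absolute target URL to GetUserAuthenticationUrl where the snippet above used a relative path.

```csharp
using System;
using System.Web;
using System.Web.UI;
using CMS.CMSHelper;     // CMSContext (namespace assumed for Kentico CMS 7)
using CMS.GlobalHelper;  // URLHelper, QueryHelper (namespace assumed)
using CMS.SiteProvider;  // UserInfo, UserInfoProvider, AuthenticationHelper (namespace assumed)

// Added example, not Kentico code: code-behind of a hypothetical page
// ~/CMSPages/SsoHandoff.aspx, called as
// /CMSPages/SsoHandoff.aspx?target=https://site2.example.com/default.aspx
public partial class SsoHandoff : Page
{
    // Constructed sample values: hosts we are willing to hand a token to. The token
    // turns the URL into a bearer credential, so arbitrary targets must be rejected.
    private static readonly string[] AllowedTargetHosts = { "site2.example.com", "site3.example.net" };

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Never mint a session for an anonymous visitor: the caller must already
        //    be signed in on this site.
        if (!Request.IsAuthenticated)
        {
            Response.StatusCode = 401;
            Response.End();
            return;
        }

        // 2. The authentication URL carries a bearer token: only issue it over TLS.
        if (!Request.IsSecureConnection)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // 3. Validate the target against the allow-list so the token cannot be
        //    redirected to an attacker-controlled host (open redirect).
        string target = QueryHelper.GetString("target", "");
        if (!IsAllowedTarget(target))
        {
            Response.StatusCode = 400;
            Response.End();
            return;
        }

        // 4. Resolve the signed-in user's record and refuse disabled accounts.
        UserInfo userInfo = UserInfoProvider.GetUserInfo(User.Identity.Name);
        if (userInfo == null || !userInfo.Enabled)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // 5. Build the authentication URL (same API as the snippet above) and redirect.
        string url = AuthenticationHelper.GetUserAuthenticationUrl(userInfo, target);
        URLHelper.Redirect(url);
    }

    // Accepts only absolute https URLs whose host is on the allow-list.
    public static bool IsAllowedTarget(string target)
    {
        Uri uri;
        if (!Uri.TryCreate(target, UriKind.Absolute, out uri))
        {
            return false;
        }
        if (uri.Scheme != Uri.UriSchemeHttps)
        {
            return false;
        }
        return Array.Exists(AllowedTargetHosts,
            h => string.Equals(h, uri.Host, StringComparison.OrdinalIgnoreCase));
    }
}
```

Host allow-listing rather than prefix matching on the URL string is deliberate: a check such as target.StartsWith("https://site2.example.com") would also accept https://site2.example.com.attacker.example, which Uri.Host comparison does not.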