Single Sign On and Custom authentication

Vote:
 
We are currently building a Proof of Cocept (PoC) for one of our clients which involves integrating both Community Server and MediaChase eCommerceFramework. The good news - we've successfully been able to include content within an EPiServer site from both products! (Was there ever any doubt?) Both apps are .NET apps. The part we are uncertain of how to attack is how to best handle single sign on (SSO) between all three applications. We wish to use EPiServer for the authentication, but want to pass authentication via cookies to the other two applications. One issue we are concerned about is that the Community Server app will likely be running on a different subdomain. How can we extend the EPiServers current Authentication handler (or hook into it's events) to do what we need it to do? Am I barking up the wrong tree? Should we be attempting this another way? All help greatly appreciated. Cheers.
#12826
Mar 25, 2008 18:35
Vote:
 
As always, it depends. SSO is not trivial - as you undoubtedly know. The extensible authentication chain in EPiServer can be used to authenticate users in other systems, and give them roles in EPiServer based on information in the other system. Making another system recognize a login done in EPiServer is another ballgame. I think I've read that Community Server has a provider based authentication system, and/or can also run securly as long as the HttpContext.User is set to an authenticated user. If you can manage to get community server to run in the same (web) context as EPiServer, this might actually work. You can then create groups in EPiServer with the same name as the roles Community Server uses to grant access to the forums etc. The version I've used uses IsInRole to check access rights, and that would be ok if the user is an EPiServer extranet user. Another option is to rewrite the login logic slightly, and create a domain wide cookie of some sort, and do something with this in the other applications, if they run in different contexts. An httpmodule that checks the cookie, and logs you into Community Server automatically is one option. Beware not to create any unintentional backdoors or gaping security holes in the process :-) /Steve
#14948
Mar 25, 2008 18:46
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.