4 Replies - 652 Views - Last Post: 19 April 2019 - 12:36 PM

#1 fearfulsc2

Windows Authentication SSO across applications

Posted 10 April 2019 - 08:06 AM

Hi everyone,

I am able to create an application and use Windows Authentication to Authenticate and Authorize users based off of their Active Directory groups/roles.

I am able to do that for single applications that do not talk to other services.

I want to be able to Authenticate myself on one application and carry over those credentials to another application.

I was thinking I could create an Authenticator application and give the user a token and then use that token to have the user's credentials and pass it into the HTTP header when I make an API call to another application.

I was not able to do that yet.

Has anyone worked on something similar to that before and might be able to help? I am using .NET Core 2.1 by the way.


Replies To: Windows Authentication SSO across applications

#2 DarenR

Re: Windows Authentication SSO across applications

Posted 10 April 2019 - 09:48 AM

So if I'm reading this right, you want to be able to log into app "a" and be able to use app "b, c, d" with the same credentials?

That is asking for a large security risk.

#3 fearfulsc2

Re: Windows Authentication SSO across applications

Posted 10 April 2019 - 09:58 AM

Yes, that is exactly it. And what I mean by that is that we have many microservices and we are trying to secure all the API endpoints.

Our microservices can also call other microservices.

So what I was thinking is if we authenticate the user on the front-end from our proposed Authenticator service, we can pass them a cookie with their token inside (which will be set to expire after however many minutes/hours) and we can then use that cookie to be passed along through all the service calls. Each service will take the cookie and validate the token and will either allow or disallow certain actions based on that user's role/group.

Is that feasible?

#4 DarenR

Re: Windows Authentication SSO across applications

Posted 10 April 2019 - 11:32 AM

You can also use sessions and have an expire period.

So to recap, you can use:

token
cookies
sessions

I use sessions here since you can set it once and be done, but that would be up to you.

#5 fearfulsc2

Re: Windows Authentication SSO across applications

Posted 19 April 2019 - 12:36 PM

This is the approach I took.

I created a token generator and it would sign a token based. So if we had more than one front-end application, we can use different audiences and they would get signed by our token generator.

On our own services, we would use JWT as our Authentication scheme and set up our own policies such as users who have certain claims and those who don't. We also specified which audience(s) we were expecting. If it's not an audience we would expect, they are denied access.

On the front-end, we have a JWT interceptor so that way we can check to see when our token expires so that we can get a new one before we call a service so that way we don't get denied for no reason.
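
The approach described in post #5, as an added example that is not part of the original thread: a token generator signs a token for one audience, and a service rejects that token when the audience is not the one it expects. It assumes the System.IdentityModel.Tokens.Jwt NuGet package and an RSA key pair (so services hold only the public key); the issuer, audience, user and role names are constructed.

```csharp
using System;
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Security.Cryptography;
using Microsoft.IdentityModel.Tokens;

static class JwtAudienceDemo
{
    const string Issuer = "https://auth.example.internal"; // constructed issuer name

    // Token generator: sign a short-lived token for exactly one audience.
    static string Issue(SecurityKey privateKey, string audience, string user, string role)
    {
        var token = new JwtSecurityToken(Issuer, audience,
            new[] { new Claim(JwtRegisteredClaimNames.Sub, user), new Claim(ClaimTypes.Role, role) },
            notBefore: DateTime.UtcNow, expires: DateTime.UtcNow.AddMinutes(15),
            signingCredentials: new SigningCredentials(privateKey, SecurityAlgorithms.RsaSha256));
        return new JwtSecurityTokenHandler().WriteToken(token);
    }

    // Service: accept only tokens signed by the generator, for this audience, not expired.
    static ClaimsPrincipal Validate(string jwt, SecurityKey publicKey, string expectedAudience)
    {
        var parameters = new TokenValidationParameters
        {
            ValidateIssuer = true, ValidIssuer = Issuer,
            ValidateAudience = true, ValidAudience = expectedAudience,
            ValidateLifetime = true, ClockSkew = TimeSpan.FromSeconds(30), IssuerSigningKey = publicKey
        };
        try
        {
            return new JwtSecurityTokenHandler().ValidateToken(jwt, parameters, out _);
        }
        catch (Exception e) when (e is SecurityTokenException || e is ArgumentException)
        {
            return null; // bad signature, wrong issuer or audience, expired, or malformed
        }
    }

    static void Main()
    {
        var rsa = RSA.Create(2048);
        var privateKey = new RsaSecurityKey(rsa);                         // stays with the token generator
        var publicKey = new RsaSecurityKey(rsa.ExportParameters(false)); // public half, given to services
        string jwt = Issue(privateKey, "orders-api", "jdoe", "Orders.Read");
        Console.WriteLine(Validate(jwt, publicKey, "orders-api")?.IsInRole("Orders.Read") == true);
        Console.WriteLine(Validate(jwt, publicKey, "billing-api") != null); // same token sent to another service
    }
}
```

In an ASP.NET Core service the same `TokenValidationParameters` are normally set once in `AddJwtBearer`, with role or claim checks expressed as authorization policies.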
