Single Sign On Module

The single sign on module is an ASP.NET MVC application that provides a user repository, account creation and single sign on services.
The application generally follows a RESTful pattern for providing services to users and to external applications (clients).

Definitions

SSO Server The central service responsible for authenticating users, managing single sign on sessions and providing profile information to known applications.
Client An application that communicates with the SSO Server.
Trusted client A client that is known to the SSO Server: the SSO Server holds the client's name and public key, and uses the public key to verify the signatures on the client's service requests.
User A human user.

Actions

SignIn

https://sherwood/SignIn?RequestParameters
Provides an authentication interface for users and a means of returning authentication tickets to SSO clients.

Request parameters

ReturnURL URL to redirect the user to after authentication. If not provided, the user is redirected to a default URL (specified in web.config).
SignoutURL (optional) URL the SSO Server calls if the user signs out, so that SSO clients can implement single sign-out.
ClientSessionId Id which uniquely identifies the user's session with the SSO client application. It is echoed back inside the ticket, so the client can tie the ticket to that session.

Return/signout URL replacement macros

The following macros can be included in the ReturnURL and SignoutURL request parameters and are replaced by the SSO Server before the URL is used:
{signinticket} Base64("SI"|SsoSessionId|ClientSessionId|IPAddress|UserId|Timestamp)
{signoutticket} Base64("SO"|SsoSessionId|ClientSessionId|IPAddress|UserId|Timestamp)
{signinsignature} E(H({signinticket}),PrK_Sso)
{signoutsignature} E(H({signoutticket}),PrK_Sso)

Notation: H(x) is a hash of x, and E(x,PrK) is x signed with the private key PrK; a client therefore verifies {signinsignature} and {signoutsignature} with the SSO Server's public key. The hash function and signature scheme are not specified in this document, so clients must use the ones the SSO Server is configured with.

The sign-in ticket differs from the sign-out ticket only in its prefix, SI instead of SO. A signed sign-in ticket therefore cannot be re-sent by a third party to a client's sign-out URL to force a sign-out, provided the client checks that the prefix matches the endpoint receiving the ticket. Tickets can be signed with the private key of the SSO Server to give the client confidence that they were issued by the SSO Server. Because the signature is a separate macro, a client that omits {signinsignature} or {signoutsignature} from its URL receives a ticket it has no way to authenticate, so both macros should always be requested and the signature verified before the ticket is acted upon.
Base64 encoding is optional. It is an encoding, not encryption, so it provides only obscurity and no confidentiality; the ticket is not meant to carry secrets. What matters is that the client can establish, from the signature, that the ticket originated from the SSO Server, and that it then checks the ClientSessionId against its own session and the Timestamp against the current time, so that a captured ticket cannot be replayed later or against a different client session.
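As an added illustration, not part of the Sherwood project's code, the following Go program plays both roles: the SSO Server renders a ticket and its signature as the macros above would, and an SSO client verifies what it receives. This page does not fix the hash function, the signature scheme, the field separator or the ticket timestamp format, so the example assumes SHA-256, RSA PKCS#1 v1.5, a literal "|" separator and the yyyy-MM-ddTHH:mm:ss.fffZ format that the Services use; the key pair, session ids, address and user id are constructed for the run. It also goes one step beyond the text: it bounds the ticket's age, which the page leaves to the client.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Assumed, because the page does not fix them: SHA-256 for H, RSA PKCS#1 v1.5
// for E(..., PrK), a literal "|" between fields, and the Services' timestamp format.
const tsLayout = "2006-01-02T15:04:05.000Z" // yyyy-MM-ddTHH:mm:ss.fffZ, UTC

// ticket holds the macro fields: Type|SsoSessionId|ClientSessionId|IPAddress|UserId|Timestamp.
type ticket struct {
	Type, SsoSessionId, ClientSessionId, IPAddress, UserId string
	Timestamp                                              time.Time
}

// issueTicket is the SSO Server side. It returns the {signinticket}/{signoutticket}
// value and the matching {signinsignature}/{signoutsignature} value, both Base64.
// The hash is taken over the ticket exactly as it is transmitted.
func issueTicket(t ticket, prkSso *rsa.PrivateKey) (string, string, error) {
	raw := strings.Join([]string{t.Type, t.SsoSessionId, t.ClientSessionId,
		t.IPAddress, t.UserId, t.Timestamp.UTC().Format(tsLayout)}, "|")
	enc := base64.StdEncoding.EncodeToString([]byte(raw))
	digest := sha256.Sum256([]byte(enc))                                         // H({signinticket})
	sig, err := rsa.SignPKCS1v15(rand.Reader, prkSso, crypto.SHA256, digest[:]) // E(H(...), PrK_Sso)
	if err != nil {
		return "", "", err
	}
	return enc, base64.StdEncoding.EncodeToString(sig), nil
}

// verifyTicket is the client side. wantType is "SI" at the client's sign-in endpoint
// and "SO" at its sign-out endpoint, so a sign-in ticket replayed against the
// sign-out endpoint is rejected on the prefix alone.
func verifyTicket(encTicket, encSig, wantType, myClientSessionId string, now time.Time,
	maxAge time.Duration, pubSso *rsa.PublicKey) (ticket, error) {
	sig, err := base64.StdEncoding.DecodeString(encSig)
	if err != nil {
		return ticket{}, fmt.Errorf("bad signature encoding: %w", err)
	}
	// 1. Authenticity first: a ticket the SSO Server did not sign is not worth parsing.
	digest := sha256.Sum256([]byte(encTicket))
	if err := rsa.VerifyPKCS1v15(pubSso, crypto.SHA256, digest[:], sig); err != nil {
		return ticket{}, errors.New("signature does not verify against the SSO Server public key")
	}
	raw, err := base64.StdEncoding.DecodeString(encTicket)
	if err != nil {
		return ticket{}, fmt.Errorf("bad ticket encoding: %w", err)
	}
	// The format has no escaping, so a stray "|" in a field shifts everything;
	// insisting on exactly six fields rejects that instead of mis-assigning fields.
	f := strings.Split(string(raw), "|")
	if len(f) != 6 {
		return ticket{}, fmt.Errorf("expected 6 ticket fields, got %d", len(f))
	}
	// 2. Ticket type: SI for sign-in, SO for sign-out.
	if f[0] != wantType {
		return ticket{}, fmt.Errorf("ticket type %q, expected %q", f[0], wantType)
	}
	// 3. Binding: a ticket issued for another client session is useless here.
	if f[2] != myClientSessionId {
		return ticket{}, errors.New("ClientSessionId does not match this client session")
	}
	// 4. Freshness: a correctly signed ticket stays valid forever unless the client bounds its age.
	ts, err := time.Parse(tsLayout, f[5])
	if err != nil {
		return ticket{}, fmt.Errorf("bad ticket timestamp: %w", err)
	}
	if age := now.Sub(ts); age > maxAge || age < -maxAge {
		return ticket{}, fmt.Errorf("ticket timestamp %s outside the +/-%s window", f[5], maxAge)
	}
	return ticket{f[0], f[1], f[2], f[3], f[4], ts}, nil
}

func main() {
	prkSso, err := rsa.GenerateKey(rand.Reader, 2048) // constructed SSO Server key pair
	if err != nil {
		panic(err)
	}
	pub := &prkSso.PublicKey
	now := time.Date(2010, 5, 14, 13, 25, 0, 0, time.UTC)
	// Constructed sample: a sign-in ticket for client session "client-7".
	enc, sig, err := issueTicket(ticket{"SI", "sso-1", "client-7", "10.0.0.5", "42", now}, prkSso)
	if err != nil {
		panic(err)
	}
	_, err = verifyTicket(enc, sig, "SI", "client-7", now.Add(30*time.Second), 2*time.Minute, pub)
	fmt.Println("valid sign-in ticket:", err)
	_, err = verifyTicket(enc, sig, "SO", "client-7", now, 2*time.Minute, pub)
	fmt.Println("sign-in ticket replayed as sign-out:", err)
	_, err = verifyTicket(enc, sig, "SI", "client-8", now, 2*time.Minute, pub)
	fmt.Println("ticket for another client session:", err)
	_, err = verifyTicket(enc, sig, "SI", "client-7", now.Add(time.Hour), 2*time.Minute, pub)
	fmt.Println("ticket an hour old:", err)
}
```

The order of the checks is deliberate: the signature is verified before the ticket is decoded and split, so nothing is parsed that the SSO Server did not produce, and the prefix, ClientSessionId and Timestamp checks then pin the ticket to the endpoint, session and moment it was issued for.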

SignOut

https://sherwood/SignOut[?RequestParameters]
Signs out the user and displays the login page. Parameters for a subsequent sign in (ReturnURL etc.) can optionally be provided.

Services/Authenticate

https://sherwood/Services/Authenticate?RequestParameters
The Authenticate service allows trusted clients to authenticate a user by username and password; on success it returns the user's profile. Because the credentials travel as request parameters, this service must only be called over TLS.

Request parameters

Username User's username
Password User's password
ClientCode Unique identifier for the client
Timestamp UTC time of the request in the format yyyy-MM-ddTHH:mm:ss.fffZ, e.g. 2002-05-30T22:30:10.550Z
Signature E(H({ClientCode|Timestamp}),PrK_Client) -- identifies the client as the sender. Only ClientCode and Timestamp are covered by the signature; the remaining parameters rely on the TLS channel for integrity. The Timestamp limits replay of a captured request only if the SSO Server rejects requests whose Timestamp falls outside a short window around its own clock.

Response

Failed authentication: (empty string)
Successful authentication: ProfileXML, for example:
<?xml version="1.0" encoding="utf-8"?>
<UserProfile xmlns="http://Sherwood.codeplex.com/Sherwood.Sso/Schemas">
  <id>{userAccountId}</id>
  <username>joe.bloggs</username>
  <firstName>Joe</firstName>
  <lastName>Bloggs</lastName>
  <cultureName>en-US</cultureName>
  <country>US</country>
  <dateOfBirth>1950-01-01T00:00:00</dateOfBirth>
  <gender>0=unspecified,1=male,2=female</gender>
  <email>joe.bloggs@sherwood.codeplex.com</email>
</UserProfile>
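To show how a client should treat the two documented outcomes, here is an added Go example (not Sherwood code) that parses a ProfileXML response in the schema above and treats an empty body as failure. The sample document is constructed for the run, and the struct and function names are the example's own; binding the root element to the schema namespace makes a document from any other namespace fail to parse rather than be silently accepted.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
)

// UserProfile maps the ProfileXML document. The namespace on XMLName is checked
// by xml.Unmarshal, so a root element in another namespace is an error.
type UserProfile struct {
	XMLName     xml.Name `xml:"http://Sherwood.codeplex.com/Sherwood.Sso/Schemas UserProfile"`
	Id          string   `xml:"id"`
	Username    string   `xml:"username"`
	FirstName   string   `xml:"firstName"`
	LastName    string   `xml:"lastName"`
	CultureName string   `xml:"cultureName"`
	Country     string   `xml:"country"`
	DateOfBirth string   `xml:"dateOfBirth"`
	Gender      int      `xml:"gender"` // 0=unspecified, 1=male, 2=female
	Email       string   `xml:"email"`
}

// genderName maps the documented gender codes; anything else is reported, not guessed.
func genderName(code int) string {
	switch code {
	case 0:
		return "unspecified"
	case 1:
		return "male"
	case 2:
		return "female"
	}
	return fmt.Sprintf("unknown(%d)", code)
}

// parseProfile handles the two documented outcomes of Authenticate, GetUserProfile
// and IsSessionActive: an empty body means failure (bad credentials, unknown
// identifier, expired session or unknown client); anything else must be a UserProfile.
func parseProfile(body string) (*UserProfile, error) {
	if strings.TrimSpace(body) == "" {
		return nil, errors.New("request failed: SSO Server returned an empty response")
	}
	var p UserProfile
	if err := xml.Unmarshal([]byte(body), &p); err != nil {
		return nil, fmt.Errorf("response is not a UserProfile document: %w", err)
	}
	if p.Id == "" || p.Username == "" {
		return nil, errors.New("UserProfile is missing id or username")
	}
	return &p, nil
}

// sampleProfile is a constructed response in the documented schema, not a real server reply.
const sampleProfile = `<?xml version="1.0" encoding="utf-8"?>
<UserProfile xmlns="http://Sherwood.codeplex.com/Sherwood.Sso/Schemas">
  <id>1001</id>
  <username>joe.bloggs</username>
  <firstName>Joe</firstName>
  <lastName>Bloggs</lastName>
  <cultureName>en-US</cultureName>
  <country>US</country>
  <dateOfBirth>1950-01-01T00:00:00</dateOfBirth>
  <gender>1</gender>
  <email>joe.bloggs@sherwood.codeplex.com</email>
</UserProfile>`

func main() {
	p, err := parseProfile(sampleProfile)
	if err != nil {
		panic(err)
	}
	fmt.Printf("user %s (%s %s, %s) id=%s\n", p.Username, p.FirstName, p.LastName, genderName(p.Gender), p.Id)
	_, err = parseProfile("") // the documented failure response
	fmt.Println("empty response:", err)
	_, err = parseProfile(`<UserProfile xmlns="urn:other"><id>1</id><username>x</username></UserProfile>`)
	fmt.Println("wrong namespace:", err)
}
```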

Services/GetUserProfile

https://sherwood/Services/GetUserProfile?RequestParameters
The GetUserProfile service allows trusted clients to get a user's profile information by UserAccountId, Email or Username.

Request parameters

UserAccountId User's UserAccountId
Email User's email address
Username User's username
ClientCode Unique identifier for the client
Timestamp UTC time of the request, in the same format as for Authenticate
Signature E(H({ClientCode|Timestamp}),PrK_Client) -- identifies the client as the sender

Response

Invalid Email/Username/UserAccountId or unknown client: (empty string)
Valid Email/Username/UserAccountId and known client: ProfileXML

Note that only one of UserAccountId, Email or Username needs to be provided. This service is essentially a lookup service allowing trusted/known clients to retrieve profile information; since it returns any user's profile to any trusted client without the user being present, client trust should be granted accordingly.

Services/IsSessionActive

https://sherwood/Services/IsSessionActive?RequestParameters
The IsSessionActive service allows trusted clients to check whether an SSO session is still active (an alternative to notification-based single sign-out via SignoutURL).

Request parameters

SsoSessionId Session id issued by the SSO Server (carried in the sign-in ticket)
ClientCode Unique identifier for the client
Timestamp UTC time of the request, in the same format as for Authenticate
Signature E(H({ClientCode|Timestamp}),PrK_Client) -- identifies the client as the sender

Response

Expired/invalid SsoSessionId or unknown client: (empty string)
Valid SsoSessionId and known client: ProfileXML
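The request signature is the same for Authenticate, GetUserProfile and IsSessionActive, so one added Go example (not Sherwood code) covers all three: the client side builds the signed parameter set, and the server side checks ClientCode against its table of trusted clients, the Timestamp against a freshness window and the Signature against the client's public key. SHA-256 for H, RSA PKCS#1 v1.5 for E, the literal "|" separator and Base64 for the signature bytes are assumptions, since the page does not fix them; trustedClients, the window size and the sample values are the example's own. The last check in main makes the point from the parameter tables explicit: changing a parameter that the signature does not cover does not invalidate the request.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"net/url"
	"time"
)

const tsLayout = "2006-01-02T15:04:05.000Z" // yyyy-MM-ddTHH:mm:ss.fffZ, UTC

// signRequest is the client side: it adds ClientCode, Timestamp and
// Signature = E(H(ClientCode|Timestamp), PrK_Client) to the service parameters.
// Assumed (the page does not fix them): SHA-256 for H, RSA PKCS#1 v1.5 for E,
// a literal "|" separator and Base64 for the signature bytes.
func signRequest(params url.Values, clientCode string, now time.Time, prkClient *rsa.PrivateKey) (url.Values, error) {
	ts := now.UTC().Format(tsLayout)
	digest := sha256.Sum256([]byte(clientCode + "|" + ts))
	sig, err := rsa.SignPKCS1v15(rand.Reader, prkClient, crypto.SHA256, digest[:])
	if err != nil {
		return nil, err
	}
	signed := url.Values{}
	for k, v := range params {
		signed[k] = v
	}
	signed.Set("ClientCode", clientCode)
	signed.Set("Timestamp", ts)
	signed.Set("Signature", base64.StdEncoding.EncodeToString(sig))
	return signed, nil
}

// trustedClients is the SSO Server's table of known clients: ClientCode -> public key.
type trustedClients map[string]*rsa.PublicKey

// verifyRequest is the server side. The cheap checks (known client, fresh
// Timestamp) run before the RSA verification so unknown or stale requests
// are rejected without spending a signature verification on them.
func (tc trustedClients) verifyRequest(q url.Values, now time.Time, window time.Duration) error {
	pub, ok := tc[q.Get("ClientCode")]
	if !ok {
		return errors.New("unknown client")
	}
	ts, err := time.Parse(tsLayout, q.Get("Timestamp"))
	if err != nil {
		return fmt.Errorf("bad Timestamp: %w", err)
	}
	if d := now.Sub(ts); d > window || d < -window {
		return fmt.Errorf("Timestamp %s is outside the +/-%s window", q.Get("Timestamp"), window)
	}
	sig, err := base64.StdEncoding.DecodeString(q.Get("Signature"))
	if err != nil {
		return fmt.Errorf("bad Signature encoding: %w", err)
	}
	digest := sha256.Sum256([]byte(q.Get("ClientCode") + "|" + q.Get("Timestamp")))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return errors.New("Signature does not verify with the public key held for this ClientCode")
	}
	return nil
}

func main() {
	prkClient, err := rsa.GenerateKey(rand.Reader, 2048) // constructed client key pair
	if err != nil {
		panic(err)
	}
	server := trustedClients{"shop": &prkClient.PublicKey}
	now := time.Date(2010, 5, 14, 13, 25, 0, 0, time.UTC)

	// Client: IsSessionActive for a session id it holds from a sign-in ticket (constructed values).
	q, err := signRequest(url.Values{"SsoSessionId": {"sso-1"}}, "shop", now, prkClient)
	if err != nil {
		panic(err)
	}
	fmt.Println("GET /Services/IsSessionActive?" + q.Encode())
	fmt.Println("fresh request:", server.verifyRequest(q, now.Add(10*time.Second), time.Minute))
	fmt.Println("same request an hour later:", server.verifyRequest(q, now.Add(time.Hour), time.Minute))

	// Only ClientCode|Timestamp is signed: changing any other parameter still verifies.
	tampered, _ := url.ParseQuery(q.Encode())
	tampered.Set("SsoSessionId", "sso-2")
	fmt.Println("unsigned parameter changed:", server.verifyRequest(tampered, now, time.Minute))
}
```

Run as-is, the program accepts the fresh request, rejects the hour-old replay of the same query, and still accepts the copy whose SsoSessionId was altered. That last result is why these services must run over TLS, and a server that also wants to stop replay inside the window has to remember recently seen ClientCode|Timestamp pairs, which the signature alone does not give it.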

Last edited May 14, 2010 at 1:25 PM by rvanoord, version 18
