0

I have made an ASP.NET MVC application that has custom forms authentication. Besides that, it needs to authenticate users from SharePoint (in other words, I need to pass the user from SharePoint to the ASP.NET MVC application). SP and the ASP.NET MVC app are in the same domain and SP is using AD to authenticate users. I have searched Google/SO and so far I haven't found any good solution.

Note: I need a secure way of passing the user from SP to the ASP.NET MVC application ... I saw a few examples that pass the user through a URL parameter and I think that this is not a secure thing to do.

3
  • Yes, they are in the same domain and users on SP are authenticated through it. Commented Jan 30, 2012 at 14:14
  • No, I mean are they on like sharepoint.somesite.com or mvc.somesite.com? Commented Jan 30, 2012 at 14:15
  • We haven't decided that yet, but if putting both apps in the same domain gives us an advantage then we will put them in the same domain... Commented Jan 30, 2012 at 14:18

2 Answers

2

Why not use a URL parameter?

using System;

public class SecureToken {
    public Int32 UserId {get;set;}
    public DateTime DateCreated {get;set;}
    public DateTime ValidTill {get;set;}

    public SecureToken (Int32 userId) {
        this.UserId = userId;
        // UTC, so the expiry check does not depend on server time zone or DST
        this.DateCreated = DateTime.UtcNow;
        this.ValidTill = this.DateCreated.AddMinutes(0.5);
    }
    public String ToEncryptedToken() {
        // Do serialization,
        // Then encrypt with, for example, TripleDES
        // Escape for URL
        // Return the string argument for the URL
        throw new NotImplementedException();
    }

    public static SecureToken Decrypt(String input) {
        // If the DateCreated == ValidTill - 30 seconds
        // If validTill > Now
        // If decryptable
        // Return deserialized token
        // else throw Authentication error.
        throw new NotImplementedException();
    }
}

The point here is that the token, while in the URL, is viable for only 30 seconds. As an additional parameter you can use HMAC-SHA256 during serialization and check whether this is really your token.


2 Comments

Well, if there is no other way around, then I will use a URL parameter or cookie.
@IvanMilosavljevic would be very grateful if you could share your code/solution for the benefit of all other users
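The HMAC-SHA256 check and 30-second expiry described in the answer above, as an added example that is not the answerer's code: it signs the token rather than encrypting it, so the user id is readable but cannot be altered. The class and method names, the token layout and the shared key are assumptions, and it targets .NET 6 or later.

```csharp
using System;
using System.Globalization;
using System.Security.Cryptography;
using System.Text;
public static class HandoffToken
{
    static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(30);
    // key: secret shared by the issuing and receiving applications (assumption).
    public static string Issue(int userId, byte[] key, DateTimeOffset now)
    {
        long expires = now.Add(Lifetime).ToUnixTimeSeconds();
        string payload = userId.ToString(CultureInfo.InvariantCulture) + "." + expires;
        return payload + "." + B64Url(Mac(payload, key));
    }

    // True only if the MAC matches and the token has not expired.
    public static bool TryValidate(string token, byte[] key, DateTimeOffset now, out int userId)
    {
        userId = 0;
        string[] p = (token ?? "").Split('.');
        if (p.Length != 3) return false;
        // Verify the MAC in constant time before trusting any payload field.
        byte[] expected = Encoding.ASCII.GetBytes(B64Url(Mac(p[0] + "." + p[1], key)));
        if (!CryptographicOperations.FixedTimeEquals(expected, Encoding.ASCII.GetBytes(p[2]))) return false;
        if (!long.TryParse(p[1], NumberStyles.None, CultureInfo.InvariantCulture, out long exp)) return false;
        if (now.ToUnixTimeSeconds() > exp) return false;
        return int.TryParse(p[0], NumberStyles.AllowLeadingSign, CultureInfo.InvariantCulture, out userId);
    }

    static byte[] Mac(string payload, byte[] key)
    {
        using (var h = new HMACSHA256(key)) return h.ComputeHash(Encoding.UTF8.GetBytes(payload));
    }

    static string B64Url(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
}
public static class Demo
{
    public static void Main()
    {
        byte[] key = RandomNumberGenerator.GetBytes(32); // constructed demo key
        var now = DateTimeOffset.UtcNow;
        string t = HandoffToken.Issue(42, key, now);
        Console.WriteLine(HandoffToken.TryValidate(t, key, now.AddSeconds(10), out int id) + " " + id); // valid
        Console.WriteLine(HandoffToken.TryValidate(t, key, now.AddSeconds(31), out _));  // expired
        Console.WriteLine(HandoffToken.TryValidate("43" + t.Substring(2), key, now, out _)); // altered user id
    }
}
```

A token validated this way can still be replayed until it expires, and URLs are commonly recorded in server logs and browser history, so the receiver would have to remember consumed tokens to make the handoff single-use.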
0

You could configure SP for a custom forms auth provider which in turn validates to the domain - then you are sharing forms auth tokens between apps which is fairly easy:

http://msdn.microsoft.com/en-us/library/ie/eb0zx8fc.aspx
