How do I open a link from one web application to another that is already authenticated?
We have one web application (Sharepoint) that collects information from different sources. We would like to be able to connect users to the main websites of these various sources and have them pre-authenticated, i.e. they enter their credentials for the other sources (which are different types of LDAP, AD and home grown!), we get some information for them and remember the details there (maybe Single Sign-on to keep them nice and secure) ... The user can then click the link, which will open the complete application in another window.
Is this possible?
You need to act as the web browser does: it runs against different sites with credentials (usually in cookies) stored locally. So use a proper cookie-enabled client library. This is probably possible for most sites. There are sites that use HTTP authentication, which are also easy to handle with their respective client libraries. Accessing SSL sites may be the most demanding, but then again, most HTTP client libraries cover that these days.
Now, you only need to prepare your web application to act as a proxy for all these individual web resources. How exactly this is done in Sharepoint, hopefully others will answer ...
True Single Sign-on is a big challenge. Wikipedia describes common techniques and links to several SSO projects.
If you want something lighter, I've used this approach in the past:
- Create a table to store temporary security tokens somewhere that all applications can access.
- In the originating application (Sharepoint in your case), when the external application is requested, store a security token (possibly a GUID, expiration and user ID) in the token table.
- Redirect to the broker page / handler in the target application. Include the token and the originally requested page in the request.
- In the broker, look the security token up. If it exists and hasn't expired, log the user in and redirect to the requested page if everything is ok. If not, redirect with an error.
For security reasons, the GUID should be nearly impossible to guess. You can reduce the risk by making tokens expire very quickly - it shouldn't take more than a few seconds to call the broker.
If the target application uses Windows Auth and doesn't have role-based logic, you don't have to do much. Just redirect and let UrlAuthorization handle it. You can handle role-based permissions with the security token db if needed.
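The token-broker hand-off described in the answer above, as an added example that is not part of the original answer: the originating application issues a short-lived, single-use token into a shared table and redirects; the target application's broker redeems it and either creates the session or rejects it. The names `TokenStore`, `origin_link` and `broker_handler`, the 10-second TTL and the `target.example` host are assumptions, and an in-memory dict stands in for the shared token table.

```python
import secrets
import time

# Assumed TTL: the redirect to the broker should take only a few seconds.
TOKEN_TTL_SECONDS = 10


class TokenStore:
    """Shared table of short-lived, single-use security tokens (in-memory stand-in)."""

    def __init__(self, clock=time.time):
        self._rows = {}
        self._clock = clock  # injectable so expiry can be tested deterministically

    def issue(self, user_id, return_url):
        # 32 random bytes (256 bits) from a CSPRNG: far harder to guess than a GUID.
        token = secrets.token_urlsafe(32)
        self._rows[token] = {
            "user_id": user_id,
            "return_url": return_url,
            "expires_at": self._clock() + TOKEN_TTL_SECONDS,
        }
        return token

    def redeem(self, token):
        """Return the row for a valid token and delete it, or None."""
        row = self._rows.pop(token, None)  # pop: a token can be used only once
        if row is None or self._clock() > row["expires_at"]:
            return None
        return row


def origin_link(store, user_id, return_url):
    """Originating application (Sharepoint side): build the redirect to the broker."""
    token = store.issue(user_id, return_url)
    return f"https://target.example/broker?token={token}"


def broker_handler(store, token):
    """Target application's broker: redeem the token and decide what to do."""
    row = store.redeem(token)
    if row is None:
        # Unknown, expired or already-used token: nobody gets logged in.
        return {"status": "error", "redirect": "/login?error=sso_failed"}
    # A real application would create its own session for row["user_id"] here.
    return {"status": "ok", "user_id": row["user_id"], "redirect": row["return_url"]}
```

Because `redeem` pops the row, a replayed link fails even inside the TTL window, and an expired row is discarded on its first lookup rather than lingering in the table.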