Integrating a LightSwitch app with a third-party authentication system and using single sign-on.

Introduction

Large enterprises often make use of a company-wide authentication system for all their internal applications.

This approach has major advantages:

  • all code and business logic related to authentication is centralised in one place;
  • the authentication mechanism can be integrated on the most suitable application layer;
  • the management of users is very convenient: when an employee leaves the company, their permissions for all applications they were subscribed to can be withdrawn with one mouse click.

Nonetheless, there is an important drawback: each individual application (and typically, in a major enterprise, there are many application types: Mainframe, Java, .NET, …) needs to integrate in one way or another with this third-party authentication system.

Obviously, this integration exercise is much easier when your application framework is more or less built on custom coding. At the other end of the spectrum, a product is much harder to integrate with a third-party authentication system.

LightSwitch sits, in a sense, in the middle between a product and an application development framework. Anyhow, it’s very easy to do the kind of integration we are envisioning here.

The security context

Of course, the topic I cover here is rather generic. So let’s make the following assumptions:

  • I can retrieve the user for which I have to enforce single sign-on on the server side of my application, before the xap is accessed.
  • This makes it possible to transform the security context of this user towards my LightSwitch app via a simple .aspx file.
  • For the rest, I’m just relying on the built-in security which LightSwitch offers (which is based on the classical ASP.NET membership database).

Include a transformSecurity.aspx file in the LS project

Open your LightSwitch solution and add a new file to the ServerGenerated project. This file has to be an .aspx file.

You may remove the code-behind file because I handle everything in the aspx file itself.

Give the following content to this aspx file:

<%@ Page Title="Transform security" Language="C#" %>

<h2>
Your userId is not known for this application
</h2>

<script runat="server">
    // Name of the LightSwitch application; must match the application name
    // used by the membership provider.
    string applicationName = "Application1";

    protected void Page_Load(object sender, EventArgs e)
    {
        string userId = RetrieveUserFromThirdPartySystem();

        // The real authentication was already done by the third-party system;
        // the shared password only confirms the user exists in the membership database.
        if (!string.IsNullOrEmpty(userId) && Membership.ValidateUser(userId, "genericPassword"))
        {
            FormsAuthentication.SetAuthCookie(userId, false);
            string url = @"~/default.htm";
            Response.Redirect(this.ResolveUrl(url));
        }
        // Otherwise the page renders the "not known" message above.
    }

    // Depends on your third-party authentication system; here the authenticated
    // user is read from an HTTP header, as described below.
    string RetrieveUserFromThirdPartySystem()
    {
        return HttpContext.Current.Request.Headers["mySpecialHeaderTag"];
    }
</script>


Note the RetrieveUserFromThirdPartySystem() method. The content of this method depends of course on your third-party authentication system. In most cases, the authenticated user will be taken from an HTTP header. Since we are in the web world here (rather than Silverlight), we can execute code like: userId = HttpContext.Current.Request.Headers["mySpecialHeaderTag"];

Note also the call to Membership.ValidateUser(userId, "genericPassword"),

where "genericPassword" is used as the password. This looks as if every user in my security database has the same password. I’ll tell you: that’s true and from a security perspective no problem at all. The reason is that the actual authentication is already done by the third-party authentication system. The call

FormsAuthentication.SetAuthCookie(userId, false);

will then make sure that the single sign-on really happens: the cookie is created based on the credentials of the already authenticated user.

When the user is authenticated, the default.htm page is opened (that’s the one where the Silverlight component is hosted).
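As an added example (not code from the original post), a stricter RetrieveUserFromThirdPartySystem() for the aspx page above: it only trusts the header when the request arrived from the gateway that did the real authentication, and it rejects malformed user ids before they reach the membership provider. The header name X-Authenticated-User and the appSettings key TrustedGatewayAddress are assumptions, not something the post defines.

```csharp
// Added example; assumes the authenticating gateway sets "X-Authenticated-User"
// and is reachable at the address stored in appSettings "TrustedGatewayAddress".
using System;
using System.Configuration;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Security;

public static class TransformSecurity
{
    // Hypothetical header name; substitute the one your authentication system sets.
    private const string UserHeader = "X-Authenticated-User";

    // Conservative shape for a user id, so an unexpected header value is dropped
    // instead of being handed to the membership provider.
    private static readonly Regex UserIdShape = new Regex(@"^[A-Za-z0-9._-]{1,64}$");

    // Returns the user id asserted by the upstream system, or null when the request
    // did not come from the trusted gateway or the header is missing or malformed.
    public static string RetrieveUserFromThirdPartySystem(HttpRequest request)
    {
        string gateway = ConfigurationManager.AppSettings["TrustedGatewayAddress"];
        if (string.IsNullOrEmpty(gateway) || request.UserHostAddress != gateway)
            return null;

        string userId = request.Headers[UserHeader];
        if (string.IsNullOrEmpty(userId) || !UserIdShape.IsMatch(userId))
            return null;

        return userId;
    }

    // The single sign-on step from the post: the shared password only proves the
    // user exists in the LightSwitch membership database; the gateway already
    // performed the real authentication. Returns false so the page can fall
    // through to its "not known" message.
    public static bool TrySignOn(HttpRequest request, HttpResponse response, string genericPassword)
    {
        string userId = RetrieveUserFromThirdPartySystem(request);
        if (userId == null || !Membership.ValidateUser(userId, genericPassword))
            return false;

        FormsAuthentication.SetAuthCookie(userId, false);
        response.Redirect(VirtualPathUtility.ToAbsolute("~/default.htm"));
        return true;
    }
}
```

From Page_Load, call TransformSecurity.TrySignOn(Request, Response, "genericPassword") in place of the inline ValidateUser/SetAuthCookie sequence.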

We need to make a slight adjustment to the web.config file to make sure that our aspx file is opened before default.htm (which is normally accessed first).

<defaultDocument>
  <files>
    <clear />
    <add value="transformSecurity.aspx" />
    <add value="default.htm" />
  </files>
</defaultDocument>

You won’t believe it, but that’s all, except for one thing: how can we deploy the dedicated aspx file? Thanks to William Stacey, I now know that you can adjust the project file to make this happen. I will not reproduce here how to do this; you can read it at: http://ourbizforward.com/LightSwitchTips/?ID=114. Thanks a lot, William.


Hope this helps.

paul.