SSO(Single Sign-on) in ASP.NET and Php using Webservices?

Question

I'm trying to implement SSO in my asp.net and php site. I set up a webservice ~/Webservice.asmx on my asp.net site providing a method called IsUserOnline(string userName) and then I coded php page like

require_once("nusoap/nusoap.php");
$client = new nusoap_client("http://www.myaspnetsite.com/Webservice.asmx?WSDL", "wsdl","", "", "", "");
$err = $client->getError();
if ($err) {
echo "error ..." . $err . ;
}
$param = "username";
$result = $client->call("IsUserOnline", $param, "", "", false, true);

And then I can use result to check if the user is online or not. I can always use the code to check on each php pages or just check it once and create a login status on php site. Do you think is it a good solution? What's the security issue? The speed issue?

Answer 1

An easiest way of doing SSO between sites is a shared cookie - the only requirement is the same domain (as cookies are shared only in the same domain).

Just create a web site responsible for logging users. Let the site create an encrypted cookie upon succesful login. Then each of your application check whether the cookie exists or not and asks the service to decrypt it and return the user info. Signing out consist in deleting the cookie - all your sites react by logging users out when they try to access pages.

There are several existing frameworks based on this idea, check JOSSO for example.

If you'd rather like to implement an enterprise solution, check the WS-Federation protocol. Its implementation is possible with the Windows Identity Foundation framework. Just read the "Programming Windows Identity Foundation" book by Vittorio Bertocci and you'll get all the details.