<foreword>Please read this explanation of Forms Based Authentication (FBA) first if you are unfamiliar with how FBA works or is implemented. </foreword>
Achieving single sign-on capabilities using Forms Based Authentication is much easier than I had initially expected, yet it took awhile to find the exact settings required. To get FBA working in SharePoint click here for a good starter from the SharePoint team blog. I also used this article from MSDN as a reference for ultimately determining what settings were necessary in our environment.
Small back story for what we are doing. We have a SharePoint farm that has split authentication: Windows Integrated for users on the network at the office and FBA for users out in the field on the extranet. Separate from our SharePoint farm is a .Net web application to assist with password reset and registration. When the user logs in to SharePoint via FBA they are redirected to the external application if there is any problem with their account. We wanted to implement single sign-on between the applications so that a user wasn’t re-prompted for credentials after the redirect.
The general solution involved the following main items:
- Changes to both applications’ web.config files
- Configuring host headers for each app to be in the same domain lookup
- 1 line of code to read authentication cookie
So let’s review what was added to get this working starting with the web.config entries.
<machineKey validationKey="value" decryptionKey="value"
validation="value" decryption="value" />
For the web.config entries you’ll need to ensure that both apps are set to Forms authentication. Next specify a “name” value which will be used to identify your authentication cookie on the receiving application. By default this value is “.ASPXAUTH”. Specify the domain that each web application will be run under. Using host headers your site URLs might look like “site1.mydomain.com” and “site2.mydomain.com”. Specify protection=”All” so that the authentication cookie is encrypted using the machineKey value that you specify. Lastly provide identical machineKey entries on each web application so that both can read the authentication cookie provided by each other. I used a free random machine key generator in my development environment, but you’ll probably want your security team to handle generating and keeping track of keys for non-development environments.
string loggedInUser = FormsAuthentication.Decrypt(Request.Cookies.Get("cookieName").Value).Name