0

I have a couple of websites: A, B, C, ... Website A is an authentication website; depending on the user name, password and an extra parameter, Website A redirects a successful user login to Website B. When the user is logged in, I get in Website A a token derived from System.IdentityModel.Tokens.SecurityToken. My first approach was trying to pass that token to the other website via a POST request, but with no success because the token is too large. First I thought it was serializable, but no: GenericXmlSecurityToken can be converted to XML using ToTokenXmlString(). This is an extension method in Thinktecture.IdentityModel.Extensions; below I am attaching the description of the class.

public static class SecurityTokensExtensions
{
        public static ClaimsPrincipal ToClaimsPrincipal(this SecurityToken token, SecurityTokenHandlerCollection handler);
        public static ClaimsPrincipal ToClaimsPrincipal(this SecurityToken token, X509Certificate2 signingCertificate);
        public static ClaimsPrincipal ToClaimsPrincipal(this SecurityToken token, X509Certificate2 signingCertificate, string audienceUri);
        public static SecurityToken ToSecurityToken(this GenericXmlSecurityToken token);
        public static SecurityToken ToSecurityToken(this GenericXmlSecurityToken token, SecurityTokenHandlerCollection handler);
        public static SecurityToken ToSecurityToken(this GenericXmlSecurityToken token, X509Certificate2 decryptionCertificate);
        public static string ToTokenXmlString(this GenericXmlSecurityToken token);
        public static string ToTokenXmlString(this SecurityToken token);
        public static string ToTokenXmlString(this SecurityToken token, SecurityTokenHandlerCollection handler);
}

As you can see, we can convert the XML to a string, but none of the methods above takes that string and returns a SecurityToken; instead they take a GenericXmlSecurityToken. The constructor of that class is here and depends on more than one parameter.

https://msdn.microsoft.com/en-us/library/system.identitymodel.tokens.genericxmlsecuritytoken.genericxmlsecuritytoken(v=vs.110).aspx

Questions:

  1. Do I need to add something in my web configs to make this possible
    without a POST?
  2. Can I serialize the SecurityToken, POST it to Website B and deserialize it again with all original values (which is the approach in this case)?
Zinov

1 Answer

0

The proper solution would be to use an STS that both websites use for authentication. Manually posting tokens around is a bit hacky.

That said - you can construct a GenericXmlSecurityToken from the XML string. IIRC you can simply pass null to all the ctor arguments that you don't know about.

leastprivilege
  • I am using an STS, but I do not know how to configure it properly, so my solution goes from one point to another. Can you give an example of how the web configs of both sites look using an STS? In my website A I made the authentication login, so I have one controller that says if the user was successfully logged in. After the authentication, how can I redirect the control to the other website with the authentication? Note that I will not make the URL address of website B public, so no one can go directly to B to try to log in; instead, A knows how to redirect a user to the proper website – Zinov May 06 '15 at 12:45
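
The construction the answer describes, sketched for the receiving side (Website B) as an added example; it is not code from the answer or from Thinktecture.IdentityModel. `PostedTokenReader`, `Read` and the parameter names are hypothetical, and the extension methods are assumed to behave as the signatures listed in the question suggest. The posted string is untrusted input, so the token is only accepted after its signature and audience have been checked.

```csharp
using System;
using System.IdentityModel.Tokens;
using System.Security.Claims;
using System.Security.Cryptography.X509Certificates;
using System.Xml;
using Thinktecture.IdentityModel.Extensions;

// Hypothetical helper for Website B (not part of any library).
public static class PostedTokenReader
{
    // tokenXml: the string Website A produced with ToTokenXmlString() and posted.
    // stsSigningCertificate: the certificate the STS signs tokens with.
    // audienceUri: the audience Website B expects inside the token.
    public static ClaimsPrincipal Read(string tokenXml,
                                       X509Certificate2 stsSigningCertificate,
                                       string audienceUri)
    {
        // The XML signature covers the exact bytes, so whitespace must be
        // preserved. The resolver is disabled because the input is untrusted.
        var doc = new XmlDocument { PreserveWhitespace = true, XmlResolver = null };
        doc.LoadXml(tokenXml);

        // Only the XML element is required. The other constructor arguments
        // are unknown on this side and are passed as null, as the answer
        // suggests. The two dates are placeholders: the validity period that
        // matters is the one inside the signed XML.
        var generic = new GenericXmlSecurityToken(
            doc.DocumentElement,
            null,                           // proofToken
            DateTime.UtcNow,                // effectiveTime (placeholder)
            DateTime.UtcNow.AddMinutes(5),  // expirationTime (placeholder)
            null,                           // internalTokenReference
            null,                           // externalTokenReference
            null);                          // authorizationPolicies

        // Turn the wrapper into the concrete token type, then validate it
        // against the expected signer and audience (assumption: this is what
        // the ToClaimsPrincipal overload with a certificate and audience does).
        // A failed check surfaces as an exception; no principal is returned.
        SecurityToken token = generic.ToSecurityToken();
        return token.ToClaimsPrincipal(stsSigningCertificate, audienceUri);
    }
}
```

Any exception from `Read` should be treated as a failed login on Website B, not caught and ignored.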