How to join 2 existing Web systems into one authorization/authentication system


We have 2 independent web systems (both have independent authentication systems). One of the systems is in ASP.MVC4.

How can they be joined into one simple and easy-to-use authentication/authorization system?

UPDATE: Suppose that we have SSO, and both web apps are in different networks separated by the Internet. How do we secure the communication so that the token is sent across the Internet in a secure way?


There are 2 best solutions below

Score: 4

The easiest way to share forms authentication is to get both applications to read each other's authentication cookie.

This is only possible if both your applications are on the same domain. If they aren't on the same domain then the cookie will not be passed between the applications.

In order for each application to share cookies they need to have the same machine key defined in their Web.config files.

Manually add the same machineKey element in each of your applications' Web.config, like the one below.

<machineKey
  validationKey="CF4B1F0C30234C61CC44A26389CE218C77E9CB76C4FFB56AE24F9DDAAF251749408EA3E3B72EB9B29AF502F5533B59B4A9D1CEB7708D37CC9A53F18DDF66E84F"
  decryptionKey="A4174A48728061A454B419DBB61AD4262AB1C45309D9AB7219760674CF880C2C"
  validation="SHA1" decryption="AES"
/>

Hope this helps.

Score: 7

You should implement SSO. It depends on whether you are using the same domain or not:

Same domain: It is very easy to achieve: set the domain property of the forms authentication cookie to the root domain and configure the same machine keys for both applications; make sure that the target .NET Framework is the same.

Cross-domain SSO is more challenging. There are many steps:

  • Set up a master domain for users to log on. For example logon.com
  • When a non-authenticated user attempts to access a protected resource on one of the 2 applications, he is redirected to the logon domain for authentication.
  • The user authenticates and the logon domain generates a session identifier containing the username of the logged-in user. This session id is encrypted using a symmetric algorithm with a shared secret between the 3 domains. The logon domain also sets a forms authentication cookie to indicate that the user is already authenticated there.
  • The logon domain redirects back to the protected resource, passing along the session identifier.
  • The application holding the protected resource decrypts the session id to extract the username and sets a forms authentication cookie on its domain.
  • The user requests a protected resource on the second domain.
  • Since he is not yet authenticated, he is redirected to the logon domain.
  • The user is already authenticated on the logon domain, and a session identifier is generated using the same technique and passed back.
  • The second domain decrypts the session identifier to extract the username and emits a forms authentication cookie for the second domain.

You can find more information here
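The question's UPDATE asks how the session identifier in the flow above survives a trip across the Internet. Encrypting the username with a shared secret, as the answer describes, hides it but does not by itself stop an attacker from tampering with it, replaying it, or presenting a token minted for one application to the other. The following is an added example, not code from the question or from either answer: one way to build the "encrypted session identifier" so that it is authenticated (AES-CBC followed by an HMAC-SHA256 tag, checked before decryption), short-lived, bound to a target application, and usable only once. It assumes the logon domain and both applications share the same 32-byte encryption key and 32-byte MAC key (distributed out of band, for example via appSettings), that the token travels in a query string over HTTPS, and that names such as "app1.example" are illustrative. It targets the .NET Framework 4.x APIs an MVC4 application would have.

```csharp
using System;
using System.Collections.Concurrent;
using System.Security.Cryptography;
using System.Text;

// Added example: authenticated, expiring, audience-bound SSO token (not the page's own code).
public static class SsoToken
{
    private static readonly TimeSpan Lifetime = TimeSpan.FromSeconds(60);   // only has to survive one redirect
    // Nonces this application has already accepted; a web farm needs a shared, pruned store (assumption).
    private static readonly ConcurrentDictionary<string, long> SeenNonces = new ConcurrentDictionary<string, long>();

    // Logon domain side: mint a token for `username`, addressed to the application named by `audience`.
    public static string Issue(string username, string audience, byte[] encKey, byte[] macKey, DateTime nowUtc)
    {
        if (username.Contains("|") || audience.Contains("|"))
            throw new ArgumentException("'|' is the field separator");
        byte[] nonce = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(nonce);
        long exp = ToUnix(nowUtc + Lifetime);
        string payload = string.Join("|", "1", exp.ToString(), Convert.ToBase64String(nonce), audience, username);

        byte[] iv, ct;
        using (var aes = Aes.Create())                         // CBC + PKCS7 by default on .NET 4.x
        {
            aes.Key = encKey; aes.GenerateIV(); iv = aes.IV;   // fresh IV per token
            byte[] pt = Encoding.UTF8.GetBytes(payload);
            using (var enc = aes.CreateEncryptor()) ct = enc.TransformFinalBlock(pt, 0, pt.Length);
        }
        byte[] body = Concat(iv, ct);                          // encrypt-then-MAC: tag covers IV and ciphertext
        using (var h = new HMACSHA256(macKey)) return Base64Url(Concat(body, h.ComputeHash(body)));
    }

    // Application side: returns the username, or null when the token must be rejected.
    public static string Verify(string token, string expectedAudience, byte[] encKey, byte[] macKey, DateTime nowUtc)
    {
        byte[] raw;
        try { raw = FromBase64Url(token); } catch (FormatException) { return null; }
        if (raw.Length < 16 + 16 + 32) return null;            // IV + at least one AES block + tag
        byte[] body = Slice(raw, 0, raw.Length - 32);
        byte[] tag = Slice(raw, raw.Length - 32, 32);
        byte[] expectedTag;
        using (var h = new HMACSHA256(macKey)) expectedTag = h.ComputeHash(body);
        if (!FixedTimeEquals(tag, expectedTag)) return null;   // reject before decrypting: no padding oracle

        string payload;
        using (var aes = Aes.Create())
        {
            aes.Key = encKey; aes.IV = Slice(body, 0, 16);
            byte[] ct = Slice(body, 16, body.Length - 16);
            using (var dec = aes.CreateDecryptor())
                payload = Encoding.UTF8.GetString(dec.TransformFinalBlock(ct, 0, ct.Length));
        }
        string[] f = payload.Split('|');
        if (f.Length != 5 || f[0] != "1") return null;
        long exp;
        if (!long.TryParse(f[1], out exp) || ToUnix(nowUtc) > exp) return null;   // expired
        if (f[3] != expectedAudience) return null;             // minted for the other application
        if (!SeenNonces.TryAdd(f[2], exp)) return null;        // already consumed: replay
        return f[4];
    }

    private static long ToUnix(DateTime utc) { return (long)(utc - new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc)).TotalSeconds; }
    private static byte[] Concat(byte[] a, byte[] b) { var r = new byte[a.Length + b.Length]; Buffer.BlockCopy(a, 0, r, 0, a.Length); Buffer.BlockCopy(b, 0, r, a.Length, b.Length); return r; }
    private static byte[] Slice(byte[] a, int off, int len) { var r = new byte[len]; Buffer.BlockCopy(a, off, r, 0, len); return r; }
    private static string Base64Url(byte[] b) { return Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_'); }
    private static byte[] FromBase64Url(string s) { s = s.Replace('-', '+').Replace('_', '/'); return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '=')); }
    private static bool FixedTimeEquals(byte[] a, byte[] b)    // constant-time compare (.NET 4.x has no built-in)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        byte[] encKey = new byte[32], macKey = new byte[32];   // constructed demo keys; real keys come from config
        using (var rng = new RNGCryptoServiceProvider()) { rng.GetBytes(encKey); rng.GetBytes(macKey); }
        DateTime now = DateTime.UtcNow;
        string t = SsoToken.Issue("alice", "app1.example", encKey, macKey, now);
        Console.WriteLine(SsoToken.Verify(t, "app1.example", encKey, macKey, now) ?? "rejected");   // valid first use
        Console.WriteLine(SsoToken.Verify(t, "app1.example", encKey, macKey, now) ?? "rejected");   // same token again: replay
        string t2 = SsoToken.Issue("alice", "app1.example", encKey, macKey, now);
        Console.WriteLine(SsoToken.Verify(t2, "app2.example", encKey, macKey, now) ?? "rejected");  // wrong audience
        Console.WriteLine(SsoToken.Verify(t2, "app1.example", encKey, macKey, now.AddMinutes(5)) ?? "rejected"); // expired
        string tampered = t2.Substring(0, 10) + (t2[10] == 'A' ? 'B' : 'A') + t2.Substring(11);
        Console.WriteLine(SsoToken.Verify(tampered, "app1.example", encKey, macKey, now) ?? "rejected"); // MAC failure
    }
}
```

The four rejection cases in Demo are the ones the redirect across the Internet exposes you to: a captured token being resubmitted, a token for one application being presented to the other, an old token being reused later, and a modified token. HTTPS on every leg is still required (it keeps the token out of proxy logs and off the wire in the clear), but it does not replace any of these checks, because a token is also visible in browser history and Referer headers. The same-domain machineKey sharing from the first answer does not apply here; with separate domains the shared keys are the encKey and macKey above, which should live in protected configuration, not in source control.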