SiteB中可以限制访问只有经过身份验证的网站A的用户?怎么样? [英] Can SiteB Restrict Access Only to Users Authenticated on Site A? How?
问题描述
我最近一直在要求估计一个作品,这将提供功能用于身份验证的用户访问我们的网站。问题是,用户在不同的网站和放大器验证;域我们是东道主之一。
I have recently been asked to estimate a piece of work which will provide functionality for authenticated users to access our site. The thing is, the user has to authenticate on a different site & domain to the one we are hosting.
用户的身份验证和SiteA.com他们提供了一个链接到我们的网站,网站B。只有谁对站点A认证的用户被允许访问SiteB.com。
The user authenticates on SiteA.com and they are provided with a link to our site, SiteB. Only users who have authenticated on SiteA are allowed to access SiteB.com.
我还不知道什么是认证系统站点A正在使用,但我想我会问社会为一些初步想法。这甚至可能?我需要什么考虑?
I don't yet know what authentication system SiteA is using, but I thought I'd ask the community for some initial thoughts. Is this even possible? What do I need to consider?
感谢
推荐答案
单点登录是可以使用的表单验证。具体操作步骤如下:
Single Sign On is possible using Forms Authentication. Here are the steps:
- 配置两个站点窗体身份验证和设置的相同 机键(这是第4步很重要)。
- 用户的身份验证和SiteA.com一个cookie发出他在这个网站。
- 伪造的站点A的链接,会后载SiteB.com在一个隐藏字段添加到页面中的身份验证Cookie值,不需要身份验证(请确保您只张贴了HTTPS)的形式。
- 在SiteB.com页面读取贴标记的值,使用的 FormsAuthentication.GetAuthCookie
- 重定向到SiteB.com的认证部分
- Configure both sites for forms authentication and setup same machine keys (this is important for step 4).
- User authenticates on SiteA.com and a cookie is issued for him on this site.
- Forge a link on SiteA that would POST a form containing the authentication cookie value in a hidden field to a page on SiteB.com that doesn't require authentication (make sure you post only over HTTPS).
- The page on SiteB.com reads the value of the posted token, decrypts it and issues an authentication cookie for SiteB.com using FormsAuthentication.GetAuthCookie
- Redirect to the authenticated part of SiteB.com
这篇关于SiteB中可以限制访问只有经过身份验证的网站A的用户?怎么样?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!