2

Background Info: We've develop 3 standalone ASP.NET application that now are also being sold as a suite. A customer is able to order either 1, 2 or all applications.

Being standalone applications, this brings a challenge to us and we're not entirely sure how to fix it: authentication. The applications all have their own Indentity implementation, which forces the customer to create each user account 3 times and users need to log on seperatly for each application. As a result, the clients request a SSO implementation.

Problem: We've done some research to SSO and the Thinktecture IdentityServer seems really nice and able to solve our problem. However, users are connected to some entities in the applications. We've encountered some problems:

  • How to ensure consistency (or foreign keys) between the IdentityServer and the three client applications?
  • Users need to be available from within the application the moment they are created (users need to be able to select other users, even though they haven't logged on yet). How do we make sure users are created in the applications when the user is created in identity server?

Possibly we're entirely on the wrong track - are there any other solutions to solve the problem we're facing? Many thanks in advance..

Improve this question

2 Answers 2

Reset to default
1

First off, keep in mind that there is an OWIN Authorization server baked into the vs2013 web template, and you can tear it out into a standalone server if you so choose. In other words, the Thinktecture server isn't your only option, although it is more robust and full featured.

To address your issue at hand, a couple of options come to mind:

  1. Break your user management out into a separate database and a separate DbContext. You can manage all the users in a single, centralized database, and reuse the DbContext and derived IdentityUser classes if you write the code as a class library. This is the easier, faster, and less complex way to handle the situation.
  2. Create a secured Web API for creating users and include it on all 3 sites. Subclass the Identity UserManager and make call to the other two sites to create the user first on the other sites, then on the current site. Upon failure on any of the sites, don't create the user and roll back on any sites where a user was created. This option would require quite a bit more work than the first option since you'd have to keep things in sync, but if for some reason you cant use a single database for user management, this would work.
Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

0

You need to turn off a DBA in your head and look on things differently. Foreign keys are only available in relational databases, and even there you can't always link to entities in other DB, even if DBs are sitting on the same server.

So let go the "Foreign key" requirement and just use usernames or UserIds (probably GUIDs) to associate your domain objects with users.

As for the second requirement - I'm not sure what the question is. If you are saying you need to create domain entities for users that don't exist yet, then you are screwed anyway - you can't work with something that does not exist. Simple answer is to create Users in Identity server first, then create domain entities for that user. And then later on you can change the user properties and give username/password to real people for usage.

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.