1
votes

I have a SharePoint page inside which is an iframe to another ASP.NET site.

1) I'm just wondering which security context the iframe uses to load the ASP.NET page?

  * Current logged on user to SharePoint
  * Current Windows identity (the person who has logged on to the PC)

In my tests it's apparently the latter, but I'm just not quite sure.

2) How do I set the iframe to load the ASP.NET page using the SharePoint user credentials?

Thanks for your help.

2
I think you may need to provide a little more information. What form of authentication are you using (for both sites)? Where are both sites hosted (different sites on the same server?). If you are Windows authenticating on SharePoint and the IFRAMEd ASP.NET site is on a totally different external website then you're out of luck as you'd be mix/matching your authentication credentials. - Paul Hadfield
I left it for you to advise on the authentication. They both are currently using NTLM but I doubt it's the right authentication. Different sites on different servers. Even if I put both sites on the same server, I don't think it would differ, would it? The iframe will still use the user's credentials rather than SharePoint credentials - or please correct me if it's wrong. - Dynamic

2 Answers

0
votes

If you are loading something in an iframe this is all happening on the client, so it is equivalent to navigating to a page on another site. You will need to authenticate again on that other site, unless you have some SSO mechanism.

0
votes

One way is this:

  1. From the custom SharePoint SSO login page (you can use either FBA or Windows Authentication), a request is made to an auth web service which accepts the username, hashed password and domain of the user, and stores them in memory or a database along with a userKeyToken. It validates the input arguments and, when they are valid and can be authenticated, it sends back a userKeyToken, which is an encrypted value representing the logged-in user. It can use a symmetric encryption algorithm; not sure which one is the safest to use.

  2. The login page on the client site stores this key as a cookie or in its session; perhaps session is better since it's in memory.

  3. The iframe sends this key as a query string (or a cookie?) to the second site and the second site checks the userKeyToken; if it's still valid then it proceeds...

Hope it helps someone with the same problem.
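The token handoff in steps 1 to 3 of the answer above, sketched as an added example that is not part of the original answer. It swaps the answer's symmetric encryption for an HMAC-SHA256 signature and adds an expiry, an audience and a single-use nonce; the class name `UserKeyToken`, its method names and the shared 32-byte key are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Hypothetical helper: the auth service calls Issue, the iframed site calls Validate.
public sealed class UserKeyToken
{
    private readonly byte[] _key; // shared secret (assumption: 32 random bytes known to both sites)
    private readonly HashSet<string> _seen = new HashSet<string>(); // used nonces; in-memory for the demo
    public UserKeyToken(byte[] key) { _key = key; }

    // URL-safe base64 so the token survives a query string unchanged.
    static string B64(byte[] b) => Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    static byte[] UnB64(string s) => Convert.FromBase64String(
        s.Replace('-', '+').Replace('_', '/').PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    string Sign(string payload)
    {
        using (var h = new HMACSHA256(_key)) return B64(h.ComputeHash(Encoding.UTF8.GetBytes(payload)));
    }
    static bool SameString(string a, string b) // comparison without early exit
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
    // Step 1: called only after the user has been authenticated.
    public string Issue(string user, string audience, DateTimeOffset now, int lifetimeSeconds = 60)
    {
        var nonce = new byte[16];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(nonce);
        string exp = now.AddSeconds(lifetimeSeconds).ToUnixTimeSeconds().ToString();
        string payload = string.Join("|", B64(Encoding.UTF8.GetBytes(user)), audience, exp, B64(nonce));
        return payload + "." + Sign(payload);
    }
    // Step 3: returns the user name, or null when the token is rejected.
    public string Validate(string token, string audience, DateTimeOffset now)
    {
        int dot = token == null ? -1 : token.LastIndexOf('.');
        if (dot < 0) return null;
        string payload = token.Substring(0, dot);
        if (!SameString(Sign(payload), token.Substring(dot + 1))) return null; // forged or altered
        string[] p = payload.Split('|');
        if (p.Length != 4 || p[1] != audience) return null;                    // minted for another site
        if (!long.TryParse(p[2], out long exp) || now.ToUnixTimeSeconds() > exp) return null; // expired
        lock (_seen) { if (!_seen.Add(p[3])) return null; }                    // already used once
        return Encoding.UTF8.GetString(UnB64(p[0]));
    }
}
```

A token carried in a query string can end up in server logs and browser history, which is why this one is short-lived and accepted only once. After `Validate` returns a user name, the second site would set its own session rather than accept the same token again.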