0
votes

I have made an ASP.NET MVC application that has custom forms authentication. Besides that, it needs to authenticate users from SharePoint (in other words, I need to pass the user from SharePoint to the ASP.NET MVC application). SP and the ASP.NET MVC app are in the same domain, and SP is using AD to authenticate users. I have searched Google/SO and so far I haven't found any good solution.

Note: I need a secure way of passing the user from SP to the ASP.NET MVC application ... I saw a few examples that pass the user through a URL parameter, and I think that this is not a secure thing to do.

2
Yes, they are in the same domain and users on SP are authenticated through it. - Ivan Milosavljevic
No, I mean are they on like sharepoint.somesite.com or mvc.somesite.com? - Daniel A. White
We haven't decided that yet, but if putting both apps in the same domain gives us an advantage then we will put them in the same domain... - Ivan Milosavljevic

2 Answers

2
votes

Why not use a URL parameter?

using System;

public class SecureToken {
    public Int32 UserId {get;set;}
    public DateTime DateCreated {get;set;}
    public DateTime ValidTill {get;set;}

    public SecureToken (Int32 userId) {
        this.UserId = userId;
        this.DateCreated = DateTime.Now;
        this.ValidTill = this.DateCreated.AddMinutes(0.5); // 30 seconds
    }
    public String ToEncryptedToken() {
        // Do serialization,
        // Then encrypt with, for example, TripleDES
        // Escape for URL
        // Return the string argument for the URL
        throw new NotImplementedException(); // sketch only: steps above are not implemented
    }

    public static SecureToken Decrypt(String input) {
        // If the DateCreated == ValidTill - 30 seconds
        // If ValidTill > Now
        // If decryptable
        // Return deserialized token
        // else throw Authentication error.
        throw new NotImplementedException(); // sketch only: steps above are not implemented
    }
}

The point here is that the token, while in the URL, is viable only for 30 seconds. As an additional parameter you can use HMAC-SHA256 during serialization and check whether this is really your token.
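
An added example, not part of the answer above: an HMAC-SHA256 signed token with a 30-second expiry of the kind the answer describes, with the encryption step left out, so the user ID is readable in the URL but cannot be altered without detection. `HandoffToken`, its members, the token layout and the all-zero sample key are assumptions made for illustration.

```csharp
using System;
using System.Security.Cryptography;
// Added example; HandoffToken, its members and the token layout are hypothetical.
public static class HandoffToken
{
    const int PayloadLength = 13;   // version (1) + user id (4) + expiry as UTC ticks (8)
    const int MacLength = 32;       // HMAC-SHA256 output size

    // Issuing side: bind the user id to an expiry time and sign both.
    public static string Issue(int userId, byte[] key, DateTime nowUtc, TimeSpan lifetime)
    {
        var raw = new byte[PayloadLength + MacLength];
        raw[0] = 1;   // format version
        BitConverter.GetBytes(userId).CopyTo(raw, 1);
        BitConverter.GetBytes(nowUtc.Add(lifetime).Ticks).CopyTo(raw, 5);
        using (var hmac = new HMACSHA256(key))
            hmac.ComputeHash(raw, 0, PayloadLength).CopyTo(raw, PayloadLength);
        // 45 bytes encode to 60 characters with no '=' padding; use the URL-safe alphabet.
        return Convert.ToBase64String(raw).Replace('+', '-').Replace('/', '_');
    }

    // Receiving side: false for anything malformed, forged or expired.
    public static bool TryValidate(string token, byte[] key, DateTime nowUtc, out int userId)
    {
        userId = 0;
        byte[] raw, expected;
        try { raw = Convert.FromBase64String((token ?? "").Replace('-', '+').Replace('_', '/')); }
        catch (FormatException) { return false; }
        if (raw.Length != PayloadLength + MacLength || raw[0] != 1) return false;
        using (var hmac = new HMACSHA256(key))
            expected = hmac.ComputeHash(raw, 0, PayloadLength);
        int diff = 0;   // OR all byte differences so timing does not depend on where they differ
        for (int i = 0; i < MacLength; i++) diff |= expected[i] ^ raw[PayloadLength + i];
        if (diff != 0) return false;
        if (BitConverter.ToInt64(raw, 5) <= nowUtc.Ticks) return false;   // read only after the MAC check
        userId = BitConverter.ToInt32(raw, 1);
        return true;
    }

    public static void Main()
    {
        var key = new byte[32];   // constructed sample key; a real key is random and shared by both apps
        DateTime now = DateTime.UtcNow;
        string token = Issue(42, key, now, TimeSpan.FromSeconds(30));
        string forged = token.Substring(0, 1) + (token[1] == 'T' ? "U" : "T") + token.Substring(2);
        int id;
        Console.WriteLine(TryValidate(token, key, now.AddSeconds(10), out id));    // 10 s after issue
        Console.WriteLine(TryValidate(token, key, now.AddSeconds(31), out id));    // past the 30 s lifetime
        Console.WriteLine(TryValidate(forged, key, now.AddSeconds(10), out id));   // altered in transit
    }
}
```

A valid token can still be replayed until it expires, and URLs end up in server logs and browser history, so the receiving application may also want to remember tokens it has already accepted for the length of the lifetime.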

0
votes

You could configure SP for a custom forms auth provider which in turn validates to the domain - then you are sharing forms auth tokens between apps which is fairly easy:

http://msdn.microsoft.com/en-us/library/ie/eb0zx8fc.aspx