Security :: Extending Asp Forms Auth To Be Multi Tenant / Domain?
Jan 24, 2010
I am developing a web application which implements membership, roles and profiles. I also want it to be multi-tenant / multi-domain. By this I mean that I will have hundreds of domain names pointing at the same web application. I want users to be able to create accounts at each individual domain. I want the opposite of "single sign on". I want users to be able to use the same username, email address and password (or different ones, at their choice) to create accounts at the different sites. I do not want users to have any awareness that the different domains have any relation to each other as they will look different and have different content. The first problem I run into is that usernames have to be unique within the forms auth aspnet db.
Well, if they want to use the same username to register on 10 different sites then I need to support that. My first thought was that instead of identifying a user by their username, I need to extend the aspnet tables and sprocs to consider the username + a unique site identifier. Is there any sample code or has anyone else ever done this before? Should I just abandon the built in aspnet forms auth and roll my own custom auth scheme? The data on the sites is not sensitive so security isn't really that important to me.
I have been seeking the best way, or at least a good way, to handle Client Access for a Multi-Tenant/SaaS-type web app designed with MVC 2.There are no tricks as far as client customizations needed here. So every company will have the same experience on the app. I just need to understand how I can isolate the experience so that a logged in user only sees data relevant to his company. My tactic is that my database houses a "tenantID" column for each row so I can easily isolate the rows that way. I am wondering if the default provider using the ASPNETDB.mdf can be modified to route users to their assigned company data. I have seen examples using route paths ({tenant}/{controller}/{action}/{id}) but even those threads express doubts. So if anyone has a good method that they are comfortable with, I am all ears (or eyes).
if it is possible to use a WCF Dataservice as the MemberShipProvider for a forms auth application. I have written code for a provider (below), but I do not know what to do as far as a connection string, or any other web.config properties. Please Help!!! Here is the code for my provider, anytime it says Odbc that is because I based this off of the custom Odbc provider on the msdn site. The only ACTUAL references to any odbc connection are in the comments:
Been scratching my head on this one today quite a bit. Time to ask the guru's.Implementing your basic Forms Auth for a 2.0 web app in conjunction with SQL Membership Provider and Role Provider. Web.Config from virtual directory root
[Code]....
All other subdirectories do not contain web.config files but rather wanted them to just work off inheritence from the root web.config. Upon publishing of this setup - I am having one hell of a time maintaining the user 'authenticated' state. (Not sure if that's the best explanation of what is going on.. but)
I'm building a multi-tenant ASP .NET application. Given that each tenant can configure their application dynamically (which may involve dynamic custom assemblies being loaded into memory), I need a means of isolating each tenant.
I'd prefer not to create a new Web Application per tenant for maintenance reasons.
I've was considering using the AppDomainManager to create an AppDomain per application, but it seems this is not intended to be used for ASP .NET applications.
I've been all around the net for weeks now trying to figure out the best way to set up a Multi-tenant website (building a web app that multiple companies and their employees will use). As far as a database goes, I am interested in using one database with a copied set of tables for each company. As far as managing the login and security in MVC2 I am lost with the myriad of examples (mostly old and not MVC) that I have seen. So ideally my app would allow a company rep to register their company and then be able to add their own employees to the site. Then all employees could login and be securely associated with their own company's tables (table names would be appended with their AccountID).
I'm not sure if this would be handled using routing or session variables or what the more ideal and up to date methods might be. Like others who have discussed this issue, it seems like this should be a much more fleshed out solution as it is becoming a more common use on the internet. I'm even willing to simplify the database down to one set of tables that stores an AccountID in each row if needed.
In a multitenant system that hosts multiple organizations and applications, where an organization may use several applications hosted on the system, should my user and role model be such that a single user or role can exist across multiple applications and organizations? Or should I limit a user entity to a single organization/application pair and then define some overarching model to tie those user entities together? That is: John Doe is a person He wants to use ApplicationA and ApplicationB He works for two different companies (just bear with me), OrganizationA and OrganizationB Should the user model be:
johndoe@someuniquesuffix is his unique user name. This gives him access to both applications for both organizations. johndoe@applicationa@organizationa is his username for ApplicationA at OrganizationA. [URL]is his username for ApplicationB at organizationA...and the same for OrganizationB. Then have some "master" list that says that all 4 user accounts for the apps/orgs correspond to the same actual "person", John Doe?
The same scenario(s) described above applies to how I will design my Role schema.
I can do the database and security side with no problems, I can also get the hostname from the URL, but what I am struggling to find out is how to create the basic plumbing that would allow a new customer to sign up online, provide their company name, and for the application to create the new URL, ready to be used straight away.
im trying to build my first multi-tenant application, i used a shared database and it is complete now, i want to build the app now, and i tried this approach: all urls in the app have the following form ~/user/page.aspx(user directory is logical) where user is the current user, which is saved in a session after he logs in. when the user requests a page, say ~/user/profile.aspx, he is routed to the real page ~/profile.aspx and then his data are retrieved from the database. i dont think this is how multi tenant applications work, but i couldnt think of another method.
I currently have a MVC2 application hosted on premise that allows the user to add custom extensions (controllers, filters, views, validators) so that they can extend the application to suit their needs. I'm using MEF as my composition container, but MVC2 relies on the extensions (assemblies, views and scripts) to be located in a particular directory or found at runtime based on a configuration setting. The MEF catalog is instantiated at startup meaning if any new extensions are required to be added or updated then the application needs to be restarted. This is all fine in a single-tenant world but now I want to make it multi-tenant hosted in the azure cloud.
The problem I forsee is the location of the custom extensions and how they are deployed. My initial thought is to use azure blob storage (one per tenant) to store the custom extensions and then download per-session (rather than Application Startup), however in the past the way MVC has worked is it tries to resolve assemblies and find views within the current AppDomain whereas my assemblies and their embedded resources will be in memory.
I'm after a bit of advice on how to handle a multi tenant site in ASP.NET from a UI perspective. What I want to be able to offer is a choice of layouts to the client i.e.
Layout 1: Navigation horizontal at the top. Search results in a table in the middle. Some text at the bottom.
Layout 2: Navigation vertical on the left. Some text in the middle. Search results at the bottom
Layout 3, Layout 4, Layout x etc...
Each element within the various layouts can differ too. For example, the search results might look like simple list in Layout 1, but will have a completely different look in Layout 2. Once a client has decided on Layout x, I then need to apply their company identity to the layout by changing the colours, logos, etc.
I have scoured the web and have yet to find and example that matches my requirements.
What I have is an existing multi-tenant asp.net application where all users authenticate against a single SQL Server database. This database also contains several other settings type data that is used within the application. Each client after authentication, utilizes thier own SQL Server database for data storage, for isolation purposes. Essentially all of the client database are identical and reside on the same server, but reside on one or more servers as well.
The application is currently written in asp.net 2.5 framework and utilizes the Micrsoft Practices Enterprise Library for DAL. Wnd we are looking to migrate to 4.0 and implement NHibernate to replace the MPEL.
I have implemented a solution already using NHibernate and the 4.0 framework, so I am familar with the concepts. I found the resources for my current session manager here as a matter of fact. But that application only had a single database, so not much too it.
The implementation is essentially what you see here:
[URL]
The other solutions that I have seen multiple config entries and/or files to manage this, but that is not desireable, since we may add new clients frequently and all of the connection information is already maintained in the authentication database.
My application is used by several customers, who needs to maintain their own database. Currently I'm keeping all the connectionstrings and according to the user, change it. (In a case of CRUD operation). Is this errenous way? I don't know much about MultiTenant applications. Is that the best solution for my problem?
we are building a multi-tenant application, which will support that each tenant can have a unique top level domain, the application is build using the asp.net 3.5 and SQL servr 2005, while each tenant will have different database. I have seen a number of questions about the similar applications on the StackOverFlow, but none of them is related to the Testing, I want to know is how one can test the application in a development environment, specially How can we test that each customer connects to his own DB based on the URL. how can we emulate different domains on the local system. like [URL] and [URL]all goes to dev machine's IIS.
We're running IIS7 and have windows authentication enabled. Everything else is disabled. When we go to the page though, we aren't prompted for a windows logon, but are redirected to the default forms authentication login page (Accoun
I have done some research and tried to find answers on how to integrate forms authentication with ASP.NET but all I can find is for 2.0. I don't mean to sound ignorant or annoying about it, but does anyone have a quick link to somewhere where I could find out how to integrate a custom SQL Server DB (with username, password, id, etc columns for user) with ASP.NET 4.0?My application is actually a Silverlight Business Application where I am trying to log in/register users in a separate Database in a SQL Server 2008 engine
I am having difficulty deploying a Silverlight 4 RIA services Web app to IIS 6 on Windows Server 2003. The application works fine when running on the development server. However, when deployed to a production server, all the Web service calls redirect to the login page.
Here are the details:
The site uses forms authentication. Login is via an ASP.NET Web page; the Silverlight application does not have its own version of the login page. Login is working correctly.
MSVS 2005 asp.net 2.0 ajax Enabled site MS SQL server 2005
User/logon On server required name: MyDBLogon, access to project database MyFormsAuth
Download project from here : http://www.screencast.com/t/ZmE3ZWM4ZDMt(NOTE: Select 'Download this media' as the top of page) Also I use the FREE trial demo of this tool : http://www.qualitydata.com/products/aspnet-membership/download.aspx
Project : The Member logs on with email address and password.
admin logon is : admin@yahoo.co.nz, password is 12345
The issue: I use Logonview control to show menu for each role type. See 'controls' folder.
When You first run the project you will see it in the main page...LIke
"Admin, Members, MembersX, Welcome etc"
Logon..it works fine.
The test.. close browser, to test Authentication ticket cookie.
Re run view project ( we are now testing the forms authentication process as cookie is being read to see if authentictaion is still active).
When the page runs, and authenication is active, proven by going to public page IsAuthenticated=true", fine, BUT The page direction usercontrol ( ie logonview control) is not visible, it doesnt work on the new browser run ??
I have multiple sites with main and subdomain. all doing one same method for the login. login is done with the multi domain cookie but there is problem with the logout. I'm using cookie and session for that state.
When ever I logout form the any domain. I should logout form the all domain.
(Like yahoo or google)
As per my method , My all domain have logout page which has code
[Code]....
and main site(www.domain.com) have [Code]....
So what can I change in this code to do the Logout process for the all subdomains.
I am working on a site that uses windows authentication, but I have one page for password resets that I want to allow anonymous access to.I have tried doing authorization, allow users="*", but it doesn't appear to work with this.Do I need to have another seperate site for this section?
I'm trying to setup my IIS 7.0 MVC2 site but having problems.I want to use Integrated Security so that the app can obtain the user's credentials. We can then do a look-up of some AD groups to determine what they can do from that point onwards.The problem is - Every time we browse to the application, instead of navigating to our main page immediately, we get a login prompt provided by IE. I've read that we need to make sure that in the browser's Tools->Options->Advanced-> (Securiy-> ENable Windows Intagrated Security) must be checked - which it is on ALL 3 machines where I try this.
The machines AND the server are all in the same domain.My config file states <authentication mode="Windows" /> and I've tried every combination for <identity...> and <authorization...> but to no avail. I can only get the "login" prompt to go away if I enable Anonymous Authentication - but then I can't detect the windows user or their group membership.
Let's say I'm currently authenticated in an application (namely: applicationA) and I click a link that will take me to another application (namely: applicationB). Is it correct that in order to bypass authentication of applicationB, I'll just create a ticket for that application telling the web server that I'm already authenticated?
My feeling says it's not posible but anyway I am curious if there is at least a workaround for accomplish this.Basically I am working at my client site and my machine is not connected to the domain.What I want to do is running a web application locally under a domain account, and using the webdev server.The webapp uses the default authentication, windows authentication that is.I tried using impersonation with domainuser & password but I got the following error Could not create Windows user token from the credentials specified in the config file. Error from the operating system 'Logon failure: unknown user name or bad password.I have to mention that the username and the password are correct.