A Single Sign-in Web Service in ASP.NET
Most of today's sites require users to undertake a registration process to allow the site owners to keep in touch with, or offer services to, those visitors. Building up a user base like this requires patience and dedication. Offer a new service or a new Website, however, and, typically, you'll need to start your user base from scratch yet again.
This article outlines a strategy for creating portable membership tools. We'll see how Web Services and server controls give you the ability to produce a single sign-in for all your sites and resources.
The Challenge
The notion of a single sign-in for a Website has been around for years. Most notably, Microsoft's implementation in the form of the .NET Passport, and the Liberty Alliance Project (backed by big hitters like Visa and GM), have had moderate success in saving users and developers from the issues of site membership.
However, the license fees of systems like Passport put them out of the reach of many Web developers. Passport, for example, costs $10,000 a year and an additional $1,500 compliance fee per URL.
While the tools outlined in this article won't give you all the advantages of using Passport (most notably, Passport's 200 million-strong user base, or its security), the solution we'll discuss does offer a simple method of organising your user base over multiple sites or resources.
Architecture
The design of the tools needs to be such that we can create separate applications -- even non-.NET applications -- and still access and authenticate our user base.
Web Services
The heart of the login system is a Web service. A Web service allows you to extract and distribute specific functionality of your applications so that it can be reused by other applications, even if they aren't written in .NET. This provides the perfect platform for our login system, affording us the flexibility to produce some of our sites as non-.NET applications; for example, PHP, ASP, or JSP. We can even write desktop applications to include our login functionality.
Database Design
A database will contain information for all our users, and is queried by the Web service to authenticate, locate, and return users to our applications. As only the Web service will communicate with the database directly, our applications will not need to know how to access the database, nor deal with SQL statements.
The Member Object
The Web service will use a Member object defined by us to represent a user of our site. This object will give us access to the details of the currently signed-in user.
User Controls
After we produce our Web service, we can build some ASP.NET user controls that encapsulate the common functionality of user registration and authentication. The user controls will communicate with the Web service, presenting us with simple properties and events to control the membership of our site.
Designing the Login Web Service
The Web service needs to encapsulate all the functionality we'll require to register and authenticate a user; hence it will require the following methods:
bool createUser(Member m)
Member authenticateUser(string userName, string password)
Of course, this isn't all the functionality that's possible. We could, for example, have methods to control the modification of a user, the loss of a password, or the removal of a user from our system. However, this article will concentrate on creation and authentication.
Both of the methods reference an object, Member. This class will represent a user; it contains all the information we know about the user we're dealing with. The class will have the following properties:
string userName;
string hashedPassword;
string emailAddress;
string fullName;
Here's the C# source code for this class. There's nothing fancy here, just code for the four properties:
namespace Sitepoint.SingleLogIn
{
    // Represents one user of our sites; passed to and returned by the Web service.
    public class Member
    {
        // Backing fields for the four properties.
        private string _UserName;
        private string _Password;
        private string _FullName;
        private string _EmailAddress;

        public string UserName
        {
            get
            {
                return _UserName;
            }
            set
            {
                _UserName = value;
            }
        }

        public string Password
        {
            get
            {
                return _Password;
            }
            set
            {
                _Password = value;
            }
        }

        public string EmailAddress
        {
            get
            {
                return _EmailAddress;
            }
            set
            {
                _EmailAddress = value;
            }
        }

        public string FullName
        {
            get
            {
                return _FullName;
            }
            set
            {
                _FullName = value;
            }
        }
    }
}
To create a user on our system, we first create an instance of the Member class and fill it with the personal information for the user. We then pass this to the createUser method on the Web service. This returns true for a successful addition, and false if a problem is found with the information (for example, if the username already exists).
To authenticate a user, we pass that user's username and password to the Web service and, if these details are authenticated, a Member object representing the user is returned.
A database table will be used to store our user details. The fields of this table will correspond to the user information:

Hence, the SQL we'll use to create the table is as follows:
-- User is a reserved word in T-SQL, so the table name is bracketed.
CREATE TABLE [User]
(
    ID int IDENTITY (1,1) NOT NULL,
    UserName varchar(200) NOT NULL,
    Password varchar(64) NOT NULL,
    EmailAddress varchar(200),
    FullName varchar(200)
)
With the database created, and our Member class coded, we can now flesh out the methods in the Web service to include our functionality.
The createUser method will first check to see if the username contained within the passed Member object has been registered before (implemented in the private method userExists). If it has, the method will return false. If all is well, however, the user can be added to the database (through the private method addUser).
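The createUser and authenticateUser contract described above can be sketched as follows. This is an added example, not the article's own code: the LoginService class name, the in-memory dictionary standing in for the User table, the PBKDF2 parameters and the "salt:hash" storage format are all assumptions, and it needs .NET 6 or later.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;
public class Member { public string UserName, Password, EmailAddress, FullName; } // compact stand-in
public class LoginService // hypothetical name
{
    const int Iterations = 100000; // assumed PBKDF2 work factor
    // Constructed stand-in for the User table, keyed by UserName.
    readonly Dictionary<string, Member> _rows = new Dictionary<string, Member>();
    // Hash checked for unknown usernames, so both paths cost one PBKDF2 run.
    static readonly string Dummy = Hash("", new byte[16]);
    // "salt:hash" in Base64: the value the Password column would hold.
    static string Hash(string password, byte[] salt) =>
        Convert.ToBase64String(salt) + ":" + Convert.ToBase64String(
            Rfc2898DeriveBytes.Pbkdf2(password, salt, Iterations, HashAlgorithmName.SHA256, 32));
    bool userExists(string userName) => _rows.ContainsKey(userName);
    void addUser(Member m) => _rows[m.UserName] = new Member {
        UserName = m.UserName, EmailAddress = m.EmailAddress, FullName = m.FullName,
        Password = Hash(m.Password, RandomNumberGenerator.GetBytes(16)) };

    public bool createUser(Member m)
    {
        if (string.IsNullOrEmpty(m.UserName) || string.IsNullOrEmpty(m.Password) || userExists(m.UserName))
            return false; // missing data or username already registered
        addUser(m);
        return true;
    }

    public Member authenticateUser(string userName, string password)
    {
        bool found = _rows.TryGetValue(userName ?? "", out Member row);
        string stored = found ? row.Password : Dummy;
        byte[] salt = Convert.FromBase64String(stored.Split(':')[0]);
        bool match = CryptographicOperations.FixedTimeEquals(
            Encoding.ASCII.GetBytes(Hash(password ?? "", salt)), Encoding.ASCII.GetBytes(stored));
        if (!found || !match) return null;
        return new Member { UserName = row.UserName, EmailAddress = row.EmailAddress, FullName = row.FullName }; // hash stays server-side
    }

    public static void Main()
    {
        var svc = new LoginService();
        var m = new Member { UserName = "alice", Password = "correct horse", FullName = "Alice Example" };
        Console.WriteLine($"{svc.createUser(m)} {svc.createUser(m)}"); // new user, then duplicate
        Console.WriteLine(svc.authenticateUser("alice", "correct horse") != null);
        Console.WriteLine(svc.authenticateUser("alice", "wrong") != null);
    }
}
```

The stored "salt:hash" string in this sketch is 69 characters long, so it would not fit the varchar(64) Password column shown earlier without widening that column.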
Philip is a Computer Science PhD student at Liverpool John Moores University. He's still not mastered guitar tabs, never finished Mario, and needs a haircut. He discusses life at