Building an SSO-Enabled Web Application
Beginning with Release 3.1 of the LDS .NET Stack, you can easily enable your web application to participate in the WAM single sign-on (SSO) solution.
- 1 Preparation
- 2 Enabling SSO
- 3 Testing your application using the SSO Simulator
- 4 Forcing Sign out and Sign in
Preparation
- Visit the WAM site (https://ldsteams.ldschurch.org/sites/wam/GettingStarted/Home.aspx) for an overview of the features of WAM at the Church, and to learn which LDS Account attributes will be available to your application through SSO headers.
- Visit the SSO Simulator Getting Started guide.
- Install the NuGet Package Manager if you have not already done so. See Installing NuGet Package Manager for detailed instructions.
Referencing the LDS .NET Stack Library
In a new web project, add a reference to the LDS .NET Stack Library using the NuGet Package Manager.
Modifying your configuration to enable SSO
Open Web.config and find the following element (usually added near the bottom of the file):
<Lds.Stack>
  <stackSecurity ssoEnabled="false">
    <!-- ... -->
  </stackSecurity>
</Lds.Stack>
Change the value of ssoEnabled to true to allow your application to participate in SSO.
Note: When SSO is enabled, you will not be able to sign in using Forms Authentication, even if you have Forms Authentication configured in Web.config.
Because the SSO headers are parsed into an LdsAccountUser, no other changes to your Stack-enabled code are required.
Testing your application using the SSO Simulator
Note: More detail about installing, configuring and running the SSO Simulator can be found in the SSO Simulator Getting Started guide.
Installing the Java Development Kit (JDK)
In our testing, we found that it was always simplest to uninstall the Java Runtime Environment (JRE) before installing the JDK (which includes the JRE anyway). The current version of the JDK can be downloaded from http://www.oracle.com/technetwork/java/javase/downloads/index.html.
To allow the SSO Simulator to set cookies for a "protected" domain that is actually running on a development computer, it is useful to define a host name that resolves to the local machine. For convenience and consistency, we recommend something simple such as local.ldschurch.org. To add this entry, open c:\Windows\system32\drivers\etc\hosts in a text editor (running as Administrator if you're using Windows 7) and add the following line:
127.0.0.1 local.ldschurch.org
Downloading the executable Jar file
Download the latest version of the executable Jar file from the SSO Simulator Downloads page.
Configuring the SSO Simulator
The SSO Simulator allows for advanced scenarios, and in-depth details can be found in the Configuration File Documentation. However, you can get started quickly and confirm that your application is SSO-enabled with the SSOCheck.xml configuration file.
You will need to make at least one change to the SSOCheck.xml file before you can use it locally. Find the target-port token on line 14 and replace 16157 with the actual port of your application (this may be the specific port defined in your project for the ASP.NET Development Server, or port 80 for a local IIS app).
Starting the SSO Simulator from the Command Line
For additional options and parameters, refer to the SSO Simulator Getting Started guide. For the most common "quick start" scenarios, open a command prompt and execute this command:
java -jar SSOSim-5.26.jar <path to config file>
Leave this process running during your local testing, since it will act as an HTTP proxy for your web application.
Note: If you change your SSO Simulator configuration file, you will need to stop and restart the process.
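The setup steps above (hosts entry, JDK on the PATH, target-port edit, starting the jar) can be scripted. The following PowerShell script is an added example, not code from the original page or from the SSO Simulator project. It assumes the jar is named SSOSim-5.26.jar and that SSOCheck.xml sits beside it, and it assumes the placeholder port in that file is the literal 16157 the page mentions; it also adds two checks the page does not mention: it refuses to run without administrator rights, and it warns when nothing is listening on the target port.

```powershell
<#
  Added example (not part of the original page or the SSO Simulator project).
  Assumptions: the jar is SSOSim-5.26.jar and SSOCheck.xml is in the current
  directory; the placeholder port in SSOCheck.xml is the literal 16157.
  Run from an elevated (Administrator) PowerShell prompt.
#>
param(
    [Parameter(Mandatory = $true)][int]$TargetPort,   # port your app actually listens on
    [string]$LocalName = "local.ldschurch.org",       # host name the simulator sets cookies for
    [string]$Jar       = ".\SSOSim-5.26.jar",
    [string]$Config    = ".\SSOCheck.xml"
)
$ErrorActionPreference = "Stop"

# 1. Editing the hosts file requires administrator rights; fail early otherwise.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated prompt; it needs to edit the hosts file."
}

# 2. Add the loopback entry exactly once, so re-running the script is harmless.
$hostsPath = Join-Path $env:SystemRoot "System32\drivers\etc\hosts"
$pattern   = "^\s*127\.0\.0\.1\s+" + [regex]::Escape($LocalName) + "\s*$"
if (Select-String -Path $hostsPath -Pattern $pattern -Quiet) {
    Write-Host "$LocalName already maps to 127.0.0.1 in $hostsPath"
} else {
    Add-Content -Path $hostsPath -Value "127.0.0.1`t$LocalName"
    Write-Host "Added $LocalName -> 127.0.0.1 to $hostsPath"
}

# 3. The simulator is a Java program; stop if no java.exe is on the PATH.
if (-not (Get-Command java.exe -ErrorAction SilentlyContinue)) {
    throw "java.exe not found on PATH; install the JDK first."
}

# 4. Replace the placeholder port (assumed to be 16157) with the real one.
#    .NET file calls are used so this also works on older PowerShell versions.
if (-not (Test-Path $Config)) { throw "Config file $Config not found." }
$configPath = (Resolve-Path $Config).Path
$text = [IO.File]::ReadAllText($configPath)
if ($text -match "16157") {
    [IO.File]::WriteAllText($configPath, ($text -replace "16157", "$TargetPort"))
    Write-Host "Replaced placeholder port 16157 with $TargetPort in $configPath"
}

# 5. Warn if nothing answers on the target port; the proxy would only return errors.
$probe = New-Object System.Net.Sockets.TcpClient
try     { $probe.Connect("127.0.0.1", $TargetPort); Write-Host "Application is listening on port $TargetPort" }
catch   { Write-Warning "Nothing is listening on port $TargetPort; start your application first." }
finally { $probe.Close() }

# 6. Run the simulator in the foreground. Stop it (Ctrl+C) and rerun this script
#    after any change to the config file, since the simulator does not reload it.
& java -jar $Jar $Config
```

Run it as `.\Start-SsoSim.ps1 -TargetPort 8080` (or whatever port your project uses); the hosts-file check makes the script safe to rerun, and the port probe catches the common mistake of starting the proxy before the application.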
Debugging your application using the SSO Simulator as a proxy
While you can definitely start your application in debug mode and then manually browse to the proxy URL, you may find it even easier to modify your project settings to use the SSO Simulator proxy URL by default.
This technique works whether you are running your application on local IIS or using the ASP.NET Development server, so long as you have correctly updated your SSO Simulator configuration file to point to the correct target port.
Forcing Sign out and Sign in
Forcing Sign out
To force sign out, create a link to your application root with signmeout as the querystring value. For example, <a href="/?signmeout">Sign Out</a> creates a link which, when clicked, signs the current user out of SSO for all applications. Because a plain GET link triggers this, any page that can navigate the user's browser to that URL can sign the user out; treat it as a convenience for the user rather than a security control.
Forcing Sign in
Consider carefully whether you have a business case for forcing a user who is already signed in to sign in again. To force sign in, redirect the user to the current page or the application root with signmein as the