Single Sign On

Topics: Business Logic Layer
Mar 26, 2009 at 11:46 AM
Is there a way to disable the login process and authenticate a user "automatically"? The user will already be logged in to the application, and this blogging feature should be accessed w/o logging in again...
Coordinator
Mar 26, 2009 at 10:32 PM
How is the person logging into the existing application (forms authentication, windows authentication)?  Will everyone visiting the blog be already logged into the existing application?  Or will there be some blog visitors who are not already logged into the existing application?

You can try changing the forms authentication cookie name and roles cookie name in BE so they match the cookie names used in your existing application.  In the default BE web.config file there is:

<forms timeout="129600" name=".AUXBLOGENGINE" protection="All" slidingExpiration="true" loginUrl="~/login.aspx" cookieless="UseCookies"/>
... and ...
<roleManager defaultProvider="XmlRoleProvider" enabled="true" cacheRolesInCookie="true" cookieName=".BLOGENGINEROLES">

If you changed .AUXBLOGENGINE to match the forms authentication cookie name in the existing application and changed .BLOGENGINEROLES to match the roles cookie name used in the existing application, then the cookie they get when logging into the existing application might carry over into BE.

I say "might" because there are other factors.  For instance, do the "roles" defined in the existing application match the roles in the BE application?  The BE roles are Administrators and Editors.  Also, does the host name of the existing application match the host name of the BE?  In other words, are they both at the same domain name?  Are they in the same path ... or is BE installed in a subfolder off the main application?
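As an added illustration (not part of the thread), this is how the BE web.config fragments quoted above could be aligned with a parent application. The names .PARENTAPPAUTH and .PARENTAPPROLES and the machineKey values are placeholders; the machineKey element is a requirement the thread does not mention, since the forms ticket and the cached roles cookie are encrypted and signed with it.

```xml
<!-- web.config of the BE application installed in a subfolder of the existing app -->
<configuration>
  <system.web>
    <!-- The cookie name must match the parent application's <forms name="..."> exactly.
         path="/" (the default) makes the browser send the cookie to the parent app
         and to the blog subfolder alike. requireSSL is a hardening setting added here;
         set it the same way in both applications. -->
    <authentication mode="Forms">
      <forms name=".PARENTAPPAUTH"
             loginUrl="~/login.aspx"
             protection="All"
             timeout="129600"
             slidingExpiration="true"
             cookieless="UseCookies"
             path="/"
             requireSSL="true" />
    </authentication>

    <!-- The roles cookie name must match the parent app's roleManager cookieName, and
         the role names the parent issues must include BE's "Administrators" / "Editors"
         for BE to grant anything beyond anonymous access. -->
    <roleManager defaultProvider="XmlRoleProvider"
                 enabled="true"
                 cacheRolesInCookie="true"
                 cookieName=".PARENTAPPROLES"
                 cookiePath="/"
                 cookieProtection="All"
                 cookieRequireSSL="true" />

    <!-- Both applications must use the same machineKey: with different keys BE cannot
         decrypt or validate the parent's ticket, treats the user as anonymous and sends
         them to login.aspx. Generate the keys once and copy them; the values are placeholders. -->
    <machineKey validationKey="[placeholder: 128 hex chars, identical in both apps]"
                decryptionKey="[placeholder: 64 hex chars, identical in both apps]"
                validation="SHA1"
                decryption="AES" />
  </system.web>
</configuration>
```

If the parent and BE run under different application pools, the machineKey must be stated explicitly in both web.config files rather than left to the per-application auto-generated default.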
Mar 27, 2009 at 12:09 AM
Correct. The user would already be logged in via Forms Auth. Great info that you have provided, thank you. In regards to your last paragraph, the BE is going to be in a subfolder within the folder structure of the main web app (same domain).

Everything seems doable. I am a bit concerned about the roles. I am going to have to try and see if I can make it work.
Coordinator
Mar 27, 2009 at 1:45 AM
If everyone accessing the blog should automatically be considered logged in, a quick way to do this would be with an HttpModule.  I just put one together that might suit your needs.  It's called AutoLogin.  You would need to register this HttpModule in your web.config file.  If you are on IIS6 and have a <httpModules> element in your web.config, you would want to add the line below into your <httpModules> section.

<add name="AutoLogin" type="AutoLogin"/>

If you're on IIS7, you will probably have a <modules> element within the <system.webServer> section in your web.config file.  If you have that, you would want to add the same line above into the <modules> section.

The actual HttpModule can be named AutoLogin.cs and put into your App_Code folder.  The contents of this AutoLogin.cs file is below.  This module will automatically log in anyone coming to the blog, if they are not already logged in.  It logs them in under the "admin" user account.  If you don't have an "admin" user account setup in BE (on the Users tab in the control panel), you can change it to log in under an existing user account you already have setup.  The change would be made on the FormsAuthentication.SetAuthCookie() line.

using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Security;

public class AutoLogin : IHttpModule
{
    public void Dispose()
    {
        // Nothing to dispose
    }

    /// <summary>
    /// Subscribes to AuthorizeRequest so the module runs after the forms
    /// authentication module has already evaluated the request's cookie.
    /// </summary>
    /// <param name="context">The application this module is registered in.</param>
    public void Init(HttpApplication context)
    {
        context.AuthorizeRequest += new EventHandler(context_AuthorizeRequest);
    }

    /// <summary>
    /// Handles the AuthorizeRequest event of the context control.
    /// </summary>
    /// <param name="sender">The source of the event.</param>
    /// <param name="e">The <see cref="System.EventArgs"/> instance containing the event data.</param>
    private void context_AuthorizeRequest(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;

        if (context.User == null)
            return;

        // ignore requests for non ASPX resources (jpg, gif, asmx, axd, etc).
        if (!System.IO.Path.GetExtension(context.Request.Path).Equals(".aspx", StringComparison.OrdinalIgnoreCase))
            return;

        if (!context.User.Identity.IsAuthenticated)
        {
            // No valid forms ticket on this request: issue a persistent ticket for the
            // "admin" BE account (change the user name here to use another existing
            // account) and redirect to the same URL so the new cookie is applied.
            FormsAuthentication.SetAuthCookie("admin", true);
            context.Response.Redirect(context.Request.RawUrl);
        }
    }
}
Mar 27, 2009 at 6:06 PM
Edited Mar 28, 2009 at 3:41 AM
Thank you! We use IIS6. I will be trying your suggestion soon. The bottom line is that this is doable and not too involved.
Dec 6, 2010 at 1:12 PM

Ben -

Trying your method for Single Sign On but wondering how it may work with AD Authentication?  Also, trying this with BlogEngine.NET v2.0 RC.  I like the new Roles Control and Admin interface but having issues making Single Sign On work at all or like I want it to work.

Jan 6, 2011 at 9:02 AM
Edited Jan 6, 2011 at 9:05 AM

When I register the HTTP module in web.config and run the code from VS it works fine, but when I browse using IIS6 it never goes to the AutoLogin class. Please give a suggestion on how to make it work...

Jan 7, 2011 at 9:02 PM

I think it might work if you use the same membership provider for both BE and your application. If you're using AD Authentication, try to configure BE to use AD Authentication (role providers should be separate).


Jan 7, 2011 at 9:23 PM

I've just looked inside the XmlRoleProvider and it actually gets user data from the users.xml file. So, it won't work unless we make some changes first.


Jan 10, 2011 at 1:55 AM

I managed to set up BE with another membership provider and XmlRoleProvider. You would need to pull the latest source to try it.